Comment on Rybbit - Open source Google Analytics replacement
quick_snail@feddit.nl 2 days agoDude, just search the github for “docker content trust” and you can read all the issues. I’m not making big claims that aren’t known already by the devs
partofthevoice@lemmy.zip 2 days ago
Again we’re talking past each other. I’m sure those results are available and I’m aware docker doesn’t verify signatures automatically, but I’m asking how that necessarily makes docker insecure in spite of best practices being implemented. It’s about pinning yourself to trusted digests and having a verification process (like time) before updates. Why would you need authorship verification in that case? If there’s a good answer to that, I’d consider alternatives too. I’m just saying I don’t think it’s inherently insecure over this, and at face value I wouldn’t call docker insecure over this. It boils back down to the classic: don’t download untrusted software.