• nutomicOPMA
    link
    fedilink
    arrow-up
    4
    ·
    3 years ago

    Thats great, I didnt even know that Yunohost was blocked by our lack of documentation.

      • nutomicOPMA
        link
        fedilink
        arrow-up
        2
        ·
        3 years ago

        So now that this has been fixed, the next step could be to somehow make the manual install option aware within the Yunohost community

        I simply made a comment in the thread you linked haha

      • DessalinesA
        link
        fedilink
        arrow-up
        1
        arrow-down
        3
        ·
        3 years ago

        Considering how many apps use docker nowadays, that really surprises me that they wouldn’t support it. There’s that linuxserver docker repository that’s packaged hundreds of applications for docker.

        • federico3
          link
          fedilink
          arrow-up
          4
          arrow-down
          2
          ·
          3 years ago

          docker is really bad for security and adds a lot of unnecessary complexity

          • remram
            link
            fedilink
            arrow-up
            3
            arrow-down
            3
            ·
            edit-2
            3 years ago

            Docker is not bad for security, unless you do insecure things like exposing your Docker socket or running random workloads as root, however those are just as insecure under systemd.

            • nutomicOPMA
              link
              fedilink
              arrow-up
              5
              ·
              3 years ago

              It has some weird behaviour, for example ufw rules dont apply to Docker.

              • remram
                link
                fedilink
                arrow-up
                1
                arrow-down
                2
                ·
                3 years ago

                This is not insecure. It is surprising if you don’t know how containers work, but in a real deployment you’d only bind to localhost and use a reverse proxy and that is perfectly safe.

                  • remram
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    3 years ago

                    As I said this is surprising if you don’t know how containers work. This is similar from how e.g. virtual machine networking would trip you. As long as you know how to set things up properly, which is documented at length, Docker is not “insecure”.

              • remram
                link
                fedilink
                arrow-up
                3
                arrow-down
                2
                ·
                edit-2
                3 years ago

                How is this different from say, SystemD? It runs as root and has a larger attack surface.

                The link you pointed out has every CVE for every application packaged as Docker image. Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?

                • federico3
                  link
                  fedilink
                  arrow-up
                  3
                  arrow-down
                  1
                  ·
                  3 years ago

                  How is this different from say, SystemD?

                  It’s very different because SystemD does way more things than running containers. Also, this is whataboutism.

                  The link you pointed out has every CVE for every application packaged as Docker image.

                  You could scan through the list and check for yourself which ones are due to docker itself. Besides, I updated the link to filter out the spurious CVEs.

                  Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?

                  I would not… unless the tool itself was actively encouraging bad security practices, for example bundling dependencies, as Docker/AppImage/Flatpak/Snap do.

                  • remram
                    link
                    fedilink
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    3 years ago

                    It is not whataboutism since SystemD is what you’ll use to run services if you don’t use Docker… If I say that mass transit is a terrible idea because it pollutes, and you point out that cars pollute even more, I can’t claim “whataboutism” to dismiss your argument.

                    Here’s the corresponding page for SystemD: https://www.cvedetails.com/product/38088/Freedesktop-Systemd.html?vendor_id=7971 as you can see there are even more vulnerabilities, which makes sense as the attack surface is even larger.