How is this different from say, SystemD? It runs as root and has a larger attack surface.
The link you pointed out has every CVE for every application packaged as Docker image. Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?
It’s very different because SystemD does way more things than running containers.
Also, this is whataboutism.
The link you pointed out has every CVE for every application packaged as Docker image.
You could scan through the list and check for yourself which ones are due to docker itself.
Besides, I updated the link to filter out the spurious CVEs.
Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?
I would not… unless the tool itself was actively encouraging bad security practices, for example bundling dependencies, as Docker/AppImage/Flatpak/Snap do.
It is not whataboutism since SystemD is what you’ll use to run services if you don’t use Docker… If I say that mass transit is a terrible idea because it pollutes, and you point out that cars pollute even more, I can’t claim “whataboutism” to dismiss your argument.
Docker runs the whole daemon as root and has a large attack surface. Also, it has a lot of footguns that can mislead the user. Its security track record speaks for itself: https://www.cvedetails.com/product/28125/Docker-Docker.html?vendor_id=13534
How is this different from say, SystemD? It runs as root and has a larger attack surface.
The link you pointed out has every CVE for every application packaged as Docker image. Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?
It’s very different because SystemD does way more things than running containers. Also, this is whataboutism.
You could scan through the list and check for yourself which ones are due to docker itself. Besides, I updated the link to filter out the spurious CVEs.
I would not… unless the tool itself was actively encouraging bad security practices, for example bundling dependencies, as Docker/AppImage/Flatpak/Snap do.
It is not whataboutism since SystemD is what you’ll use to run services if you don’t use Docker… If I say that mass transit is a terrible idea because it pollutes, and you point out that cars pollute even more, I can’t claim “whataboutism” to dismiss your argument.
Here’s the corresponding page for SystemD: https://www.cvedetails.com/product/38088/Freedesktop-Systemd.html?vendor_id=7971 as you can see there are even more vulnerabilities, which makes sense as the attack surface is even larger.