Alpine Linux?
* Package download without HTTPS;
* Operation on archive content before signature checks;
* Custom updater & tar handling code.
Maybe you should use a real distribution for your base images and stop worrying about that extra 2Mo it takes on your 2To drive. https://twitter.com/tqbf/status/1040320695048302593 …
-
-
Total neglect is not having code that had bugs. The reality is we didn’t deprecate updates over HTTP because like getting the signature files from attempts at gpg. The reality is gpg doesn’t work for this for almost anybody.
-
At the current price for EBS storage on Amazon, my cost overhead for not using Alpine is 2 cents per container per month. I'm not even beginning to have a discussion there until they have their security game down.
-
Universe of interesting things happen when you’re running hundreds of thousands of containers, on one machine. Number and size of simultaneous memory mappings is a thing. Technology is different now. Welcome to the new game.
-
This is not a typical use case, I'd dare to say it borders on the pathological. We do run on the order of tens of thousands of containers, but spread across a couple of thousand nodes.
-
You want to understand why Alpine exists, you get to do some research. There is a lot of innovation happening past the typical these days. Typical systems are neither secure nor scalable. It shouldn’t surprise you a min container distribution exists. Hell, instantiation latency
-
I'm not surprised, I even see the benefit, but for our not so small use case, it borders on the irrelevant. Not worth accepting the risk of less than stellar security game.
-
Look, this bug begins and ends at not using https. The scene that doesn’t see that is the scene with the stale game.
-
It actually continues with extracting the archive before verifying the checksum.