
PS: I love that Mozilla uses Rust for the media-parser to boost security. But in the context of wider system engineering, there's a danger that crates.io will become another malware distribution system (like dockerhub[0]).

Personally I think TUF[1] is still too academic and at least for now doesn't offer a practical solution to this yet.

[0] https://blog.valbonne-consulting.com/2015/04/14/as-a-goat-im...

[1] https://github.com/rust-lang/crates.io/issues/75

EDIT: typos




They're slightly different problems. Docker images are, as everyone loves to point out, immutable. Once built, they're built, and if you want to patch a vulnerability you have to rebuild and replace.

A lot of folk on Dockerhub are just folk. They don't have security teams keeping an eye for relevant CVEs and triggering rebuilds.

I work for one of those companies (Pivotal) that does have a security team keeping an eye out for relevant CVEs. I work in buildpacks. If you send an app to a Cloud Foundry installation, you used the rootfs image and buildpack binaries that we built. When a high-value CVE lands we commit to providing replacement bits within 48 hours. We usually do it in much less.

But even with extensive automation -- and ours is pretty extensive -- this requires humans to watch the firehose of flaws. Most people who write a Dockerfile and forget it don't have that luxury.

Incidentally, Docker now offer security scanning of dockerhub images, for a fee.
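The rebuild-on-CVE process described in the comment above boils down to one recurring check: which packages baked into an immutable image are older than the version an advisory says is fixed. Here is an added example of that check (not Pivotal's, Cloud Foundry's or Docker's code) for a Debian-based image. It assumes the package inventory was produced inside the image with `dpkg-query -W -f '${Package}\t${Version}\n'`; the inventory below is constructed, and the advisory ids, package names and fixed versions are placeholders, not real advisories or CVEs. The version comparison follows dpkg's algorithm, because naive string comparison gets epochs (`1:0.9.8` is newer than `0.9.9`) and tilde pre-releases (`1.1.0~rc2` is older than `1.1.0`) wrong.

```python
r"""Check a Docker image's installed Debian packages against an advisory list.

Added example, not code from the thread or from Pivotal/Docker. Input is the
format of `dpkg-query -W -f '${Package}\t${Version}\n'` run inside the image;
here the inventory and the advisories are constructed placeholders.
"""


def _order(c: str) -> int:
    """Weight of a non-digit character as dpkg sorts it: '~' sorts before
    end-of-string, digits/end are 0, then letters, then everything else."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings like dpkg does:
    alternate non-digit runs (compared via _order) and digit runs (compared
    numerically, leading zeros ignored). Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits in this run: it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2.
    Epoch decides first, then upstream version, then Debian revision."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_inventory(text: str) -> dict:
    """Parse 'package<TAB>version' lines (dpkg-query output) into a dict."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            installed[name.strip()] = version.strip()
    return installed


def find_rebuilds(installed: dict, advisories: list) -> list:
    """Return the advisories whose package is present in the image at a
    version older than the fixed one: exactly the set that forces a rebuild."""
    hits = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is None:
            continue              # not in this image, nothing to rebuild
        if dpkg_compare(have, adv["fixed"]) < 0:
            hits.append({**adv, "installed": have})
    return hits


INVENTORY = (  # constructed dpkg-query output, not taken from a real image
    "libwidget2\t2.4.1-3\n"
    "widgetd\t1:0.9.8-1\n"
    "libgadget0\t1.1.0~rc2-1\n"
)
ADVISORIES = [  # constructed placeholders, not real advisories or CVE ids
    {"id": "EXAMPLE-0001", "package": "libwidget2", "fixed": "2.4.1-4"},
    {"id": "EXAMPLE-0002", "package": "widgetd", "fixed": "0.9.9-1"},
    {"id": "EXAMPLE-0003", "package": "libgadget0", "fixed": "1.1.0-1"},
    {"id": "EXAMPLE-0004", "package": "widget-extras", "fixed": "1.0-1"},
]

if __name__ == "__main__":
    for hit in find_rebuilds(parse_inventory(INVENTORY), ADVISORIES):
        print(f"REBUILD {hit['package']} {hit['installed']} -> {hit['fixed']} ({hit['id']})")
```

Run against the constructed data, only `libwidget2` (plain revision bump) and `libgadget0` (tilde pre-release older than the fixed release) come out as rebuild triggers; `widgetd` is not flagged because its epoch `1:` makes the installed version newer despite the smaller-looking number, and the uninstalled package is skipped. In a real pipeline the advisory list would come from a distribution security tracker rather than being inlined.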


> Incidentally, Docker now offer security scanning of dockerhub images, for a fee.

This is weird. I thought it would be in their best interest that dockerhub's images would have better reputations.


Well I think I may have mis-stated it. They offer scanning for Docker Cloud, which I understand to be their private registry / dev platform / once-and-future-PaaS. So it's an additional paywalled feature for private images, not for the public ones.

And, in fairness, it's a surprisingly tricky problem which many well-heeled customers see as worth paying for.

At Pivotal we've been working on "AppDog" to do something similar: inspect running applications on Cloud Foundry, tell you what dependencies are installed, what their licenses are, whether there are updates available and so on.

And yeah. It's harder than it looks. There are edge cases upon edge cases.

(Of course, nothing I say should be considered official comment etc etc).


I think they also offer scanning for repositories on https://hub.docker.com/account/billing-plans/ but only if you pay.

> Docker Cloud and Docker Hub can scan images in private repositories to verify that they are free from known security vulnerabilities or exposures, and report the results of the scan for each image tag https://docs.docker.com/docker-cloud/builds/image-scan/


I need to get better at actually reading people's websites :)



