Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

There are many facets to security. I would not like someone to have shell access + bash, curl, awk, jq in a container that has full network access to sensitive systems in my applications both upstream and downstream.

As per the dependencies of important projects: yep, I read their release notes. And since I do no like to do it, I try to keep them to a minimum, unless it is a prototype or a research project.

I get everyone has his sensibility, but please next time try to respect those who have a different attitude. Nobody attacked you or wants to.



> I would not like someone to have shell access + bash, curl, awk, jq

Having an OS as the container doesn't mean shipping with everything. bash and awk are commnon, and curl might be for some as well since it may be a dependency for something else, buy jq won't be, as well as many other things (and often you have to include the few things I noted anyway, as many applications will call external items and strict exec use isn't always the norm).

> I get everyone has his sensibility, but please next time try to respect those who have a different attitude. Nobody attacked you or wants to.

Please consider that perhaps you're being a bit too sensitive, given this is a text medium and you can't hear my inflection.

I understand I may have sounded a bit facetious, but I was being honest there. It's a lot of work keeping up with dependencies, so good luck with that if you, I wouldn't want to do it myself, and if you are doing that, I'm always interested in hearing about ways in which people manage it[1]. It's directly relevant to my job. If you weren't doing that, then it was meant as a gentle note that hey, you really should be if you're concerned about security, because anyone that's statically compiling external requirements into a single binary and isn't has got much more to worry about then whether there's other utilities shipped in their container.

1: For example, I wrote https://news.ycombinator.com/item?id=36450815 just the other day, which is directly relevant to that idea.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: