
This, 100%.

Imagine working on a project for the first time, having a Dockerfile or compose file that works, that just downloads and spins up all dependencies and builds the project successfully. Usually that just works and you get up and running within 30 minutes or so.

On the other hand, how it used to be: having to install the right versions of, for example, redis, postgres, nginx, and whatever unholy mess of build tools is required for this particular hairball, hoping it works on your particular (version of) linux. Have fun with that.

Working on multiple projects, over a longer period of time, with different people, is so much easier when setup is just 'docker compose up -d' versus spending hours or days debugging the idiosyncrasies of a particular cocktail that you need to get going.


Maybe you are right about kubernetes, I don't have enough experience to have an opinion. I disagree about containers though, especially the wider docker toolchain.

It is not that difficult to understand a Dockerfile and use containers. Containers, from a developer pov, solve the problem of reliably reproducing development, test and production environments and workloads, and distributing those changes to a wider environment. It is not perfect, it's not 100% foolproof, and it's not without its quirks or learning curve.

However, there is a reason docker has become as popular as it is today (not only containers, but also dockerfiles and docker compose), and that is because it has a good tradeoff between various concerns that make it a highly productive solution.


> problem of reliably reproducing development, test and production environments and workloads

Then again so does a tar file.

Some people might disagree that the problem is "solved" but there you go.


I suggest you read my comment here, which I'd rather not repeat as it's quite a long one https://news.ycombinator.com/item?id=46676676

The problem as stated in the original comment isn't that child porn as drawings is forbidden, or even that the interpretation of such is ambiguous. Or to be precise, it is not the only problem. The argument made is that these laws do not exist for their apparent intent (safety of children), but only as an excuse to exercise otherwise unlawful oppression and suppression of freedoms.

I don't find this assertion very plausible honestly, especially if this would be an argument against the existence of these very laws, because it's not really an argument against government backdoors and such.

You could make the same argument (of ambiguity) with almost any crime, because there are always cases where a crime is hard to prove completely without any risk of failure, especially in the realm of sexual assault.

I'm not taking a position here, honestly I'm unsure about it, but the reasoning is sloppy and the allegations of abuse seemingly pulled out of thin air. There is also no case for why the poster is being investigated other than the pornography. It would be more plausible if there was some kind of civil disobedience involved. As stated, I'm inclined to put this in the category of conspiracy theory.


which is just prep talk for "if we need it, we could do it"


Maybe this is taking it too far, but anyway: corporations don't have any agency. They are not persons. The organization and constellation of interests of corporations may be such that:

1. immoral people (such as psychopaths) will be disproportionately at the helm of large corporations

2. regular people will make immoral decisions, because to do otherwise would be against their own interests or because the consequences / moral impact are hidden from their awareness

There is no way to act in life that isn't in some sense moral or political, because it also impacts others and you are always responsible for what you do (or don't do). And corporations are just a bunch of people doing stuff together. To maintain otherwise is in itself a (im)moral act, intentionally or not, see point 2 above.


If corporations are not people then why are their ads full of elements that make us feel warm and fuzzy?

We're being tricked!


It is and it isn't. Relative wealth within society has consequences regardless of absolute wealth. But globally power is absolutely shaped by wealth distribution as well, as wealth distribution is influenced by power relations too.


Why not give them credit for that? There is no moral rule that to be virtuous, it has to be self-sacrificial. If you narrow a commendable course of action to some sort of ascetic vision of martyrdom and self-punishment, then yes everybody and everything is evil.

So they may pivot to closed source when the circumstances will benefit it, or they may actually not do that. They have no shareholders that force them to squeeze the bottom line. The perceived benefits may just be slight and their culture will push them to stay the course on the long term, where other companies will do the reverse. Maybe if their survival is at stake, but wouldn't anyone faced with existential danger do anything to stay alive, including the worst imaginable?

Within certain commercial boundaries that keep the business profitable, companies can and do make all sorts of decisions based on values and visions that are more than just economical, especially companies not beholden to shareholders that only care about short-term profits. Even the economical decisions aren't purely rational and are often made from some kind of cultural bias.


You're severely limiting the blast radius. This malware works by exfiltrating secrets during installation, if I understood it correctly. If you would properly containerize your app and limit permissions to what is absolutely required, you could be compromised and still suffer little to no consequences.

Of course, this is not a real defense on its own, it's just good practice to limit blast radius, much like not giving everybody admin rights.


> Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

Even a properly containerized app will still have these things, because you need things like environment variables (that contain passwords, api keys, etc) for your app to function.


Everything runs in the container and cannot escape it. It's like a sandbox.

You have to make sure you're not putting any secrets in the container environment.


You are just reducing the blast radius with use of podman; you will likely need secrets for your app to work, which will be exposed regardless of the podman approach.


Most people don’t have NPM keys in their application containers.


If you're developing in a container then you would have to be doing it without doing something like say, mounting your home directory into it.

The reality here is this is the sort of attack SELinux should be good at stopping (it's not because no one uses SELinux, the policies most commonly used don't confine the user profile in a useful way, and a whole bunch of tools love ambient credentials in environment variables).


>You have to make sure you're not putting any secrets in the container environment.

How does this work exactly? Containers still need env vars and access to databases and cloud environments. Without these the container is just a useless isolated pod.


Not who you asked, but I have a similar setup. I can run everything I need for local development in that image (db, message queue emulator, cache, other services). So, setting things like environment variables or running postgres work the same as they do outside the container.

The image itself isn't the same image that the app gets deployed in, but is a portable dev environment with everything needed to build and run my apps baked in.

This comes with some nice side effects like being able to instantly spin up clean work environments on my laptop, someone else's, or a remote vm.


This really depends on your setup. If possible, I have local development containers as much as possible. nginx, postgres, redis, etc. I have several containers, each only has access to what it needs. We have an isolated cloud environment for development, in its own aws account.

It's not going to stop attacks, but it will limit blast radius a lot.
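The sub-thread above (from "You're severely limiting the blast radius" through "each only has access to what it needs") argues about what an install-time secret stealer can actually reach inside a container. As an added example that is not part of any comment here and not the malware or TruffleHog itself, the script below builds a constructed developer home and shell environment with fake credentials in the right shapes, then runs a small pattern scanner (a stand-in for what TruffleHog does; the detector regexes, file list and env-variable names are assumptions for this example) against three settings: the raw dev shell, a throwaway build environment handed only a PATH and an empty HOME for `npm install`, and an app runtime environment that carries just the one secret the app needs. The first leaks everything, the second leaks nothing, and the third still exposes the runtime database credential, which is exactly the point made about blast radius versus "secrets you still need".

```python
import re
import tempfile
from pathlib import Path

# Constructed detector shapes (an assumption for this example; a real scanner
# such as TruffleHog ships hundreds of detectors and verifies hits live).
DETECTORS = {
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_embedded_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@/\s]+@"),
}

# Files an install hook typically reads for ambient credentials (assumed list).
CREDENTIAL_FILES = (".npmrc", ".aws/credentials", ".env")

# Constructed, fake credentials in the right shape; none of these are real.
NPM_TOKEN = "npm_" + "abcdefghijklmnopqrstuvwxyz0123456789"
AWS_KEY = "AKIA" + "ABCDEFGHIJKLMNOP"
DATABASE_URL = "postgres://app:s3cret@db:5432/app"


def scan_text(text):
    """Return the names of every detector that fires on `text`."""
    return sorted(name for name, rx in DETECTORS.items() if rx.search(text))


def scan_reach(env, home):
    """Everything a postinstall script could lift from this env plus HOME."""
    findings = {}
    for key, value in env.items():
        hits = scan_text(value)
        if hits:
            findings[f"env:{key}"] = hits
    for rel in CREDENTIAL_FILES:
        path = Path(home) / rel
        if path.is_file():
            hits = scan_text(path.read_text())
            if hits:
                findings[f"file:{rel}"] = hits
    return findings


def install_env(base_env, empty_home):
    """Env for the throwaway container that runs `npm install`:
    a PATH and an empty HOME, no registry or cloud credentials at all."""
    return {"PATH": base_env.get("PATH", "/usr/bin"), "HOME": str(empty_home)}


def runtime_env(base_env, empty_home, needed):
    """Env for the app container: only the runtime secrets the app needs."""
    env = install_env(base_env, empty_home)
    env.update({k: base_env[k] for k in needed if k in base_env})
    return env


def demo():
    """Compare what a secret-stealing install hook can reach in three settings."""
    with tempfile.TemporaryDirectory() as dev_home, tempfile.TemporaryDirectory() as empty_home:
        # Constructed developer home holding the ambient credentials the thread worries about.
        home = Path(dev_home)
        (home / ".npmrc").write_text(f"//registry.npmjs.org/:_authToken={NPM_TOKEN}\n")
        (home / ".aws").mkdir()
        (home / ".aws" / "credentials").write_text(
            f"[default]\naws_access_key_id = {AWS_KEY}\naws_secret_access_key = example\n"
        )
        dev_shell = {
            "PATH": "/usr/bin",
            "HOME": dev_home,
            "NPM_TOKEN": NPM_TOKEN,
            "AWS_ACCESS_KEY_ID": AWS_KEY,
            "DATABASE_URL": DATABASE_URL,
        }
        return {
            "dev_shell": scan_reach(dev_shell, dev_home),
            "install_step": scan_reach(install_env(dev_shell, empty_home), empty_home),
            "app_runtime": scan_reach(
                runtime_env(dev_shell, empty_home, ("DATABASE_URL",)), empty_home
            ),
        }


if __name__ == "__main__":
    for setting, findings in demo().items():
        print(f"{setting:13s} {findings or 'nothing reachable'}")
```

The split between `install_env` and `runtime_env` is the practical takeaway: dependency installation is where this class of malware runs, and that step needs neither your registry token nor your cloud keys, so give it an environment that has none of them and no mounted home directory. The runtime container still has to carry its own secrets, so the scanner keeps flagging `DATABASE_URL` there; what containment buys you is that a compromised build step cannot reach the credentials that matter most.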


Maybe don't use JavaScript on the backend.


All right then, keep your secrets.


No it is not.


So it turns itself back into oil and seeps into the well where it originated from? You know this sounds like putting your hands on your ears shouting 'lalala I can't hear you'?

The thing I'm wondering is, if you don't care, why make the effort to comment at all? Clearly you care enough to do so. What are you afraid will happen by merely acknowledging what is the case? Whenever someone presents the finding of facts as hysterical, I'm left wondering who is actually the hysterical one.

The microplastic particles in our air aren't hysterical. They are just there. Research revealing they are present isn't hysterical either, nor is research about the consequences. At most, such research is more or less accurate, or distorted. I'm starting to think you are the one who is hysterical in this matter.

But for what reason? I can think of only three:

you agree with the dangers but find it so overwhelming that you want to shut it down

you fear losing the benefits of plastic and want to undermine any action on the subject

you just can't take any kind of panic, regardless of the reasons and to maintain your sanity, you vehemently push away anything that might otherwise makes you feel alarmed

