• 0 Posts
  • 89 Comments
Joined 1 year ago
cake
Cake day: June 12th, 2023

help-circle




  • adding PPAs or RPM repos, or installing things from source, I’d say that number is a lot higher than 0.

    Nothing wrong with that. Unlike docker that’s cryptographically protected toolchain/buildchain/depchain. Thus, a PPA owner is much less likely to get compromised.

    Installing things from source in a secure environment is about as safe as you can get, when obtaining the source securely.

    Docker contains that nonsense in a way that’s easy to update.

    Really? Ist there already a builtin way to update all installed docker containers?

    What’s uneasy about apt full-upgrade?

    Package managers don’t provide a sandbox.

    I didn’t say that.

    average user who doesn’t run updates consistently, may add sketchy dependencies, and doesn’t audit things would be better off with Docker.

    That’s false.

    but they’re less likely to cause widespread issues since each is in its own sandbox.

    Also false. Sandbox evasion is very easy and the next local PE kernel vulnerability only weeks away. Also VM evasion is a thing.

    Basically one compromised container giving local execution is enough to pwn your complete host.


  • in the same way that installing a malware-laden executable isn’t an OS problem

    except no one is doing that. Every major distro hast mechanisms for software supply chain security and reproducible builds.

    Do your due diligence, especially if you’re not a developer and thus looking at the Dockerfiles is impractical.

    You’re on to something here. If you automate that process, you end up with something we call a package manager.

    it’s likely blog posts and users that are at fault.

    Exactly. And sincer reviewing Dockerfiles is impractical, there’s no way docker prevents you from shooting your own foot. Distros learned that long ago: Insecure default configs or injected dependencies are a thing of the past there. With docker, those get reintroduced.



  • This entirely misses the point of Docker.

    It’s just pointing out the risk of letting someone you don’t know with no legal obligations setup your complete environment.

    How likely

    Probably as likely as someone cracking your really secure ssh password. Still, any sane expert will recommend disabling password auth.

    I only pull containers based on some official project.

    How do you know they weren’t compromised?

    but I don’t see anything here about Docker itself being a problem

    The problem is that rootless docker is a pain and no one does it. Privileged software sideloading other software is a huge risk.

    That risk now became an incident. Even if you’re not affected, the risk still remains.





  • Exemplarisch für den verkommenen akademischen Gedanken im Schulsystem: Nämlich sich mit einem Spezialgebiet beschäftigen, es vertiefen, Thesen aufzustellen, diese diskutieren/belegen/wiederlegen/verteidigen, gewonnene Erkenntnisse wissenschaftlich konform verschriftlichen usw.

    Genau DAS sollte die (weiterführende) Schule eigentlich spielerisch vermitteln und fördern.

    Egal ob da T-Shirts gefärbt, Stinkbomben gebastelt, Roboter konstruiert oder über irgendein Thema diskutiert wird - solange es pädagogisch wertvoll ist, erwarte ich, dass das Schulsystem jegliches freiwillige Engagement von Schülern bestmöglich unterstützt.



  • In deutschen Wohnungen produzieren sie normalerweise rasch tropische Schwüle.

    Das stimmt, aber da es immer ein Feuchtigkeitsgefälle nach aussen gibt, funktioniert das mit Lüften ganz gut.

    Mit “knochentrockener” Luft funktioniert es natürlich am besten aber Deutschland ist nicht der Amazonas und hier macht es zumindest für mich an heissen Tagen viel Unterschied und kost praktisch nix.

    Wenn die Sommer noch heisser werden, kommt Klimaanlage mit PV her.





  • 25 years in the industry here. As I said there’s nothing against learning something new but I doubt it’s as easy as “leveling up”.

    Both fields profit a lot from experience and it’s as much gain for a scientist do become a software dev as an architect becoming a carpenter. It’s simply not productive.

    there is so much time lost in research institutes because of shoddy programming

    Well, that’s the way it is. Scientific code and production code have different requirements. To me that sounds like “that machine prototype is inefficient - just skip the prototype next time and build the real thing right away.”


  • It’s always good to learn new stuff but in terms of productivity: Don’t attempt to be a programmer. Rather attempt to write better research code (clean up code, revision control, better commenting, maybe testing…)

    Rather try to improve cooperation with programmers, if necessary. Close cooperation, asking stupid questions instead of making assumptions etc. makes the process easy for both of you.

    Also don’t be afraid to consult different programmers since beyond a certain level, experience and expertise in programming is vastly fragmented.

    Experienced programmers mostly suck on your field and vice versa and that’s a good thing.