Egregoros

4w

@sun skill issue

Replying to @meowski@fluf.club

Blurry Moon

4w

@meowski someone else's code not mine

Replying to @sun@shitposter.world

woodland creature

4w

@sun i will never install docker. or kubernetes for that matter

Replying to @meowski@fluf.club

Blurry Moon

4w

@meowski I ended up just biting the bullet and rewriting some of the code I didn't have permission to touch

Replying to @sun@shitposter.world

woodland creature

4w

@sun actually i have installed docker before i just usually try to run any needed libraries before reaching for docker. containers are mostly used out of laziness imo

Replying to @meowski@fluf.club

Blurry Moon

4w

@meowski I use them for moderate risk untrusted code

Replying to @sun@shitposter.world

Pseudo-intellectual White Man

@pwm@darkdork.dev remote

4w

@sun @meowski no, if you don't buy a whole new computer for each incompatible set of libraries, you're lazy and poor

Replying to @meowski@fluf.club

Blurry Moon

4w

@meowski my position is that the default permission model on operating systems is so bad that it’s beter to just run things n containers

Replying to @pwm@darkdork.dev

woodland creature

4w

@pwm @sun again skill issue. you can generally run needed versions of libraries in parallel if you can actually be arsed to configure the environment

Replying to @meowski@fluf.club

Pseudo-intellectual White Man

@pwm@darkdork.dev remote

4w

@meowski @sun wallet issue, poorfag

Replying to @sun@shitposter.world

Phantasm

4w

@sun @meowski Containers provide little isolation anyway. It's more of a "feel better" security than anything else. If you fear bad code might go sideways, your only solution is a VM really, unless you want to make a compromise and jump into the rabbit hole called SELinux.

Replying to @phnt@fluffytail.org

Phantasm

4w

@sun @meowski
>and jump into the rabbit hole called SELinux.
Which is almost Red Hat exclusive, with little to no good documentation and it requires proper OS support, which again only Red Hat does.

Replying to @phnt@fluffytail.org

Blurry Moon

@latein@cawfee.club remote

4w

@phnt @meowski containers are good enough to be a security layer now

Replying to @phnt@fluffytail.org

Protoss

4w

@phnt @meowski @sun can't they all just put a malware download into your .bashrc and call it a day even from a container anyway?

Replying to @sun@shitposter.world

Phantasm

4w

@sun @meowski Container escapes are like a yearly thing both for Docker and Podman. And with Docker it's even more dangerous as everything runs usually under root. Few months ago three different container escapes for podman dropped from how it handled bind-mounting files, which also included an LSM bypass.

Replying to @latein@cawfee.club

Phantasm

@mirq@tsogol.tsiran.org remote

4w

@latein @meowski @sun The point is that the damage is contained. You can compromise the main app, but you shouldn't be able to compromise the whole system from that entrypoint. You have no access to .bashrc.

Replying to @phnt@fluffytail.org

Vinnewed Goblin

4w

@phnt @meowski @sun
Docker doing root by default is so annoying and baffling
I've had "de-root containers" on my to-do list for months now

Replying to @phnt@fluffytail.org

Blurry Moon

@scathach@stereophonic.space remote

4w

@phnt @meowski I run all mine as unprivileged but I get you. Just, they re bugs when found not like just trusting chroot

Replying to @sun@shitposter.world

blood eagle enjoyer

4w

@sun Programmers who don't bother to learn to write deployable software should be banned from touching computers and retrained into a profession more suited to their abilities, like cleaning out sewers or handling radioactive waste

Listens to Baroque while coding murder.exe

@newt@stereophonic.space remote

4w

@SuperDicq @sun
>Software being difficult to install is a problem with that software. In this case Docker fixes an issue that shouldn't exist in the first place.

No. It's the problem with the 80s style package management that is still pervasive in Eunuchs systems.

Replying to @newt@stereophonic.space

Phantasm

@newt@stereophonic.space remote

4w

@newt @SuperDicq @sun You will dynamically link everything and you will be happy.

Replying to @phnt@fluffytail.org

Listens to Baroque while coding murder.exe

4w

@phnt @SuperDicq @sun https://blog.hiler.eu/win32-the-only-stable-abi/

Replying to @mirq@tsogol.tsiran.org

Phantasm

@mint@ryona.agency remote

4w

@mirq @meowski @sun If your distro has podman packaged, just use that. No stupid daemon required and rootless by default. If you create a new user account and start the container in it, it can also generate you a systemd user service file, which you can then enable and systemd will handle it for you (lingering enabled for the user account is required).

Replying to @phnt@fluffytail.org

4w

@phnt @meowski @sun @mirq Does it shit pu your iptables rules like d*cker?

Replying to @mint@ryona.agency

Phantasm

4w

@mint @meowski @sun @mirq It probably does, but in a different way. Instead of network interfaces, it uses network namespaces and if you don't tell it to export a port only to localhost, it will happily punch a hole through your firewall to the outside world (at least with firewalld).

Replying to @phnt@fluffytail.org

Phantasm