*Bot propaganda?

You clearly haven’t tried using one of there services APIs.

Get it while it’s hot!

My work processes PDFs from government sites, filling them out for end users automatically. Would be cool if the API could do this somehow. Parse fields, and let you put text into them.

Imagine what the internet would look like if legislators prevented that particular monetization strategy (targeted advertising). For example, classifying it as behavior influencing technology—we could start to analyze a lot (social media algorithms, advertising, news feeds, …) for its potential to become propaganda and influence our fellow citizens. Free speech is protected, sure, but you can’t shout “bomb” in an airport anymore than you should be able to harvest heroine data and use it to lure addicts to your marketplace.

Imagine if we saw things like Amazon and said, “woah woah woah. We as a society left feudalism behind. You can’t own the land (the “platform”) that everyone sells on, monetize the exchange of products on your land (taxes, or “platform fees”), and have control over which exchanges should occur in the first place (the “algorithm”). That’s just too much power and doesn’t follow the same free market principles that got us here in the first place.”

Imagine if the government saw things like web3.0, blockchain, federation, and said: “you know, it was public funding that built the internet. Maybe now, public funding should secure the democratic process of the internet. Let’s research the potential for using the internet as a platform for building and supporting a digital space that helps propel society into its next stages of human development.”

Instead, we got something where technology was allowed to develop into an alternative form of control. We regulated the land, so they made new land in unregulated territory while moving all the goods over there. Capitalism allowed feudalism to sprout from within if. We are the peasants who “work the land.” That’s why these platforms are free to us, because (just like in feudalism) they need us there for any of this to work. We work the land, comment and like posts, only to teach their algorithms how to better influence us. It’s not what I was hoping for back in the early 2000s.

Gitea Actions, as well.

deleted by creator

Depends, are you China? Because if not, then probably not.

These might be apples and oranges, but how does NextCloud compare to Seafile?

I was curious and, yeah, it seems like docker hub not requiring signature means many popular publishers don’t bother to sign. But that’s not to say it can’t be done. For example: https://github.com/sigstore/cosign

Today, cosign has been tested and works against […] Docker Hub

Again we’re talking past each other. I’m sure those results are available and I’m aware docker doesn’t verify signatures automatically, but I’m asking how that necessarily makes docker insecure in spite of best practices being implemented. It’s about pinning yourself to trusted digests and having a verification process (like time) before updates. Why would you need authorship verification in that case? If there’s a good answer to that, I’d consider alternatives too. I’m just saying I don’t think it’s inherently insecure over this, and at face value It boils back down to the classic: don’t download untrusted software.

You’re making big claims on security here, like “cannot be done,” and each time you do I feel like we’re talking past each other a bit. I never claimed you can verify that the person who pushed the container had access to a private key file. I claimed you can verify the security of a container, specifically by auditing it and reviewing the publisher’s online presence. Best practices. Don’t upgrade right away, and pin digests to those which can be trusted.

When you pin a digest, you’re not going to get a container some malicious agent force pushed after the fact. You pinned the download to an immutable digest, so hot-swapping the container is out the window. What, as I understand, you’re concerned with is the scenario that a malicious actor (1) compromised the registry login beforehand, (2) you pinned the digest after hand, and (3) the attack is unnoticed by you and everyone else.

I’m trying to figure out under what conditions this would actually occur, and thus justifies the claim that docker pull is insecure. In a work setting, I only see this being an issue if the process to test/upgrade existing ones is already an insecure process. Can you help me understand why I should believe that, even with best practices in place, Dockers own insecurities are unacceptable? Docker is used everywhere and I’m reluctant to believe everyone just doesn’t care about an unmanageable attack vector.

You’re talking about authorship. Sure. But if you verify the container yourself as secure and pin the digest, what’s the issue?

What are you talking about, “yeah that’s the insecurity I’m talking about.”

I didn’t mention an insecurity and neither have you. Would you mind being a little more clear than “Docker pull is insecure?”

Frankly, I was expressing confidence in dockers security. It goes without saying though, any user can do insecure things like download from untrusted sources. That’s not dockers problem though, it’s the users.

Edit: I see now that you added “it’s the download that’s not verified.” Integrity is verified, so I assume you mean authorship (via signing)? I guess you’re saying that, if admin credentials are stolen from a container publisher and the thief force pushes malicious code into the registry under a pre-existing tag—then you would be exposed to that?

Even in that case, though, a digest cannot be overwritten. Tags can. So you’d just pin the digest to avoid this one attack vector?

You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.

How exactly would docker pull be any more insecure than something like pip install? Or, really anything… Let’s go with your preferred alternative, how are you going to get it on your machine in a more secure way than docker provides?

Docker uses TLS with registries, layers and manifests have cryptographic digests, checksums, and you can verify the publisher yourself. Push it into your own registry if you want, or just don’t use latest.

Docker is a security risk? … excuse me, what? Can’t you just, idunno, secure the environment that docker runs in? Use rootless images? Use immutable images?

And, are you asking for something that runs on bare metal? Couldn’t you just install the ISO that the dockerfile uses, then convert the dockerfile logic to an sh script?

All that but we can’t grow new teeth in our mouths. What’s up with that, nature?

I’d buy stock, bonds, or perhaps a lifetime supply of an air freshener. We’ll see.

You need to wipe it in honey first, and cover the honey in cinnamon. Then take a toothpick and push it through the center of that. Then, kid you not, chocolate syrup. Put it in the freezer and it’ll last a millennium.

intergalactic tour guide: now if you look to your left, you’ll see the natural habitats of the Xpheno217 species. This is the only location in the whole universe they can live. And to your right, a brand new residential community fit with Walmart and their very own Chick-fil-A.