It blows my mind that developers will install things like npm, random libraries and so on on their machine, sometimes their personal one with the keys to the kingdom so to speak. But then again, people are now installing MCP servers the same way and letting LLMs run the show. Incredible really.
So, what do you do for Windows and macOS users, in corporate environments, who don’t have access to virtualization on local machines? This describes most of the places I’ve worked as a consultant.
Container technology is awesome, and it’s a huge step forward for the industry, but are places where it’s not feasible to use, at least for now.
No software is perfect but there is a massive difference betwen these two boundaries. If there is a escape in KVM its news worthy unlike in docker. I don't feel like pulling up cves but anybody following the space should know this.
There's an even bigger difference between using Docker and not using any sort of protection, it's always going to be a security vs convenience tradeoff. Telling people who want to improve their security posture (currently non-existent) that "Docker is not a security boundary" isn't very pragmatic.
What percentage of malware is programmed to exploit Docker CVEs vs. just scanning $HOME for something juicy? Swiss cheese model comes to mind.
But the result of a compiler will run on the machine anyway, but once again, it should be in a Docker.