
No software is perfect, but there is a massive difference between these two boundaries. If there is an escape in KVM, it's newsworthy, unlike in Docker. I don't feel like pulling up CVEs, but anybody following the space should know this.


There's an even bigger difference between using Docker and not using any sort of protection; it's always going to be a security vs. convenience tradeoff. Telling people who want to improve their security posture (currently non-existent) that "Docker is not a security boundary" isn't very pragmatic.

What percentage of malware is programmed to exploit Docker CVEs vs. just scanning $HOME for something juicy? The Swiss cheese model comes to mind.


It is better in the same way a rope is better than no seat belt at all. Recommending Docker as a sandbox gives a false sense of security.



