
It's layers. Docker is better than nothing, but a VM is better still, and even better is docker on a dedicated VM on dedicated hardware on a dedicated network segment.

That's sacrificing an awful lot of latency cost for each transcode job though.

Firecracker says it can start a VM in 125 ms, for most transcode jobs that seems like it'd be a trivial cost.

Each job sends a provisioning ticket to a thermal printer. 1 business day turnaround, unless we need to order more servers

To make a bit of a strawman of what you are saying, even better still would be an unplugged power cable, as a turned-off machine is (mostly) unhackable.

To be more serious, security is often in conflict with simplicity, efficiency, usability, and many other good things.

A baseline level of security (and avoidance of insecurities) should be expected everywhere; Docker allows many places to easily reach it and is often a good enough tradeoff for many realities.

That escalated quickly.

But I agree.
