On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
>
> I don't see the part where all these latest fancy container thingymagicies
> are not really just "embed everything in everything"
>
> We've known for years the dangers of embedding stuff in packages (it hardly
> ever gets updated properly)
>

Well, that strikes me as being true of these self-contained packages,
but it isn't necessarily true of containers in general.

I run most of my services in containers, and they're just Gentoo
installations with a really small world file.  Things are just as
up-to-date as they would be if I ran it all in a single host.

Now, if you're the sort of person who just grabs some random docker
image from who knows where, then sure you're getting a big bundle of
stuff that may or may not be maintained for security.  This is no
different.

I'm sure there will be people who provide these all-in-one packages
and carefully update them for upstream security flaws.  And there will
be a lot more providers who don't.

Chromium is a good example of this.  Gentoo tries to unbundle as much
as it can, but if you just do a make install on it you end up with a
bazillion bundled libraries.  Google does a very good job of keeping
them all up to date, but they're not a typical case.

FWIW - the subject of this thread suggests that this is some kind of
"official" Gentoo thing.  As far as I can tell somebody took it upon
themselves to make this available for Gentoo, but it is not in any way
endorsed by the distro.  Of course, if somebody wanted to package it
up and maintain it we probably wouldn't have any issues with having
the package manager in the repository.  After all, we have other binary
distro package managers in there.  That doesn't mean that Gentoo is
doing anything to ensure that whatever random repository you point it
at is up to date, any more than if you emerge debootstrap.

Oh, and while I generally agree with everything in the linked
Maintainers Matter blog post, I'd hardly call it a security audit.  It
just points out in general terms the sorts of problems that this kind
of approach can lead to.

-- 
Rich
