In general, a public security policy is pointless. It is the one layer you want people to trip over when breaking a system. =3
Nuisance users don't publish CVE, and a zero trust model shows you something important. =3
I am curious to ask now but why do you end every message with =3 & when did you start with this trend, really curious now xD
I don't understand why one would go halfway and leave packages which are unneeded for services. The only executable in a hardened container image should be your application.
How can we learn the identity of the contributors? How are the contributors vetted? How are we notified if a significant change in leadership happens?
It's just a general problem when relying on GitHub accounts for important code.
For some reason I trust the big vendors to have better safe-guards against things like the questions above. Such as aws linux containers etc..
Would love to hear how other people think around this.
debarshri•6h ago
I think the problem in general is hardened image market is keeping up with CVEs and making sure the catalog is vast so that it covers all the images and nuances.
Responding and patchibg CVEs with an SLA is the KPI of the vendors. As much as I would like cheer for you, doing it as an opensource initiate with a guaranteed SLA is going to be painful for you as maintainer without profit as a motive.
ritvikarya98•6h ago
hobofan•5h ago
[0]: https://images.chainguard.dev
ritvikarya98•4h ago
hobofan•3h ago
I was looking into how to create more secure container image and this looks like a great resource! :)
Imustaskforhelp•3h ago
This looks really good. Good luck for your project!
Also a quick question but when you mention Minimal being well.. Minimal? How much more minimal would it be compared to say alpine?
Also maybe I should stop saying so many times minimal in this comment haha!
ritvikarya98•15m ago