I have taken measures where I can to try and eschew problems by pinning any of the dependencies I install at the OS level when building my own containers, but in terms of the off-the-shelf variety (e.g. postgres, nginx, redis, base OS containers), I am nowhere near as qualified as the image maintainers themselves to keep track of this shit.
At some point, you have to trust somebody else. Where that point lies will vary based on your project's level of concern. 🤷
All this being said, you absolutely should be vetting your containers with at least an iota of due diligence. If they're curling from a rando's GitHub repo and piping a script into sudo sh, then maybe look elsewhere.
I just don't think that I need to care as much about the officially-blessed redis container image from DockerHub, etc. ... attackers could pwn me from a local redis binary install just as easily (or easier) given my level of expertise with this stuff (which is ... not great).
Add comment