This one-page, poorly titled, wrong rant is the #2 story on this site?

"Ever tried to security update a container?" lol. You are doing it wrong.

"Essentially, the Docker approach boils down to downloading an unsigned binary, running it, and hoping it doesn't contain any backdoor into your companies network." nope https://blog.docker.com/2014/10/docker-1-3-signed-images-pro...

"»Docker is the new 'curl | sudo bash'«" No, it's not. Most intelligent companies are building their own images from scratch.

People that care about what's in their stack take the time to understand what's in there & how to build things.

I think you're wrong. I think most users are not installing trusted builds from their OS vendors. Piping curl to bash is incredibly common--many popular software packagers are doing it [1].

About a year and a half ago, I was playing around with Docker and made a build of memcached for my local environment and uploaded it to the registry [2] and then forgot all about it. Fast-forward to me writing this post and checking on it: 12 people have downloaded this! Who? I have no idea. It doesn't even have a proper description, but people tried it out and presumably ran it. It wasn't a malicious build but it certainly could have been. I'm sure that it would have hundreds of downloads if I had taken the time to make a legit-sounding description with b.s. promises of some special optimization or security hardening.

The state of software packaging in 2015 is truly dreadful. We spent most of the 2000s improving packaging technology to the point where we had safe, reliable tools that were easy for most folks to use. Here in the 2010s, software authors have rejected these toolsets in favor of bespoke, "kustom" installation tools and hacks. I just don't get it. Have people not heard of fpm [3]?

[1] http://output.chrissnell.com/post/69023793377/stop-piping-cu...

[2] https://registry.hub.docker.com/u/chrissnell/memcached/

[3] https://github.com/jordansissel/fpm
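As an added illustration of the "stop piping curl to bash" point made in the reply above (this is example code written for this page, not from either commenter or from the linked post), the difference between `curl ... | bash` and a download-verify-run flow is small in keystrokes but large in what you are trusting. The script below downloads nothing: it builds a harmless stand-in "installer" in a temp directory, pins its SHA-256, and refuses to execute a tampered copy whose digest no longer matches. The function names, file names and the `$URL` / `$PINNED_HASH` placeholders in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Instead of
#   curl -sSL "$URL" | bash
# fetch to a file, compare its digest against a hash obtained out of band
# (vendor release page, signed announcement, your own pinned value),
# and execute only on a match.

sha256_of() {
    # coreutils on Linux provides sha256sum; macOS/BSD ship shasum instead.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns its exit status only if FILE's digest equals
# EXPECTED_SHA256. On mismatch it prints both digests to stderr, leaves the
# file in place for inspection, and returns 1 without executing anything.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed demo data (no network): a benign script standing in for the
# download, plus a copy with one line appended to simulate tampering.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho "installer ran"\n' > "$demo_dir/install.sh"
good_hash=$(sha256_of "$demo_dir/install.sh")
cp "$demo_dir/install.sh" "$demo_dir/tampered.sh"
echo 'echo "line appended after the hash was published"' >> "$demo_dir/tampered.sh"

# Real-world shape of the same call (URL and hash are placeholders):
#   curl -sSLo install.sh "$URL" && verify_then_run install.sh "$PINNED_HASH"
verify_then_run "$demo_dir/install.sh" "$good_hash"
verify_then_run "$demo_dir/tampered.sh" "$good_hash" || echo "tampered copy refused, as intended"
```

A checksum only proves the file is the one the publisher described; it says nothing about whether that publisher is trustworthy, which is the separate problem the signed-images discussion above is about. It does, however, turn a silent substitution in transit or on a mirror into a loud failure instead of a root shell.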