[arch-general] On containers. WAS: Re: snapcraft.io ...
Jack L. Frost
fbt at fleshless.org
Fri Nov 25 10:31:13 UTC 2016
On Thu, Nov 24, 2016 at 03:19:49PM +0100, Martin Kühne via arch-general wrote:
> This whole sandboxing and containerisation idiocy is such a pain.
Containers are useful — I'm saying this as an admin with 10 years of
experience. Having semi-isolated controlled environments for testing, building,
just plain not having useless packages pile up on the host is really
convenient. Having said that, I think using them to isolate programs is an
entirely wrong approach to security. From my experience, making something more
complex almost never leads to it being more robust or secure. Another level of
abstraction means new bugs — and security holes, of course — which is the
complete opposite of what we're trying to solve.
What's more, it will harm the ecosystem in general IMO. Even now I see projects
abandoning any efforts to make their software packageable — just drop this
docker container into your system and you'll be fine! Of course you have to now
rely on the upstream to update the container AND it's built on a system that is
very different from what you're using in your environment, but who cares, it's
a container! So convenient! So safe!
I went on a rant there — as I often do — but eh, that's my two cents.
P.S. To be fair, this approach isn't limited to containers or snap/flatpak
packages. And it's nothing new. Gitlab and Chef are mainly distributed in a
single isolated environment that might as well be a container: drop the whole
thing into /opt, let it do the rest. Gitlab has its own chef inside FFS.
BTW has anyone managed to get the chef server running on an Arch install? I'm
seriously asking.