[langsec-discuss] Docker

dan at geer.org dan at geer.org
Sat Jun 14 00:37:05 UTC 2014


 | On 10.06.2014 23:48, dan at geer.org wrote:
 | > 
 | > Of possible interest.
 | > 
 | 
 | Hi,
 | 
 | I fail to see where docker fits within langsec?
 | 
 | Could you please explain this a bit?


I just thought it was interesting to have yet another "write once,
run anywhere" utopia showing up when as far as I can tell such
utopias are guaranteed to exhibit the very problems that the LANGSEC
mindset so aptly warns about.  Quoting Docker's come-on,

   Docker is an open platform for developers and sysadmins to build,
   ship, and run distributed applications. Consisting of Docker
   Engine, a portable, lightweight runtime and packaging tool, and
   Docker Hub, a cloud service for sharing applications and automating
   workflows, Docker enables apps to be quickly assembled from
   components and eliminates the friction between development, QA,
   and production environments. As a result, IT can ship faster and
   run the same app, unchanged, on laptops, data center VMs, and
   any cloud.

Doesn't that have to produce impedance mismatches between components
that have been assembled with this new kind of glue (Component A
expects sanitized input but it is getting something else from
Component B)?  In any case, the idea that the operating system has
been abstracted away to the point of irrelevance just rubs me the
wrong way -- me and David Wheeler:

   All problems in computer science can be solved by another level of
   indirection... Except for the problem of too many layers of
   indirection.

In the meantime, the group of Clark, Smith, Blaze, and others at
Penn have convinced me that application code reuse is a net negative
for cyber security; that's a little orthogonal, but not entirely.

YMMV,

--dan



More information about the langsec-discuss mailing list