https://www.explainxkcd.com/wiki/index.php/2044:_Sandboxing_Cycle

Oof. I'm anxious that folks are going to get the wrong idea here.

While OCI does provide security benefits, it is not a part of a healthly security architecture.

If you see containers advertised on a security architecture diagram, be alarmed.

If a malicious user gets terminal access inside a container, it is nice that there's a decent chance that they won't get further.

But OCI was not designed to prevent malicious actors from escaping containers.

It is not safe to assume that a malicious actor inside a container will be unable to break out.

Don't get me wrong, your point stands: Security loves it when we use containers.

I just wish folks would stop treating containers as "load bearing" in their security plans.

Sounds like an ugly retrofit of bsd jail

Containerized software is huge in the sciences for reproducible research. Or at least it will/should be (speaking as someone adjacent to bioinformatics and genomics)

Isn't Docker massively insecure when compared to the likes of Podman, since Docker has to run as a root daemon?

You don't have to ship a second OS just to containerize your app.

It eliminates the dependency of specific distributions problem and, maybe more importantly, it solves the dependency of specific distribution versions problem (i.e. working fine now but might not work at all later in the very same distribution because some libraries are missing or default configuration is different).

For example, one of the games I have in my GOG library is over 10 years old and has a native Linux binary, which won't work in a modern Debian-based distro by default because some of the libraries it requires aren't installed (meanwhile, the Windows binary will work just fine with Wine). It would be kinda deluded to expect the devs would keep on updating the Linux native distro (or even the Windows one) for over a decade, whilst if it had been released as a Docker app, that would not be a problem.

So yeah, stuff like Docker does have a reasonable justification when it comes to isolating from some external dependencies which the application devs have no control over, especially when it comes to future-proofing your app: the Docker API itself needs to remain backwards compatible, but there is no requirement that the Linux distros are backwards compatible (something which would be much harder to guarantee).

Mind you, Docker and similar is a bit of a hack to solve a systemic (cultural even) problem in software development which is that devs don't really do proper dependency management and just throw in everything and the kitchen sink in terms of external libraries (which then depend on external libraries which in turn depend on more external libraries) into the simplest of apps, but that's a broader software development culture problem and most of present day developers only ever learned the "find some library that does what you need and add it to the list of dependencies of your build tool" way of programming.

I would love it if we solved what's essentially the core Technical Architecture problem of in present day software development practices, but I have no idea how we can do so, hence the "hack" of things like Docker of pretty much including the whole runtime environment (funnilly enough, a variant of the old way of having your apps build statically with every dependency) to work around it.

Docker is more than a cop out for than one use case. It's a way for quickly deploy an app irrespective of an environment, so you can scale and rebuild quickly. It fixes a problem that used to be solved by VMs, so in that way it's more efficient.

Why put in a little effort when we can just waste a gigabyte of your hard drive instead?

I have similar feelings about how every website is now a JavaScript application.

I hate that it puts package management in Devs hands. The same Devs that usually want root access to run their application and don’t know a vulnerability scan for the life of them. So now rather than having the one up to date version of a package on my system I may have 3 different old ones with differing vulnerabilities and devs that don’t want to change it because “I need this version because it works!”

If this is your take your exposure has been pretty limited. While I agree some devs take it to the extreme, Docker is not a cop out. It (and similar containerization platforms) are invaluable tools.

Using devcontainers (Docker containers in the IDE, basically) I'm able to get my team developing in a consistent environment in mere minutes, without needing to bother IT.

Using Docker orchestration I'm able to do a lot in prod, such as automatic scaling, continuous deployment with automated testing, and in worst case near instantaneous reverts to a previously good state.

And that's just how I use it as a dev.

As self hosting enthusiast I can deploy new OSS projects without stepping through a lengthy install guide listing various obscure requirements, and if I did want to skip the container (which I've only done a few things) I can simply read the Dockerfile to figure out what I need to do instead of hoping the install guide covers all the bases.

And if I need to migrate to a new host? A few DNS updates and SCP/rsync later and I'm done.

Docker or containers in general provide isolation too, not just declarative image generation, it's all neatly packaged into one tool that isn't that heavy on the system either, it's not a cop out at all.

If I could choose, not for laziness, but for reproducibility and compatibility, I would only package software in 3 formats:

• Nix package
• Container image
• Flatpak

The rest of the native packaging formats are all good in their own way, but not as good. Some may have specific use cased that make them best like Appimage, soooo result...
Yeah, no universal packaging format yet