Warfork

Fork of the older warsow, open source movement shooter. Think quake.

Sadly, it seems to be dead on steam.

[-] moonpiedumplings@programming.dev 5 points 2 months ago* (last edited 2 months ago)

I attempted to find evidence to support this.

I found one reddit post claiming this, but they themselves did not provide any evidence.

freedom of religion is a human right bruh i did not say anything but i believe in god the banned me and claimed i was being homophobic 1. i said nothing about it 2. stfu even if i was

Not exactly the most compelling piece of evidence, and this was all I could find.

[-] moonpiedumplings@programming.dev 6 points 4 months ago* (last edited 4 months ago)

I can spiral my tongue, so that the front part is fully upside down - but only to the left. I can't rotate it to the right at all for some reason, it's like the equivalent muscles are missing.

[-] moonpiedumplings@programming.dev 5 points 6 months ago

The comparison isn't quite right because you can use git with any provider (Github, gitlab, etc), including multiple at once.

On the other hand, snap is hardcoded to only be able to use one store at a time, the snap store. To modify this behaviour, you would have to make changes to the snap client source code.

It's a crucial difference.

[-] moonpiedumplings@programming.dev 5 points 6 months ago* (last edited 6 months ago)

I use this too, and it should be noted that this does not require wireguard or any VPN solution. Rathole can be served publicly, allowing a machine behind a NAT or firewall to connect.

[-] moonpiedumplings@programming.dev 6 points 7 months ago* (last edited 7 months ago)

Docker's manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of two of the worst footguns in docker in one.

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

[-] moonpiedumplings@programming.dev 6 points 7 months ago

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

My problem with this is that when running a public facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

```yaml
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped
```

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.
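An added example, not part of the original comments and not code from Docker or linuxserver: a small audit over a parsed Compose file that flags the two footguns discussed in the comments above, ports published without a loopback or specific host IP and a mounted Docker socket. It assumes the daemon's default behaviour of binding published ports on all interfaces; the function names and the hardened variant are hypothetical.

```python
import re

DOCKER_SOCKET = "/var/run/docker.sock"
# Assumption: daemon default, where a port with no host IP is published on every interface.
WILDCARD_IPS = {None, "", "0.0.0.0", "::", "[::]"}

def published_host_ip(entry):
    """Host IP a `ports:` entry binds to; None when the entry names no IP."""
    if isinstance(entry, dict):                  # long syntax: host_ip / published / target
        return entry.get("host_ip")
    spec = str(entry).split("/")[0]              # drop a trailing /tcp or /udp
    m = re.match(r"(\[[0-9A-Fa-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):", spec)
    return m.group(1) if m else None

def volume_source(entry):
    """Host path of a `volumes:` entry in short ("src:dst[:mode]") or long syntax."""
    if isinstance(entry, dict):
        return entry.get("source")
    return str(entry).split(":")[0]

def audit(compose):
    """Return (service, finding, entry) tuples for a parsed Compose document."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for entry in svc.get("ports") or []:
            if published_host_ip(entry) in WILDCARD_IPS:
                findings.append((name, "port-on-all-interfaces", str(entry)))
        for entry in svc.get("volumes") or []:
            if volume_source(entry) == DOCKER_SOCKET:
                findings.append((name, "docker-socket-mounted", str(entry)))
    return findings

# Constructed input: the Compose file from the comment above, as yaml.safe_load would return it.
WEBTOP = {"services": {"webtop": {
    "image": "lscr.io/linuxserver/webtop:latest",
    "volumes": ["/path/to/data:/config", "/var/run/docker.sock:/var/run/docker.sock"],
    "ports": ["3000:3000", "3001:3001"],
}}}
# Constructed hardened variant: loopback-only publishing, no socket mount.
HARDENED = {"services": {"webtop": {
    "image": "lscr.io/linuxserver/webtop:latest",
    "volumes": ["/path/to/data:/config"],
    "ports": ["127.0.0.1:3000:3000", "127.0.0.1:3001:3001"],
}}}

if __name__ == "__main__":
    for finding in audit(WEBTOP):
        print(finding)
```

With the loopback binding, the service is reachable only from the host itself, so remote access has to go through something the operator configures deliberately, such as a reverse proxy or tunnel.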

[-] moonpiedumplings@programming.dev 5 points 8 months ago* (last edited 8 months ago)

By a twitch streamer vtuber: https://github.com/cyberkaida/reverse-engineering-assistant

An AI assistant that hooks into Ghidra, explaining what things do.

[-] moonpiedumplings@programming.dev 5 points 8 months ago

Nothing that is more questionable than lxd, which now requires a contributor license agreement, allowing canonical to not open source their hosted versions, despite lxd being agpl.

Thankfully, it's been forked as incus, and debian is encouraging users to migrate.

But yeah. They haven't said what makes proxmox's license questionable.

My problem with this is, what stops people from simply violating the license anyways? Is futo going to go after every license violator? Do they even have the power to do so?

I've seen people make adware versions of closed source apps as well, so even not having the code public and online doesn't stop people.

If you have multiple firefox profiles, then you have to create a sync account for each one if you want to sync. Not a good idea if you have 5 profiles, some of them using a main email (like a corp or school) that won't be around forever.

Being able to sync multiple profiles with only one account is convenient for me.


moonpiedumplings

joined 1 year ago