[-] moonpiedumplings@programming.dev 6 points 2 months ago

I like ORMs because they prevent SQL injection. Mostly. SQL injection is a really bad vuln that's nowhere near as ubiquitous as it used to be for every PHP app, and that's partly due to ORMs.
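An added example to show the mechanism behind that comment (it is example code written here, not code from the comment or from any particular ORM): the same lookup written by pasting input into the SQL text and written with a bound parameter, plus a sketch of what an ORM does under the hood. The table, rows and the `orm_style_filter` helper are constructed for this example; the "mostly" in the comment shows up in the helper, because table and column names cannot be bound parameters and still need an allowlist.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable form: untrusted input becomes part of the SQL text, so a quote
    in the input changes the query's structure instead of being data."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list[str]:
    """Safe form: the value travels as a bound parameter and is never parsed as SQL.
    This is what an ORM emits for a filter on a column."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed probe input for the demonstration: a stray quote plus a tautology.
PROBE = "' OR '1'='1"

# Identifiers cannot be bound, so an ORM-style builder must validate them itself.
ALLOWED_COLUMNS = {"users": {"id", "name", "email"}}


def orm_style_filter(conn: sqlite3.Connection, table: str, **conditions: str) -> list[str]:
    """Sketch of an ORM filter (hypothetical helper): values are bound parameters,
    table and column names are checked against an allowlist before being
    interpolated, since placeholders only work for values."""
    columns = ALLOWED_COLUMNS[table]  # KeyError for a table this model does not know
    for column in conditions:
        if column not in columns:
            raise ValueError(f"unknown column {column!r} for table {table!r}")
    where = " AND ".join(f"{column} = ?" for column in conditions)
    sql = f"SELECT name FROM {table} WHERE {where}"
    return [row[0] for row in conn.execute(sql, tuple(conditions.values()))]


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", find_user_concat(db, "alice"))
    print("concat, probe input  :", find_user_concat(db, PROBE))   # every row leaks
    print("param, probe input   :", find_user_param(db, PROBE))    # no row matches
    print("orm-style filter     :", orm_style_filter(db, "users", name="bob"))
```

The interesting line is the second print: with string concatenation the probe input returns every user, while the parameterised query treats the same string as an ordinary (non-matching) name. The allowlist in `orm_style_filter` is the part an ORM still has to get right itself, and it is why dynamic table or column names are the usual place injection survives behind an ORM.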

[-] moonpiedumplings@programming.dev 6 points 2 months ago

Debian repos are basically guaranteed safe: https://programming.dev/comment/22863237

Flathub is much, much safer than, say, the Google Play Store, but it ultimately does follow a model of app developers submitting packages which get reviewed and approved. In theory, someone could sneak malware past that, although there haven't been any incidents (perhaps Flathub's review is very effective?). But the Snap Store, which follows a similar model, has had malware. But Canonical hasn't been the best steward of that one.

In addition to this, not all stuff on flathub is open source, which is definitely concerning.

Thankfully, Flatpak has a built-in sandboxing system, which lets you limit what the apps have access to. KDE has a UI for it, and there is also the GUI app Flatseal.

[-] moonpiedumplings@programming.dev 6 points 6 months ago* (last edited 6 months ago)

https://music.youtube.com/playlist?list=PLXW0UFGge4IU4SZE1rsCkKlVbmYgATN96

My curated playlist of entirely "nerdcore", which is music inspired by (but not directly from) anime and video games.

[-] moonpiedumplings@programming.dev 6 points 7 months ago

Microblog clients, which may expect mastodon like interfaces, do this by default.

[-] moonpiedumplings@programming.dev 6 points 11 months ago

I find this comparison unfair because k3s is a much more batteries-included distro than the others, coming with an ingress controller (Traefik) and a few other services not in Talos or k0s.

But I do think Talos will end up the lightest overall because Talos is not just a k8s distro, but also an extremely stripped-down Linux distro. They don't use systemd to start k8s; they have their own tiny init system.

It should be noted that Sidero Labs is the creator of Talos Linux, which another commenter pointed out.

[-] moonpiedumplings@programming.dev 6 points 1 year ago* (last edited 1 year ago)

No. There was malware in the releases. The issue was most likely accidental, something that spread from their computer. But they didn't handle it well.

Discussed here:

https://www.reddit.com/r/EmulationOnAndroid/comments/1k95pzb/winlator_and_its_forks_reported_to_be_infected_by/?share_id=UJbVQpRO9yp5PAWKIFf3I

The emulation-on-Android community definitely has a problem with ungrateful trolls though, particularly on the Discords, which is why I am annoyed whenever projects bother to create one. I've seen 2-3 projects get shut down because of harassment on their Discords.

The FSF doesn't seem to have teeth when it comes to things like this, instead it's the SFC who intervenes.

In January, the Software Freedom Conservancy, an open source advocacy group that intervened to help Suhy several years ago, submitted an amicus brief to the Ninth Circuit

Warfork

Fork of the older Warsow, an open-source movement shooter. Think Quake.

Sadly, it seems to be dead on steam.

[-] moonpiedumplings@programming.dev 6 points 2 years ago* (last edited 2 years ago)

Docker's manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect that, like most other services, Docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, Podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of two of the worst footguns in Docker in one.

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev's point of view (not that it is right or wrong), this is intended behavior simply because if docker didn't do this, they would get 1,000 issues opened per day of people saying containers don't work when they forgot to add a firewall rule for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev's point of view (not that it is right or wrong), this is intended behavior simply because if docker didn't do this, they would get 1,000 issues opened per day of people saying containers don't work when they forgot to add a firewall rule for a new container.

My problem with this is that when running a public-facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

```yaml
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped
```

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at Shodan or ZoomEye, internet-connected-device search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

You could write the entire program in awk,

https://github.com/djanderson/aho

400+ years, Native American Haudenosaunee (improper name Iroquois) tribe:

https://atlantaciviccircle.org/2021/11/17/native-americas-influence-on-american-democracy/

And they let women vote, too.


moonpiedumplings

joined 2 years ago