keeping all these containers up to date
Updates are a good way to get the security holes fixed, but unfortunately it’s also often how the holes get in in the first place.
I mean, for most projects it’s kind of sensible to assume that over a long time, the code will become rather more secure and less buggy, so eventually the pros/cons might come out in favor of a strategy of updating every time. But it’s good to know that every update is inherently a double-edged sword.
That’s why I like the model that distros like Debian use: they keep the code stable for a long time, and only send updates for which a typically independent party (the package maintainer) has already decided that a given update is indeed a necessary bugfix, or even specifically a security fix. A similar policy could of course be applied to a Docker container as well, but I don’t know how many projects do this, and it would be a per-project policy, most probably not quite independent.
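One way a project could apply that Debian-style policy to its own images, added here as an example and not code from anyone in this thread: pin every base image by digest in the Dockerfile, so the image only changes when a maintainer deliberately commits a new digest, and run a check in CI that flags any FROM line still on a floating tag. The Dockerfile text below is constructed sample input and the sha256 digest is a placeholder, not a real image.

```python
import re

# Constructed sample Dockerfile (not from the thread). The digest is a placeholder value.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
FROM nginx:latest
FROM debian:bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM registry.example.com/team/base AS builder
"""

# FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$", re.IGNORECASE)


def classify_image_ref(ref):
    """Classify an image reference by how tightly it is pinned.

    'digest'   - pinned to content; cannot change underneath you
    'tag'      - a named tag; the registry can republish it with new content
    'floating' - the ':latest' tag; changes on every upstream release
    'untagged' - no tag at all, which Docker treats as ':latest'
    'builtin'  - 'scratch', the empty base image; nothing to pin
    """
    if ref == "scratch":
        return "builtin"
    if DIGEST_RE.search(ref):
        return "digest"
    # The tag is the part after the last ':' that follows the last '/',
    # so a registry host with a port (host:5000/repo) is not mistaken for a tag.
    name_part = ref[ref.rfind("/") + 1:]
    if ":" in name_part:
        tag = name_part.split(":", 1)[1]
        return "floating" if tag == "latest" else "tag"
    return "untagged"


def audit_dockerfile(text):
    """Return (line_number, image_ref, kind) for every FROM line that is not digest-pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_image_ref(ref)
        if kind not in ("digest", "builtin"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} is {kind}; pin it with @sha256:<digest>")
```

Keeping a human-readable tag next to the digest (as in the `debian:bookworm-slim@sha256:...` line) preserves the "what version is this" information for reviewers while the digest is what actually pins the content; a bot or a maintainer then proposes digest bumps as ordinary reviewable commits, which is where the independent "is this update needed" decision from the comment above gets made.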


i know, right?
if only there was a way to tell other people about these websites in … some kind of an … internet forum. and if the forum was on a nice, not too bot-infested, privacy-respecting, free, distributed and federated platform. that would be cool. one can wish…