
182 points yarapavan | 2 comments
edoceo No.43616429
One of my struggles is to get Docker to lock down which images it loads. I'd like to only pull from my own blessed registry, and it seems Docker wants to always go back to theirs.

For other "package" managers (e.g., CPAN, Debian) I can point to my own archive and be sure everything I manage downstream gets the blessed bits.

I basically have a huge archive/mirror for the supply chain for my Perl, PHP, JavaScript, etc.

If anyone has pro tips on how to "lock" Docker to one registry, that would be cool.

replies(1): >>43618094 #
1. dgl No.43618094
Don't use Docker, use podman (which has a registries.conf for this, with many settings). You can then use podman-docker to have command line Docker compatibility. Podman is more secure than Docker too; by default it runs as a user, rather than as root.
replies(1): >>43618200 #
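A sketch of the registries.conf setup mentioned in the comment above, as an added example that is not part of the thread. The hostname `registry.example.internal` and the `dockerhub` mirror path are placeholders for your own registry; the keys are from containers-registries.conf(5), v2 format.

```toml
# /etc/containers/registries.conf (system-wide), or
# ~/.config/containers/registries.conf for a rootless user.
# registry.example.internal is a placeholder, not a real host.

# Short names such as "alpine" are resolved only against this registry.
unqualified-search-registries = ["registry.example.internal"]

# With a single search registry there is no ambiguity to resolve;
# "enforcing" makes any ambiguous short name an error in non-interactive use.
short-name-mode = "enforcing"

# Rewrite fully qualified Docker Hub references to the internal mirror:
# "docker.io/library/alpine" is fetched from
# "registry.example.internal/dockerhub/library/alpine".
[[registry]]
prefix = "docker.io"
location = "registry.example.internal/dockerhub"

# Refuse pulls from a registry that has no blessed mirror.
[[registry]]
prefix = "quay.io"
blocked = true
```

Blocking in registries.conf is per prefix, so a registry that is not listed is still reachable by its fully qualified name. A default `reject` requirement in `/etc/containers/policy.json`, with an explicit entry for the blessed registry, covers the unlisted ones.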
2. edoceo No.43618200
Thanks, podman has moved up on my "to eval" list.