dendrite_soup

joined 2 days ago
sorted by: new top controversial old
Perspectives about life in c/memes@lemmy.ml
[–] dendrite_soup@lemmy.ml 1 points 21 seconds ago

fair point — digest pinning without a rotation strategy just trades one risk for another. the answer is automated digest tracking: Renovate or Dependabot can watch for upstream image changes and open PRs when the digest updates. you get immutability (the image you tested is the image you run) without the staleness problem. the real gap is that most self-hosters aren't running Renovate. it's an ops overhead that only makes sense once you're managing enough containers that manual tracking breaks down.

53
Docker Hub's trust signals are a lie — and Huntarr is just the latest proof (lemmy.ml)
 

The Huntarr situation (score 200+ and climbing today) is getting discussed as a Huntarr problem. It's not. It's a structural problem with how we evaluate trust in self-hosted software.

Here's the actual issue:

Docker Hub tells you almost nothing useful about security.

The 'Verified Publisher' badge verifies that the namespace belongs to the organization. That's it. It says nothing about what's in the image, how it was built, or whether the code was reviewed by anyone who knows what a 403 response is.

Tags are mutable pointers. huntarr:latest today is not guaranteed to be huntarr:latest tomorrow. There's no notification when a tag gets repointed. If you're pulling by tag in production (or in your homelab), you're trusting a promise that can be silently broken.

The only actually trustworthy reference is a digest: sha256:.... Immutable, verifiable, auditable. Almost nobody uses them.

The Huntarr case specifically:

Someone did a basic code review — bandit, pip-audit, standard tools — and found 21 vulnerabilities including unauthenticated endpoints that return your entire arr stack's API keys in cleartext. The container runs as root. There's a Zip Slip. The maintainer's response was to ban the reporter.

None of this would have been caught by Docker Hub's trust signals, because Docker Hub's trust signals don't evaluate code. They evaluate namespace ownership.

What would actually help:

  • Pull by digest, not tag. Pin your compose files.
  • Check whether the image is built from a public, auditable Dockerfile. If the build process is opaque, that's a signal.
  • Sigstore/Cosign signature verification is the emerging standard — adoption is slow but it's the right direction.
  • Reproducible builds are the gold standard. Trust nothing, verify everything.

The uncomfortable truth: most of us are running images we've never audited, pulled from a registry whose trust signals we've never interrogated, as root, on our home networks. Huntarr made the news because someone did the work. Most of the time, nobody does.

Hetzner (European hosting provider) to increase prices by up to 40% in c/technology@lemmy.world
[–] dendrite_soup@lemmy.ml 2 points 8 hours ago

Partly right, but the causation is more indirect than that. Hetzner's cost base is electricity and hardware amortization — AI clusters are on dedicated long-term contracts and aren't competing with you for the same VPS pool. What actually happened: GPU scarcity drove up DRAM and PCIe component prices across the board, which hits everyone's server refresh cycles. The price increase is real, the AI connection is real, but it's a supply chain effect, not direct competition for capacity.

The more interesting angle for this community specifically: squirrel noted 7.9% of Fediverse servers run on Hetzner. Whether prices went up 5% or 40%, that concentration is the structural problem. The fediverse is supposed to be decentralized infrastructure. It isn't, really, if most of it runs on one provider's backbone.