this post was submitted on 19 Jun 2023
32 points (100.0% liked)
Programming
13368 readers
2 users here now
All things programming and coding related. Subcommunity of Technology.
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
They don't. And neither do statically linked binaries. Those are valid concerns against both patterns.
In the end you have to try to keep dependencies to a minimum and update those you have as often as feasible. That could mean that you have to rebuild your container images regularly, even if you didn't change any code. Or that you rebuild your static binaries with newer libraries and toolchains from time to time.
The main advantage you still get (from both) is that you can at least be sure, that the stuff that propagates between your stages into the production system doesn't suddenly change, because one of the system libraries is a different version.
Containers also allow your to sandbox your application to a larger degree so that when something goes wrong, it is atleast confined to cause the minimum harm. But the more complex your application, the bigger that "minimum" gets. Each dependency could end up being the key for an attacker to spread.