Afraid of loosing posturing, like the US did when they used their economic advantage to do just that. People, even the good guys, don’t like knowing that they don’t have total control over their wealth… and by using the bad guy’s money, even in justified matters, it sends a message to everyone in the broadest of daylight: “we control the money.”

If your advantage comes from other countries being willing to invest in your currencies, then trust becomes a huge part of that advantage. People care about money, not ethics, when they’re concerned about where to store their billions.

^ Don’t trust this guy. He’s going to sell you a timeshare or some shit.

Gitea Actions, as well.

Wow, my comment was really misinterpreted. Not once did I condone Nazi ideology, nor provide any form of justification or apology to their ideology. I brought up an ethics debate regarding the practicality of a law confining the movement of one’s body. I asked about the merit of perception versus reality. Calling me a Nazi apologist completely misses the forest for the trees… and those weren’t even my trees.

I’m not a free speech absolutist. I just live in a society where a huge argument against this kind of legislation is the potential for abuse. Please forgive me for wanting to explore these concepts together, rather than hiding within my own ignorance like so many others do.

deleted by creator

The guns were legally obtained, meaning these weren’t “banned guns.”

Does that mean, in a theoretical world where wealth is by all means easily distributed, you’ve got a mere 0.001% that could triple the per-individual wealth of half of the worlds population—if we just took theirs and passed it out?

I’ve heard philosophers say, it’s a figure of authority’s continuous responsibility to justify its existence. Given, wealth is influence and influence is authority, should we not audit cases where wealth is so concentrated and ask ourselves question like ”how is this contributing to the benefit of all?”

I’d.argue, we shouldn’t allow such concentration of wealth in the first place—meaning there should be a preventative plan that Just Works. This can be compatible with whatever else you want, free markets or not. Be it a stronger progressive tax or a cultural change toward worker collectives owning the means to production, there just shouldn’t be such wealthy entities.

The concentration on wealth leads to concentration of influence, meaning politics and media. We’ve had a shrinking number of independent major news organizations since the 1980s. A 1983 analysis showed that about 50 companies “controlled more than half” of U.S. media. Today, there are estimates of a handful of people owning the vast majority. Not to mention, they can apparently choose to purchase massive Social Media platforms (like Twitter) immediately before an election.

Right now, though, we have this problem where such silos already exist. They use their influence, vast as it is, to protect and enrich themselves—PACs, Super PACs, gratuities, lobbying firms, and more recently meme coins. All acting as a conduit to influence politics and legislation. We can’t make progress while these issues continue to stand in our way, can we? So, what do you do?

Who’s to bet there’s not a strategy being honed since WWII on how to bootstrap an army as fast and effectively as possible?

These might be apples and oranges, but how does NextCloud compare to Seafile?

Maybe if by “developed” you mean capitalistic.

Littering?

I was curious and, yeah, it seems like docker hub not requiring signature means many popular publishers don’t bother to sign. But that’s not to say it can’t be done. For example: https://github.com/sigstore/cosign

Today, cosign has been tested and works against […] Docker Hub

Again we’re talking past each other. I’m sure those results are available and I’m aware docker doesn’t verify signatures automatically, but I’m asking how that necessarily makes docker insecure in spite of best practices being implemented. It’s about pinning yourself to trusted digests and having a verification process (like time) before updates. Why would you need authorship verification in that case? If there’s a good answer to that, I’d consider alternatives too. I’m just saying I don’t think it’s inherently insecure over this, and at face value It boils back down to the classic: don’t download untrusted software.

You’re making big claims on security here, like “cannot be done,” and each time you do I feel like we’re talking past each other a bit. I never claimed you can verify that the person who pushed the container had access to a private key file. I claimed you can verify the security of a container, specifically by auditing it and reviewing the publisher’s online presence. Best practices. Don’t upgrade right away, and pin digests to those which can be trusted.

When you pin a digest, you’re not going to get a container some malicious agent force pushed after the fact. You pinned the download to an immutable digest, so hot-swapping the container is out the window. What, as I understand, you’re concerned with is the scenario that a malicious actor (1) compromised the registry login beforehand, (2) you pinned the digest after hand, and (3) the attack is unnoticed by you and everyone else.

I’m trying to figure out under what conditions this would actually occur, and thus justifies the claim that docker pull is insecure. In a work setting, I only see this being an issue if the process to test/upgrade existing ones is already an insecure process. Can you help me understand why I should believe that, even with best practices in place, Dockers own insecurities are unacceptable? Docker is used everywhere and I’m reluctant to believe everyone just doesn’t care about an unmanageable attack vector.

You’re talking about authorship. Sure. But if you verify the container yourself as secure and pin the digest, what’s the issue?

What are you talking about, “yeah that’s the insecurity I’m talking about.”

I didn’t mention an insecurity and neither have you. Would you mind being a little more clear than “Docker pull is insecure?”

Frankly, I was expressing confidence in dockers security. It goes without saying though, any user can do insecure things like download from untrusted sources. That’s not dockers problem though, it’s the users.

Edit: I see now that you added “it’s the download that’s not verified.” Integrity is verified, so I assume you mean authorship (via signing)? I guess you’re saying that, if admin credentials are stolen from a container publisher and the thief force pushes malicious code into the registry under a pre-existing tag—then you would be exposed to that?

Even in that case, though, a digest cannot be overwritten. Tags can. So you’d just pin the digest to avoid this one attack vector?

You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.

How exactly would docker pull be any more insecure than something like pip install? Or, really anything… Let’s go with your preferred alternative, how are you going to get it on your machine in a more secure way than docker provides?

Docker uses TLS with registries, layers and manifests have cryptographic digests, checksums, and you can verify the publisher yourself. Push it into your own registry if you want, or just don’t use latest.

Docker is a security risk? … excuse me, what? Can’t you just, idunno, secure the environment that docker runs in? Use rootless images? Use immutable images?

And, are you asking for something that runs on bare metal? Couldn’t you just install the ISO that the dockerfile uses, then convert the dockerfile logic to an sh script?

“The tools to manipulate the central nervous system – to sedate, confuse or even coerce – are becoming more precise, more accessible and more attractive to states.”

The book traces the fascinating, if appalling, history of state-sponsored research into central nervous system (CNS)-acting chemicals.

This sounds like propaganda made into steroid form, quite literally.

They’re going to slap speeding tickets on the rubble. You laugh now, but those tickets add up fast and Ukraine might loose its drone license.