Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Blog claims Alpine is based around being secure and light weight...but gives no indication on why it is secure. Oh, lightweight because of busy box? Is there scrutiny on packages installed? I don't see the security component.

Maybe Docker can reveal more there, though given how they iterate and things break, I'm not sure they are willing (or capable).



From the Alpine linux site: "Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities."

I got excited, but then remembered - grsec will not affect containers. Neither will PaX unfortunately. PIE + stack smashing protection is already available in most serious distros. From the basic info I can find, I don't see a huge difference.

For comparison Ubuntu provides its list here: https://wiki.ubuntu.com/Security/Features It's similar to Fedora: https://fedoraproject.org/wiki/Security_Features_Matrix And to Arch (no nice table though) https://wiki.archlinux.org/index.php/DeveloperWiki:Security - Alpine doesn't seem to provide similar summary.

[edit: sorry, I stealth-edited the realisation]


Containerization uses the host's kernel, so it doesn't matter what the kernel is in the image.

Edit: I see your edit. Yep.


Having less crap in by default reduces the attack surface area. Having a smaller libc makes it easier to audit. (It still needs to actually be audited of course)


I'd like to hear who audits obscure libcs.


musl isn't very obscure to those who are..."into" (for want of a better term) libc alternatives


Since I'm getting downloaded into oblivion over this, where is the latest audit?


This does not give me a vote of confidence: http://lists.alpinelinux.org/alpine-security/


From the article > 2. Security is improved as the image has a smaller footprint thus making the attack surface also smaller

Not saying you need to agree with that. But that does appear to be at least an "indication"


Image footprint has nothing to do with the packages installed in that image.

This is complete hogwash from a security point of view.

Yes "smaller" could = "more secure", but, yeah, no.


Remind them that DOS was pretty small. Must be way more secure than Linux due to reduced attack surface. ;)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: