Hacker News: goodpoint's comments

No, it's not security. It never was.


Weird micro-aggression without any argument to back it up.


...only in the US.


Not from what I heard from a boss who visited a European nuclear plant.

The site contains the most dangerous poison on Earth, which is also a key component in the most feared weapon on Earth. Do you suppose in the UK they just put up signs saying "Sir or madam, kindly do not steal our plutonium"?


The shitty app requires cloud access to set boundaries to protect carpets from being washed.


From their website:

> Contrary to common expectations when it comes to software released under a FOSS-like license, Valetudo is not a community-driven project; nor does it even have a community in that sense.

And I witnessed similar, very unfriendly interactions.


No, swap is absolutely fine if used correctly.


The author is incorrect. Keeping the packaging files under git is done out of convenience but it does not help for security and reproducibility.

The packages uploaded in Debian are what matters and they are versioned.


And how are you supposed to verify that the right packages have been uploaded?

The easiest way to verify that is by using a reproducible automated pipeline, as that moves the problem to "were the packaging files tampered with".

How do you verify the packaging files? By making them auditable by putting them in a git repository, and for example having the packager sign each commit. If a suspicious commit slips in, it'll be immediately obvious to anyone looking at the logs.
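The check described in the comment above (signed commits, with anything suspicious standing out in the logs) can be automated. The following is an added example, not code from the thread or from Debian: it parses the output of `git log --format='%H %G? %GK %s'`, whose `%G?` status codes and `%GK` key field are real git features, and flags every commit that is not carrying a good signature from a known packager key. The trusted key ID and the sample log lines are constructed placeholders.

```python
"""Flag commits in a packaging repository that lack a good signature from a known key."""
import subprocess
from dataclasses import dataclass

# Long key IDs of packagers allowed to sign commits (constructed placeholder).
TRUSTED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Meaning of git's %G? signature status codes.
STATUS = {
    "G": "good signature",
    "U": "good signature, but the key is not trusted",
    "B": "bad signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}

GIT_FORMAT = "%H %G? %GK %s"


@dataclass
class Finding:
    commit: str
    status: str
    key: str
    subject: str
    reason: str


def parse_log(text):
    """Parse lines produced by `git log --format='%H %G? %GK %s'`."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # %GK is empty for unsigned commits, which leaves two spaces before %s;
        # a maxsplit of 3 keeps the empty key field in place.
        parts = line.split(" ", 3)
        while len(parts) < 4:
            parts.append("")
        rows.append(tuple(parts))
    return rows


def audit(text, trusted_keys=TRUSTED_KEYS):
    """Return a Finding for every commit not signed with a good, trusted signature."""
    findings = []
    for commit, status, key, subject in parse_log(text):
        if status == "G" and key in trusted_keys:
            continue
        if status == "G":
            reason = f"good signature, but key {key} is not a known packager key"
        else:
            reason = STATUS.get(status, f"unknown status {status!r}")
        findings.append(Finding(commit, status, key, subject, reason))
    return findings


def git_log(revrange):
    """Run git log with the expected format (needs git and the signing keys locally)."""
    return subprocess.run(
        ["git", "log", f"--format={GIT_FORMAT}", revrange],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample output: hashes, key IDs and subjects are made up.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G 0123456789ABCDEF0123456789ABCDEF01234567 Update changelog for 1.2-3
2222222222222222222222222222222222222222 G FEDCBA9876543210FEDCBA9876543210FEDCBA98 Tweak build flags
3333333333333333333333333333333333333333 N  Fix typo in README
4444444444444444444444444444444444444444 B 0123456789ABCDEF0123456789ABCDEF01234567 Bump upstream tarball
5555555555555555555555555555555555555555 G 0123456789ABCDEF0123456789ABCDEF01234567 Add build dependency
"""

if __name__ == "__main__":
    # Against a real repository, replace SAMPLE_LOG with git_log("origin/main..HEAD").
    for f in audit(SAMPLE_LOG):
        print(f"{f.commit[:12]} {f.status} {f.reason}: {f.subject}")
```

Run in a packaging repository, this turns "look at the logs" into a gate a pipeline can refuse to build on; the trusted-key set should come from the project's keyring rather than a literal in the script.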


> The easiest way to verify that is by using a reproducible automated pipeline

Conversely, this is also an attack surface. It can be easy to just hit "accept" on automated pipeline updates.

New source for bash? Seems legit ... and the source built ... "yeah, ok."


Actually, the uploads to Debian are signed and the build process is reproducible and audited.

Distros do not need to update packages on each and every upstream commit.


> contagious license

Can I catch GPL inadvertently and against my will? No, it is not "contagious".


Sorry, I'll put that in air quotes; I don't believe free software is disease-causing :) I was just speaking about the common concern, which is whether or not AGPL copyleft applies to everything involved in responding to a network request (it does not).


5. They astroturfed permissive licenses


His luck did.


It would not block many other attacks.


Can you give some examples? I think of my containers as decently good security boundaries, so I'd like to know what I'm missing.


Containers share resources at the OS level, VMs don't. That's the crucial difference.


Containers share the whole kernel (and more) so there's a massive attack surface.

