Re: [atomic-devel] Screen in Atomic

[Stephen Major <smajor gmail com>]

I wasn't saying that adding screen by itself was a huge security decision as you have pointed out in comparison; docker itself has a history.

What I was pointing out was my concerns of more and more packages being added to atomic increasing the attack footprint.

Today the discussion is about screen tomorrow it is about another and everyone uses the same lame comparison to the security of docker.

A system with just docker is a harder target than a system with docker plus 100 other packages  but what would I know ;)

---

From: Trevor Jay
Sent: ‎4/‎21/‎2015 7:16 PM
To: Colin Walters
Cc: atomic-devel projectatomic io
Subject: Re: [atomic-devel] Screen in Atomic

On Tue, Apr 21, 2015 at 06:31:07PM -0400, Colin Walters wrote:
> [...]
> One thing I should emphasize though is that while you *can* run `screen`
> or `tmux` from inside a Docker container, it has many flaws, among them
> that a major point of the tool is to be able to run commands on the host
> - so you need to purely escape. [...]
>

Exactly. screen/tmux aren't on the same "slippery slope". Asking for screen/tmux isn't like asking for vim. It's a meta-feature for managing your containers themselves. 

In fact, adding screen or tmux would make using containers to extend functionality easier, so in the long run it makes it less likely for people to ask for other features/utilities. It decreases the angle of the slippery slope.

On extending the vulnerabilty surface: I certainly appreciate that adding tmux/screen is also adding potential CVE's. However, let's be real. If we were to prioritize feature addition by likelihood of security issues... Atomic wouldn't have Docker. :)

_Trevor

-- 
Sent from my Amiga 500.
(Trevor Jay) Red Hat Product Security
gpg-key: https://ssl.montrose.is/chat/gpg-key