by shykes
3709 days ago
Disclaimer: I work at Docker. Most of your points are a criticism of TUF, of which Notary and Docker Content Trust are an implementation. Based on your comments I believe you're not familiar with TUF and the scope of problems it solves. Here's a good resource to learn more about it: https://theupdateframework.github.io You clearly are not a fan of Docker and I respect your opinion, I don't really want to engage in that aspect of the discussion. Now, on the specific topic of secure content distribution, I hope you won't let your bias against Docker get in the way of understanding the benefits of TUF. It does improve the state of the art in secure content distribution, and you should really take the time to understand it and perhaps revisit some of your opinions. We're leveraging it in Docker and sharing our implementation, but you don't have to use Docker to use Notary or TUF. If after reading about TUF you have specific criticism of it, I would be interested to hear about it.

Let's write a spec:
- Verify integrity and authenticity of a Docker image
The logical implementation:
- Digital signatures, detached or otherwise
Your implementation:
- Multiple complex, daemonic systems to reinvent software updating and, incidentally, signatures based on TUF
Your rationale:
- Digital signatures are not useful alone
So those of us who are aware of the limitations are left out in the cold, because we can't point gpg at a Docker image and just get the problem done. We have to learn this entire system Docker has created that's going to bring a grand unified software updating future. Maybe I have my own Omaha updater already. Maybe I just want dockerd to validate a signature. It is your prerogative to steer Docker toward crafting novel daemon engineering for every possible scenario, but that's the criticism I'm going to levy, whether you want to engage it or not.
The fundamental problem here is composability versus platform. My critique is not of TUF, of which I am not only familiar but excited. My critique is that organizationally at Docker, you take a problem like "sign an image," which is a perfectly useful primitive in every software distribution system on the planet, and say "that's not enough. We need a platform." You are dictating how my updating infrastructure works and then saying you've solved signatures. Which is technically accurate, I suppose.
I'm also pretty much over critique of Docker being cast as my not getting and/or understanding it. Believe me, Solomon, I get it, and I understand that you want to caricature everyone who disagrees with your strategy as biased against you. (That's actually the third time I can recall you making my criticism of Docker personal. I have no anti-Docker bias. I believe others are implementing what you're working on better and you've simply got the warchest, which is vastly different than having a bias. I used the shit out of ZeroRPC and I've respected a whole lot of your work since then. Come on.)[0]
We're talking about signing a file. Signing. A file. Which I cannot do without a whole shitload of infrastructure that I do not want (including MySQL, apparently), which is a systemic issue with Docker all the way back to dockerd.
Edit: [0]: 484 days ago we discussed exactly this, and here we are again, condescending criticism: https://news.ycombinator.com/item?id=8789181
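The reply's "spec" (verify integrity and authenticity of an image with a detached signature) and the rationale it pushes back on ("signatures are not useful alone") can both be shown in a few lines. The following is an added example written for this thread; it is not code from Docker, Notary or TUF. It assumes Ed25519 keys, a constructed byte string standing in for an image archive, and a signed statement that carries a version number alongside the SHA-256 digest, which is the smallest piece of freshness metadata a verifier needs to refuse a replayed, validly-signed older archive (the class of problem TUF's extra machinery is there to address).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Statement is the payload a publisher signs and ships beside an image
// archive: the SHA-256 of the archive plus a monotonically increasing
// version, so a verifier can refuse an older, still-validly-signed archive.
type Statement struct {
	Version uint64
	Digest  string // hex-encoded SHA-256 of the archive bytes
}

// Detached is a detached signature: the statement and the Ed25519
// signature over its canonical encoding. The archive itself is unchanged.
type Detached struct {
	Stmt      Statement
	Signature []byte
}

// encode produces the exact bytes that are signed and later verified.
// Signer and verifier must agree on this encoding byte for byte.
func encode(s Statement) []byte {
	return []byte(fmt.Sprintf("version=%d\ndigest=%s\n", s.Version, s.Digest))
}

// Sign hashes the archive and signs the resulting statement.
func Sign(priv ed25519.PrivateKey, version uint64, archive []byte) Detached {
	sum := sha256.Sum256(archive)
	st := Statement{Version: version, Digest: hex.EncodeToString(sum[:])}
	return Detached{Stmt: st, Signature: ed25519.Sign(priv, encode(st))}
}

var (
	ErrBadSignature = errors.New("signature does not verify under the trusted key")
	ErrDigest       = errors.New("archive digest differs from the signed digest")
	ErrRollback     = errors.New("signed version is older than the last accepted version")
)

// Verify checks, in order: the statement is signed by the trusted key
// (authenticity), the archive matches the signed digest (integrity), and
// the version is not a rollback (freshness, which a bare signature
// cannot provide on its own).
func Verify(pub ed25519.PublicKey, archive []byte, d Detached, lastAccepted uint64) error {
	if !ed25519.Verify(pub, encode(d.Stmt), d.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(archive)
	if hex.EncodeToString(sum[:]) != d.Stmt.Digest {
		return ErrDigest
	}
	if d.Stmt.Version < lastAccepted {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an image tarball; any byte string works.
	archive := []byte("constructed stand-in for an image tarball")
	d := Sign(priv, 2, archive)

	fmt.Println("genuine archive, version 2 after 1:", Verify(pub, archive, d, 1))
	tampered := append([]byte("x"), archive...)
	fmt.Println("tampered archive:", Verify(pub, tampered, d, 1))
	fmt.Println("replayed version 2 after 3:", Verify(pub, archive, d, 3))
}
```

The digest check alone is what "point gpg at the file" gives you; the `lastAccepted` argument is the part a client has to persist itself (or get from a framework like TUF) before a detached signature protects against being served yesterday's image.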