by otterley 3443 days ago
Can you please take some time here to explain why their post was incorrect, with a brief technical explanation of why SELinux enforcement failed to stop the attack that exploits the particular vulnerability?

I realize you're busy, but it would be much more helpful than a curt statement that simply claims they are wrong.

Especially given Docker Inc.'s history of counterproductive Red Hat hostility.
This shouldn't be downvoted. Docker has been very openly history towards Red Hat in the past. To the point of openly mocking their developers at DockerCon.
Hi, I'm the founder of Docker. It's not my place to say whether comments should be downvoted or not, and I don't want to ignite teenage-drama arguments over who was mean to whom at recess - we get enough of that level of discourse on the US political scene these days.

But I think there is an interesting topic to address here, that we deal with a lot at Docker.

The problem in a nutshell: if you choose to take the moral high ground and only promote your products with positive marketing (and that is our strategy at Docker - you will never see any Docker marketing content criticizing competitors), you are vulnerable to bullying and unfair criticism by competitors who don't mind hitting under the belt. Then the question is: do you allow yourself to respond and set the record straight? Or would that just legitimize the criticism by bringing more attention to it? On the other hand, not responding is also risky because it emboldens the trolls to take more and more liberties with facts and ethics. This dilemma becomes more and more pressing as you become more successful and more incumbents start considering you a possible threat to their business. Some of these incumbents have been defending their turf for decades by perfecting negative messaging. Like one competing executive once told me - "we eat startups like yours for breakfast". This situation can be bad for morale also, because your team sees their work and reputation dragged in the mud, and can interpret their employer's silence as a failure to stand up and defend them.

The most perverse variation of this problem is when trolls start preemptively painting you as bullies. If that narrative sticks, then you're in trouble, because any attempt to set the record straight will be interpreted as hostility. Now you have two problems: defending yourself against the bullies AND defending yourself against unfair accusations of being a bully.

The root cause of the problem, I think, is the diminishing importance of facts and critical reasoning in the tech community. We are all guilty of this: when was the last time you repeated a factoid about "X doesn't scale", "Y isn't secure", "I heard Z is really evil" without fact-checking it yourself? Be honest. Because of this collective failure to do our own thinking and researching, bullies have a huge first-mover advantage.

I see a direct parallel between the problem of corporate bullying in tech and the problem of partisan bullying in politics. And I think in both cases, there is a big unresolved problem: how do you succeed and do the right thing? How do we collectively change the rules of the game to make bullying and negative communication a less attractive strategy?

I tried really hard to make this a constructive post about a topic I care about. If you interpret any of this as hostile or defensive, that is not at all the intention.

When the top comment is a claim that we at Red Hat post incorrect information and that we at Red Hat are expected to delete said supposedly incorrect information without any technical explanation on why said information is incorrect, I do wonder who is the bully in your opinion.

I posted this entry and I work at Red Hat.

The post is in fact incorrect. The reason Nathan is not sharing more technical details is to protect the security of Red Hat users.

Also, if hypothetically the full details made Red Hat look bad, is it fair to assume you would be calling Nathan hostile for sharing them? In that scenario is there any course of action we could follow that would satisfy you?

The article is about how SELinux helps in mitigating or even blocking paths that would lead to a working exploit.

The article explicitly states the CVE number and the fact that updated packages are available.

The article IMHO doesn't attack nor provoke Docker and its people. Yet the first comment posted here DOES contain direct accusations against Red Hat. I don't think that's helpful nor needed. That's all.

I still think that SELinux and Docker are a good combination and this article helps in understanding why.

Work with RedHat and let them issue a correction; HN seems like hardly the forum to be calling this out in such a manner. The fact that you even made the "bully" post leads me to believe that Docker views RedHat as a threat and their post promoting SELinux as an affront to Docker. I'd wager it didn't appear that way to the many individuals that understand both the benefits of systems like SELinux and AppArmor, as well as the difficulty in promoting them. Very interesting at the least; one could read a lot into that.

Honestly, Docker stepped in it here. This appears to be a theme, and with your posts in particular. I personally can't think of another project that causes more drama on HN.

>The reason Nathan is not sharing more technical details is to protect the security of Red Hat users.

Security through obscurity?

> you will never see any Docker marketing content criticizing competitors

http://img.scoop.it/vr-SoyYI8yKYsOf0vxriWrnTzqrqzN7Y9aBZTaXo..., from http://www.docker.com/sites/default/files/WP_IntrotoContaine... (page 9)

Don't know if it was marketing material when you published it in that whitepaper, but it definitely became marketing material when the @Docker twitter account tweeted it (https://twitter.com/docker/status/768232653665558528).

I don't think the material you're referring to qualifies as criticizing competitors at all.

- The comparison table is part of an independent study, not authored or commissioned by Docker.

- The table shows the strengths and weaknesses of different container runtimes; weaknesses are highlighted for all of them, including Docker.

- The table is used in Docker material to illustrate the point that independent security researchers consider Docker secure. Nowhere do we make the point that other products are insecure. I encourage you to read the whole material and decide for yourself.

- The context for this material was to respond to a massive communication campaign painting Docker as insecure.

Even when written, the study made inaccurate claims about rkt (the SELinux support in rkt is identical to that in Docker, because rkt uses the same code from libcontainer - there is literally no difference there). It certainly wasn't an accurate depiction of rkt's state of security as of August.

(Disclaimer: I implemented some, but definitely not all, of those security features in rkt, and I currently work at CoreOS)

Come on. This comes across as entirely disingenuous.

"This was independent, not authored or commissioned by us." - "the fact that we posted it on our Twitter as "why your containers are safer with Docker", posted a lengthy blog article in no way means we were criticizing competitors..."

"Nowhere do we make the point that other products are insecure." No, just "less secure".

"The context we were in was responding to a massive communication campaign ... " - so you were responding to criticism by what, exactly? Oh, yeah, that independent study that you just decided to post about?

Haters gonna hate, man. It's fine to correct misinformation, but in the long run -- and whether they say so or not -- there's much greater respect earned in taking the high ground and not dragging oneself down into the muck of name-calling, ascribing malicious intent to others, and other ill behaviors.

If I were your counselor, I'd advise you to do nothing other than stick to the facts; make the best product you can; delight your customers; take pride in the great work you do; and apologize openly and honestly when you make avoidable mistakes. You can't make everyone happy, so focus on the people you can, and aim to exceed their expectations.

>Haters gonna hate, man. It's fine to correct misinformation, but in the long run -- and whether they say so or not -- there's much greater respect earned in taking the high ground and not dragging oneself down into the muck of name-calling, ascribing malicious intent to others, and other ill behaviors.

This is a naive perspective that doesn't bear out in the real world. It's important to know that by taking the "high road", you are putting yourself at a competitive disadvantage. Someday, those with fewer scruples may have to pay the piper and their dubiously-maintained prosperity may disintegrate ... but then again, maybe not.

Most often, the truth is that large companies are pretty ruthless, and have consolidated such a huge amount of control that it's extremely difficult to do anything about anything they do or have done. They control the messaging, they have a reputation that supersedes any complaint an individual may make, etc. Those companies do slowly atrophy, but usually it's more because they've lost sight of the founder's vision that originally connected with the masses than that they're engaging in questionable tactics.

If you're taking a position out of principle, that has to suffice for itself, because it probably will cost you in material terms.

That whole thing with the docker developer smugly wearing a name badge with 'I reject red hat patches' was just sad.

That's a funny comment, because you are "taking liberties with facts" exactly as lamented by shykes above.

You start with a grain of truth — something that actually happened in reality. In this case, it was a joke protesting systemd hegemony.

Perhaps you thought that joke was in poor taste. But let's leave that aside for now.

So you start with an actual fact. Then, you exaggerate/falsify it, changing the details pretty wildly, and present this story of something that supposedly happened. In fact, nothing like that happened... but it sort of feels like something that might have happened. It vaguely resembles the actual event that did happen (in that, a Docker employee did wear a badge with an opinionated phrase on it at a conference).

The key thing, though, is that what you describe is completely and utterly different from the thing that actually happened in reality world[1].

You might not even be the person who changed the details to make the story more compelling (and false). Maybe you got this information from a post shared on Facebook, or from an email forwarded by your uncle.

Either way, though, the impact of your comment is to pollute the body of discussion and degrade the collective understanding of this topic. (If this process feels familiar, it's because it is exactly the process that eventually caused the failure of the American democracy... just at a much smaller scale).

Personally I don't have any stake in the Docker/RedHat relationship and I don't care about it. I only looked up what actually happened[1] because the idea of a Docker employee wearing an official badge that says "I reject red hat patches" seemed so unlikely to have occurred that it sent my bullshitometer into the red.

Suggestion: when something smells like bullshit, don't eat it without conducting a bit of research.

[1]: https://www.facebook.com/hackerspace.budapest/photos/a.40703...

That badge seems pretty unprofessional to me. I would discipline my employees for that sort of behavior, especially if it occurred at my own conference.

Well, I don't disagree. If I were in charge at Docker, I would be embarrassed and very annoyed by that badge.

But not nearly as furious as I'd be had it actually read "I reject red hat patches" as claimed above.

Meh...I wouldn't. It's definitely an ingroup-humor signaling thing, but I find it hard to believe that someone would read that and seriously get offended unless they're being self-righteous.

This isn't even true. The badge, which was a joke btw, said "I say no to systemd specific PRs."

Very openly history?

> Very openly history?

Given krakensden's posting (https://news.ycombinator.com/item?id=13399853):

> Especially given Docker Inc.'s history of counterproductive Red Hat hostility.

I think that it is clear that andrewguenther meant 'hostile' instead of 'history' in (https://news.ycombinator.com/item?id=13400383):

> Docker has been very openly history towards Red Hat in the past.

Let he who has never typed a passing thought rather than the word he meant cast the first stone.

Guessing "hostile" was intended.

We're working with Red Hat now. Folks can expect more technical details when everyone is on the same page.

That said, the solution is the same as with every other piece of software -- update to latest to get security fixes.