[px43]

> Docker containers aren't provably secure.

Not only are they not provably secure (very few things are), they are explicitly not intended for use as a security boundary. Their whole gimmick is lightweight containers you can use instead of VMs if you trust everyone who's going to run code under them.

[airhead969]

To disambiguate: I don't mean formal verification like seL4, I mean it hasn't been thoroughly audited to show it is reasonably secure. Docker security of images and running containers is pretty shit as I brought up on GH in the beginning. Developers just shrugged it off and focused on whiz-bang features.

The conflation of what amounts to fancy Linux cgroups trickery with hypervisors is a depressing misunderstanding of isolation.