by Nursie 4083 days ago
>> A container is a container, as long as docker itself has no bug, the container can only harm the container's content.

Presumably a container has network access of some sort? Malicious code could start probing and attacking anything exposed that way.

>> this will be a problem for Docker, VMs, Real-Servers, whatever too.

The implication is that you wouldn't get into this situation with a 'Real-Server' so easily, because you wouldn't just download an image and run it, without having an update/patch strategy or having much more idea of what's going on inside it.


But you assume that a container HAS full network access. A firewall must be configured, but a firewall must be configured for a VM too. My point is that there is not such a huge difference for production systems.

>> But you assume that a container HAS full network access.

No, I'm presuming it has some sort of network access; a malicious container could (for instance) still probe other containers for vulnerabilities, serve malware, etc. without full network access.

>> A firewall must be configured, but a firewall must be configured for a VM too. My point is that there is not such a huge difference for production systems.

If you're downloading VM images from somewhere and running them without checking what's in them you'll run into the same problem, sure.

The problem being pointed out here is that when applications are bundled outside of the purview of a packager like Debian you:

  - don't have as much trust in the origin of the app
  - don't have an easy way to keep up on library patch levels etc. for security