> I think that Docker is a great time saver for those who want just to play with a new piece of software, and don't have the time to learn all the details of some arcane install procedure.
That's true, but if you do that in production you're running untrusted code that could do pretty much anything.
If you don't have your own Docker registry full of containers you either made yourself or have audited yourself, you might as well let anyone in the world run their code on your servers.
And if you do have your own registry, it's a lot of work and it involves chasing down libraries and working with arcane install procedures. You can't really trust the public base images unless you fork them and audit them yourself, or just create your own.
At some point you need to take responsibility for your own stack. Docker is fine for messing around on your laptop but the real work starts when you need to get past that.
But if you are not reviewing every other piece of code that you run without Docker, it’s not much different from running it in Docker without reviewing the base image / images pulled in as dependencies.