Is this a stab at the fact that there's no hashing? Or that the credentials are pointless when you could just generate a random url to authenticate, since the HTTP channel is encrypted anyway?
If you do benchmarks you should also keep in mind that EC2 micro instances are terrible because they have highly variable CPU speeds which will be greatly reduced if the CPU load is high for a short time.
On the bright side, this project acknowledges the killer issue with these kinds of marketplaces: scalably managing quality, scope, and disputes.
But on the other hand, I see nothing but assurances and a woefully low cut that I can't imagine could keep this train chugging without shoveling time (=money) into the furnace. At ~$140 revenue a pop, if even 4% of projects go off the rails, the "insurance" policy already puts the company in the red -- forget profit.
There is a huge problem to solve here, for sure. I want someone to solve it. But I'm not seeing a solution.
Perhaps it's worth considering that maybe the reason that checklists aren't the norm in the FOSS "meritocracy" is that they hinder progress, for a certain value of progress. Maybe there was a stealth project that could have been OpenSSL, developed with strict adherence to checklists, but OpenSSL won because it didn't have that burden? I suspect this applies more broadly to startups, too.
Maybe checklists are a silent killer in the natural selection of the software ecosystem, and that's why so much of our software is tripping over peacock feathers?
First, in the real world private registries are used for builds containing source, sensitive keys, and so forth. There is a use case here.
But second, no enterprisey company will use a service that bills like this, because:
- $4 and $250 per month all rounds down to zero, so it's not a selling point
- $4 signals no support when the shit inevitably hits the fan
- $4 signals this company will tank along with your data in a month
An enterprise company with actual money will take an hour or two of dev time to boot up one of the open source registries (https://github.com/dotcloud/docker-registry) and stay in control.
Source: working at a Docker startup for almost a year
I've worked with organizations where it would be impossible to get a $5 DigitalOcean box, while, at the same time, a $1,000 subscription for something would not be an issue. Enterprise companies would rather pay you a hundred times what you think is a reasonable price, if it can save them time.
I assure you we've debated this a lot before putting out that pricing. There is a way to do this and do this well. For us pricing docker hosting competitively is the best way to do it, especially for a startup ecosystem that is only just beginning to wake up to the potential of docker-based testing and deployment.
If you are interested in the corporate market, you probably will want to offer a special 'Enterprise' pricing plan that includes 'Enterprise-y' features at a higher price point [e.g. $249 / 250 repository minimum]
We will. But we won't be offering an enterprise plan while we're in beta :)
Sure, we're sending a signal that we're not ready for enterprise folks. I can be candid in saying that we'd rather be the DigitalOcean of dockers than an AWS at this point :p
Because space isn't this thing where you eject stuff like a garbage chute.
I recommend reading up on rocketry, orbital mechanics, and modern space programs because a) it's really cool stuff! and b) you'd quickly realize how ridiculous, dangerous, and counterproductive this suggestion is.
Just classic marketing psychology, of the "stopped beating your wife yet?" variety. By pondering why Google missed the forecast you automagically dump the blame on Google instead of the shitty forecast.
Vocab is hardly more twisted now, though; journalism has always chosen its words deliberately.
Except the cups must be recycled where you bought them, and when they accidentally turn out to be super toxic Bob insists the recycling fee was clearly posted.
I don't know who's right here, but it's definitely not that simple.
It really is that simple. Bob didn't know the cups were toxic, there's no way he could have known, every lemonade stand had toxic cups, and he didn't raise the price of recycling in response. Bob isn't responsible for letting people off the hook due to circumstances outside of his control.
Well, this is not like the first time the TLS stack has a disastrous vulnerability. I think that giving out free certificates and charging for revocations is bad business since it sets bad incentives. Better then to charge upfront for issuing the certificates.
Well, I’d say the most valuable data is generally TLS-protected. E.g. Gmail, Outlook.com, Dropbox, etc. I sure would like to see even better TLS adoption rates than what the web currently has, but I don’t think that we should compromise the trustworthiness of the certificates in order to achieve this goal.
What makes the CA-issued certificates trustworthy is that they are in fact verified to belong to the legitimate owner of the domain. Doing the verification and maintaining the CA’s infrastructure is not free so I don’t think it’s very surprising that the vendors charge for their service.
"What makes the CA-issued certificates trustworthy is that they are in fact verified" ahahaha good one.
You should read about the history of Certstar, the Comodo RA. Why take money, expend resources to verify the information and issue the certificate when you can shortcut the verifications...
No matter how you look at it, the CA system is full of perverse incentives...
First off, TLS is crypto bread-and-butter that's used for a lot more than HTTPS. You're not out of the woods because you're not running a webserver.
Second, SSH itself doesn't use TLS; it has its own protocol, so sshd isn't vulnerable.
But third, read overflows like this can be escalated in countless ways to total compromise if some credential, key, canary, or such gets leaked. So just because sshd isn't vulnerable doesn't mean you're not screwed.