I have no idea about their internals but I’m curious how many people used Docker’s own registry offering as their repo manager of choice because it’s configured to look up the Docker registry by default. Easier to set up pipelines and dev env workflows etc.
If this move means that people have to now manage access to multiple registries like quay and ghcr, will that also incentivize people to go ahead and try migrating to these other registries? Especially given that Docker's own registry has such poor permission management.
The problem runs much deeper than that. Most of what Docker offers is commodity software. You can get docker image hosting from a variety of sources and hosting your own registry isn't that hard. All you need is a docker container and some file storage or bucket. Docker for desktop is nice but there are free alternatives.
Docker registries are included with most cloud services (AWS, Azure, Gcloud, Digital Ocean) and you can use those to self host as well without too many issues. GitHub and GitLab offer docker registries as well. As do lots of other companies. Mostly, those services make money from other things than hosting docker images. That's just a low value commodity that they need to offer the really interesting stuff. If you are going to charge people for some expensive kubernetes cluster, they need a place to dump their container images. So you offer that for free. It's just a few GB of storage. It literally is a rounding error on the total bill. It does not matter. Charging for that does not make sense.
That's the problem Docker has right now: they need companies to pay them absurd amounts of money for something that is essentially a low value commodity and they don't really have anything with a lot of value that they could charge for instead. And the harder they insist people need to pay, the more they erode their position as a leader in this space (which arguably they lost years ago). While it was free and convenient, people used them. But now that that's no longer the case, people engineer around them. They are throwing the baby out with the bathwater. The one asset they still had (people treating them as the de facto place to park docker containers) is basically being lost. And as soon as that stops, it's going to get harder for them to gain new customers or even retain existing ones.
Contrast that with GitHub that used to charge for stuff that they now give away for free. I paid for it back in the day. And now I don't. Except GitHub is making loads of money from companies that outgrow the freemium tier. And they have a steady supply of happy freemium users using their services for free transitioning to valuable paid services. And they get to host the entirety (well, close to it) of the software developer population on this planet. It's the largest professional network outside of LinkedIn. Which of course MS also owns. It would be madness to incentivize users to not use that by charging for it. It's way too valuable for that.
Speaking of MS, they should just buy out Docker. Fire the management. Get rid of their sales department and revitalize Docker and Docker Hub development and integrate it into GitHub. It's so complementary to GitHub that it's a no-brainer. And probably investors are getting fed up with the way things are going at Docker. I imagine this could be a relatively cheap acquisition for them. This isn't OpenAI, LinkedIn, or GitHub.
Very much so. Write first for yourself. Write to your own standard of quality. A borrowed standard is one never fully understood, nor knowingly achieved.
Does this passwordless future still involve getting a cookie in your browser that can be stolen and used from an attacker's machine? If so, we still have a problem to fix.
This is no way to defend against inside threats. Any real threats will use other means of communication. Meanwhile this is just treating everybody as if they can't be trusted.
Have you never worked for a bank or financial company? Never had to take a drug test for your programming job?
US Federal law and the hundreds of billions of dollars spent on audit, insider trading, cyber security, and exfiltration tools STRONGLY point to a corporate culture that is obsessed with defending against internal threats, because that’s the highest source of risk.
Sure, highest source of risk. What’s the risk that, say, the FBI director is going to run a borderline op where he selectively exfiltrates information to the press? Still an insider or no?
This is the whole point of culture and society. Mass surveillance didn’t/doesn’t work for the NSA/CIA and it sure isn’t going to work for corporate paymasters either.
Suing a journalist is not a good look. I wonder what other vendors out there will take up some market share from them after this nonsense is over. Hopefully in the end this turns into a net positive for Krebs.
That's just a reality of corporate disclosures, I'm afraid. No one is going to let something like this go to press without a full round of legal and PR editing.
I think there are two ways about it though. Most "good" companies (e.g. Cloudflare) will try to be transparent and proactive without taking on liability.
In this case it reads as though Okta are obfuscating the truth, and that's not good.
Besides the opening it doesn't appear to have moved very much. I wonder if LAPSUS$ have short positions open and are frustrated it's not moving which is why they're posting responses to Okta and then updated their response with more information (as linked above).