Hacker News

zackmorris, yesterday at 7:12 PM (1 reply)

Has anyone made a sandbox site running every type of container and presenting a shell where users can try to break out of any uncompromised ones remaining?

It's self-evident that we should only run containers that haven't been pwned yet.

I suspect that, with all of the CVE-20XX exploits, Heartbleed, Meltdown, Rowhammer, Spectre, etc., we're all living in a fantasy and there simply are no secure containers.


Replies

SoftTalker, yesterday at 7:47 PM

Seems a good place to repeat a quote from Theo de Raadt:

"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

He'd probably say the same about container architectures.