Confucius says: man who runs in front of car gets tired; man who runs behind car gets exhausted.

The pun is so bad it made me sigh. Top quality dad joke!

Using containers from public registries is no worse than using third party software. In both cases there’s a risk of malicious code. The big difference is that for containers you can scan the image before running it, SBOMs are becoming ubiquitous so dependency vulnerabilities are easier to detect, and runtime protection software is more effective on containers because each container has a deterministic expected behaviour, making it easier to find deviations. I’d much rather manage runtime controls for containers than craft selinux policies.

The bottom line (which the OP article misses) is that while individual container configurations require more effort to set up the additional work to manage them at scale is low, whereas compliance for host based installs is requiring more and more effort. In fact given how popular curl | sh ... is becoming for host based installs I’d argue that they are regressing in terms of safety and reproducibility.

Many much housen.

Why not both?

Configure port forwarding for the VM.

Stör is German for sturgeon. And it happens to sound like a lot of other words. Stör Wars, stört your engines, etc. The admins let it run for a while and then put a ban on Stör memes, so everything quieted down. Until this week, when c/risa got the Morn/Gorn/Rom bug.

“Drink verification can…”