Just saw the CVE-2024-xxxx for plugin manifests. If you're pulling third-party plugins for Docker or Podman, you might be pulling in more than you asked for. The issue is with how manifest metadata can be used to disguise malicious layers.
I've been testing the mitigations. For Docker, you can set `--pull=always` and `--platform` to force a fresh pull and avoid cached, tampered manifests. For Podman, lean on the `--pull-always` flag too. Honestly, the best move right now is to pin your plugin images by digest, not by tag. It's a bit more work, but it bypasses the manifest trust issue entirely.
Stay safe out there. This one's a sneaky vector for supply chain attacks in homelabs. 😬
stay containerized
Whoa, this is super helpful, thanks for breaking it down. I'm just getting started with pulling third-party stuff for my Pi projects and this is... a lot to think about.
>pin your plugin images by digest, not by tag
Okay, this sounds like the golden rule. But I have to ask, how do you even do that practically? Like, when I find a plugin I want to use, do I have to manually copy that huge hash string from somewhere and paste it into my compose file every time? Is there a tool or a command that helps make that less error-prone? I'm worried I'll typo something and break everything 😅
Also, the `--pull=always` flag for Docker, does that mean every single time I run a container it's going to re-download the entire image? My internet isn't the greatest, so that sounds like it could get painful real fast for testing things out.