
Posted by dimastopel 2 days ago

Minimus container images are now free(images.minimus.io)
132 points | 77 comments (page 2)
rustyturtle 1 day ago|
Used Bitnami images and charts that depended on them, then they pulled them back after being bought by Broadcom, causing headaches. Not getting bit by the rug pull again, sorry.
csnoob 1 day ago||
Is the CLI open source? What about the images themselves?

An easy comparison is Wolfi, which is completely open source.

crabique 2 days ago||
Is their ingress-nginx-controller image similar to that of Chainguard: a drop-in replacement with the CVEs fixed?
greggsy 2 days ago||
I see this is a packaging service with greater traceability and velocity than the rando images on docker hub.

I believe that they will always supply the bleeding edge stable release, but it will always be your responsibility to monitor and manage issues like CVEs, rather than expecting them to do it for you.

crabique 1 day ago||
This particular image is a bit different though.

By CVEs I mean the architectural stuff that was discovered after the original ingress-nginx repo was archived, so there is no "official" mitigation and it's not just a matter of bumping dependencies, the fixes are actual code.

Chainguard forked the repo and is maintaining their own distribution now, but it's not free.

stamod1 2 days ago||
yes it is
alfanick 2 days ago||
I truly don't get this. What is the security policy here? Why should I trust images built by minimus.io? How do I know they don't contain malicious software? What's the point?
morellonet 2 days ago|
We build all these images directly from upstream source across thousands of projects and assemble them into standard OCI images for you. We do this continuously, every time there are new versions released upstream.

The point is that you can just use these images instead of what you already have and reduce your vulnerabilities by 97%+ on average.

Think Docker Hub, just without the vulnerabilities.

alfanick 2 days ago||
Pinky promise? How do you prove that what I download from you is actually what you promise you've built (and that the SBOM is right)? Is this certified with some digital signature?

From my threat attack model, you're just yet another liability - one single service to hack all your "safe" images.

morellonet 1 day ago||
Sure, but you could make the same argument for literally any software that you're getting that was built by someone else and have not personally inspected each line of source in. For example, you could make the same argument about RHEL or any image on Docker Hub or literally anything you're not building yourself.

Respect your viewpoint, and if these images aren't for you, that's totally fine of course. Many others find it useful to have someone else doing the commoditized but hard work of building thousands of components from source continuously, assembling them into ready-to-run images, signing, and being as open as possible about their state and configuration.

2OEH8eoCRo0 2 days ago||
Supply chain attack waiting to happen
kitd 1 day ago||
How? If this, then so is DHI.
alfanick 2 days ago||
Maybe it's their business model? Sell to a bunch of people and hook them in, then "get hacked", whoops sorry.

Edit: honestly I'm flagging this post. This really looks like fishing for customers to make them vulnerable in future.

morellonet 1 day ago|||
Not sure what you mean here. We have many enterprise customers, in industries including government, health care, and financial services around the world. The whole value of the product is helping them avoid all the risk and work associated with poorly maintained container images. We publish a full SBOM for every image so you can see exactly what's inside of it. We've worked across the industry and OSS communities to enable scanning support as well, so you can easily use whatever scanning tools you currently use (e.g. Wiz, AWS Inspector, Grype, etc.) to check our images.
csnoob 21 hours ago||
How can we trust the image if we don't know what is inside? An SBOM says what packages are installed, but what is in the packages?

Alpine/Debian packages show you the code that compiles the package from source; do you have that as well?
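The two questions raised in this sub-thread (does the signed SBOM really describe the bytes I pulled, and which of its packages can I actually trace back to upstream source) are both checkable offline once you have the SBOM in hand. The following is an added example, not tooling from Minimus or anyone in the thread; it assumes an SPDX 2.3 JSON SBOM, a digest string in the `sha256:<hex>` form that registries and `docker inspect` report, and a constructed sample document with a made-up image digest and a fictitious `vendored-blob` package. Verifying the signature on the SBOM itself (for example with a cosign attestation) is a separate step that is assumed to have already happened.

```python
"""Sanity-check an SPDX JSON SBOM against the image digest you actually pulled.

Hypothetical helper written for this thread; not Minimus's or any vendor's code.
It answers two consumer-side questions without network access:
  1. Does this SBOM describe the exact image digest I am about to run?
  2. Which components cannot be followed back to upstream source (no
     downloadLocation and no purl), i.e. where "trust the SBOM" silently
     becomes "trust the builder"?
"""
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sample values; not a real image, digest or SBOM.
CONSTRUCTED_DIGEST = hashlib.sha256(b"constructed-image-manifest").hexdigest()

SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image-sbom",
    "documentDescribes": ["SPDXRef-Package-image"],
    "packages": [
        {   # the image itself: the artifact the document describes
            "name": "example.invalid/app",
            "SPDXID": "SPDXRef-Package-image",
            "versionInfo": "1.2.3",
            "downloadLocation": "NOASSERTION",
            "checksums": [{"algorithm": "SHA256", "checksumValue": CONSTRUCTED_DIGEST}],
        },
        {   # a component with a source URL and a purl: traceable
            "name": "openssl",
            "SPDXID": "SPDXRef-Package-openssl",
            "versionInfo": "3.0.0",
            "downloadLocation": "https://example.invalid/src/openssl-3.0.0.tar.gz",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:apk/example/openssl@3.0.0"}],
        },
        {   # a component with neither: you cannot check what went into it
            "name": "vendored-blob",
            "SPDXID": "SPDXRef-Package-blob",
            "versionInfo": "0.1",
            "downloadLocation": "NOASSERTION",
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-image"},
    ],
})

NO_SOURCE = {"NOASSERTION", "NONE", ""}


def described_package(sbom: Dict) -> Dict:
    """Return the package the document DESCRIBES, via documentDescribes or a DESCRIBES relationship."""
    ids = set(sbom.get("documentDescribes", []))
    for rel in sbom.get("relationships", []):
        if rel.get("spdxElementId") == sbom.get("SPDXID") and rel.get("relationshipType") == "DESCRIBES":
            ids.add(rel.get("relatedSpdxElement"))
    for pkg in sbom.get("packages", []):
        if pkg.get("SPDXID") in ids:
            return pkg
    raise ValueError("SBOM does not say which package it describes")


def subject_sha256(sbom: Dict) -> Optional[str]:
    """SHA256 the SBOM claims for the described image, or None if it records none."""
    for c in described_package(sbom).get("checksums", []):
        if c.get("algorithm") == "SHA256":
            return c["checksumValue"].lower()
    return None


def digest_matches(sbom: Dict, pulled_digest: str) -> bool:
    """Compare the SBOM's subject digest with the 'sha256:<hex>' digest your runtime reports."""
    algo, _, hexpart = pulled_digest.partition(":")
    if algo != "sha256" or len(hexpart) != 64:
        raise ValueError("expected a 'sha256:<64 hex chars>' digest")
    subject = subject_sha256(sbom)
    return subject is not None and subject == hexpart.lower()


def untraceable_packages(sbom: Dict) -> List[str]:
    """Components with no download location and no purl; the image package itself is excluded."""
    image_id = described_package(sbom).get("SPDXID")
    found = []
    for pkg in sbom.get("packages", []):
        if pkg.get("SPDXID") == image_id:
            continue
        has_purl = any(r.get("referenceType") == "purl" for r in pkg.get("externalRefs", []))
        if pkg.get("downloadLocation", "NOASSERTION") in NO_SOURCE and not has_purl:
            found.append(f"{pkg.get('name')}@{pkg.get('versionInfo', '?')}")
    return found


def audit(sbom_text: str, pulled_digest: str) -> Dict:
    """One-shot report: digest agreement, component count, and untraceable components."""
    sbom = json.loads(sbom_text)
    return {
        "digest_matches": digest_matches(sbom, pulled_digest),
        "component_count": len(sbom.get("packages", [])) - 1,
        "untraceable": untraceable_packages(sbom),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SBOM, "sha256:" + CONSTRUCTED_DIGEST))   # matching digest
    print(audit(SAMPLE_SBOM, "sha256:" + "0" * 64))             # wrong image for this SBOM
```

A mismatch on the first field means the SBOM you were handed is for a different build than the one you pulled, however good it looks; a non-empty `untraceable` list is the set of components for which the "show me the build recipe" question in this thread has no answer in the SBOM alone.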

cedws 2 days ago|||
What are you even talking about?
concerned_ctzn 2 days ago||
good job!
tamimio 2 days ago||
I have no idea what the heck this is; maybe it’s a great product, but a very poor website in telling what I am getting into. Is this better than the usual containers? How? Supported platforms? Can I run it on ARM? The usuals.
morellonet 2 days ago||
It’s a library of near-0-CVE images available to use for free. Think Docker Hub, just without vulnerabilities.

They’re all normal, OCI-compliant images. You can pull them, run them, and build on them like you would any other image.

arm64 and amd64 builds for everything.

alfanick 2 days ago||
> just without vulnerabilities

You surely mean "without known and reported vulnerabilities". I doubt you're proactively fixing the world across thousands of software packages /s

morellonet 1 day ago||
Correct, we are not claiming to be auditing the source of every software package in the world. The value we provide is a minimalistic architecture so you start with a significantly smaller attack surface and continuous builds of upstream so you stay at a near 0 CVE state without the substantial work required to do so yourself. Basically, we help you get all the upstream fixes from across the OSS ecosystem as quickly, safely, and easily as possible.
sara_halper 2 days ago|||
Minimus images support both amd64 and arm64. When you run the docker pull command, it will automatically pull the correct architecture for your system.

You can also review the different SBOMs for the amd64 and arm64 images, for example - https://images.minimus.io/gallery/images/python-fips/lines/3...

assafShapira 2 days ago||
Yes, all the images have ARM64 versions as well as x86_64.
tuananh 2 days ago||
This space is too crowded now. Everyone is copying whatever Chainguard is doing:

- Chainguard Images

- Chainguard Libraries

- Chainguard VM

...

morellonet 1 day ago||
Free markets work :)

With Minimus Community Edition, you now have access to 1,000s of built-from-source, near-0-CVE images without cost or friction.

cedws 2 days ago||
Because Chainguard costs an arm and a leg.
qwer123vbtf 2 days ago||
noice!