Has anyone tried to combine wolfi and slim toolkit (https://github.com/slimtoolkit/slim)? I'm currently building a small image in which I need a few functions of busybox. I tried using slim to minify the image and get rid of unnecessary stuff but I keep running into problems because slim apparently prunes too aggressively and keeps killing things busybox (or other dependencies) seems to need. Now I started wondering if this is actually worth the hassle. Wolfi's whole idea is that it's very secure, does it make sense to prune it down further from a security perspective? Especially given the hassle I've had with it.
Replies: 1 comment
Yes, I would say there's a philosophical difference here. We try to build small images from the start and slim tries to reduce larger images. Both are valid approaches, but we would rather fix any problems by reducing our packages than running slim.

Busybox is an interesting one. From a security perspective it's a pain as there are often powerful utilities in there that attackers can use. We've already removed a lot of functionality from busybox, but we're currently looking at reducing it even further. I don't think slim will help here as it's a single binary; we just need to choose the right compile flags.