
What "validating" does docker/podman pull do that is in excess of a curl of a file?

One of the advantages of a real package manager is that it checks signatures on the content that is downloaded. The supply chain on a Linux distro's package repos is much harder to break into than typosquatting into a docker registry somewhere.



> What "validating" does docker/podman pull do that is in excess of a curl of a file?

Every single thing has a sha hash so verifying that I actually downloaded what I meant to download is easy. This gets tedious if I have to `curl https://github.com/someUser/someProject/release/latest.tar.g...` and also get the `tar.gz.sha256` file (if they even publish one ...).

Curl supports resuming a partial file (assuming the sending server also does) but it can't "know" ahead of time that the first 1/3 of the file I am downloading has already been fetched because it's also used by $someOtherArtifact.

> One of the advantages of a real package manager is that it checks signatures on the content that is downloaded.

So does docker/podman.

> The supply chain on a linux distro's package repos is much harder to break into than typosquatting into a docker registry somewhere.

Perhaps. For every "secure" package repo, I'll show you a much more up-to-date package in AUR/Nix.
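The two mechanisms the reply leans on (every blob is addressed by its SHA-256 digest, and a blob already present locally is never fetched again) can be sketched in a few dozen lines. The following is an added example, not docker's or podman's own code and not an implementation of the OCI distribution spec; it models a manifest as a list of `sha256:<hex>` layer digests, a local blob store that refuses content whose hash does not match, and a `pull_image` routine that skips layers it already has. All names (`LayerStore`, `pull_image`, `REGISTRY`) and the layer bytes are constructed for illustration.

```python
import hashlib
import hmac

def digest_of(data: bytes) -> str:
    """Content address of a blob in the form registries use: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verify_blob(expected: str, data: bytes) -> bool:
    """True only if the fetched bytes hash to the digest the manifest promised."""
    algo, _, hexdigest = expected.partition(":")
    if algo != "sha256" or not hexdigest:
        return False  # unknown or malformed digest string: never trust it
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, hexdigest)

class LayerStore:
    """Local content-addressed blob store (assumed structure, in-memory for the example)."""
    def __init__(self):
        self._blobs = {}

    def has(self, digest: str) -> bool:
        return digest in self._blobs

    def put(self, digest: str, data: bytes) -> None:
        # The digest is the only key; mismatched bytes are rejected before storage.
        if not verify_blob(digest, data):
            raise ValueError(f"digest mismatch for {digest}")
        self._blobs[digest] = data

def pull_image(manifest: dict, fetch, store: LayerStore) -> list:
    """Fetch and verify each layer the manifest lists, skipping layers already in the store.
    Returns the digests that were actually downloaded (the rest were deduplicated)."""
    fetched = []
    for layer in manifest["layers"]:
        digest = layer["digest"]
        if store.has(digest):
            continue  # shared base layer: already verified and on disk, no re-download
        data = fetch(digest)
        store.put(digest, data)  # raises on tampering; nothing unverified lands in the store
        fetched.append(digest)
    return fetched

# Constructed sample layers standing in for rootfs and application tarballs.
BASE_LAYER = b"constructed base layer: rootfs tarball bytes"
APP_A_LAYER = b"constructed layer: application A binaries"
APP_B_LAYER = b"constructed layer: application B binaries"

def make_manifest(*layers: bytes) -> dict:
    """Build a minimal manifest: every layer is referenced only by digest and size."""
    return {"schemaVersion": 2,
            "layers": [{"digest": digest_of(b), "size": len(b)} for b in layers]}

# Constructed stand-in for a registry: blobs looked up by their digest.
REGISTRY = {digest_of(b): b for b in (BASE_LAYER, APP_A_LAYER, APP_B_LAYER)}

def honest_fetch(digest: str) -> bytes:
    return REGISTRY[digest]

def tampering_fetch(digest: str) -> bytes:
    """Simulates a blob altered after the manifest was published."""
    return REGISTRY[digest] + b" (modified)"

def demo() -> dict:
    store = LayerStore()
    first = pull_image(make_manifest(BASE_LAYER, APP_A_LAYER), honest_fetch, store)
    second = pull_image(make_manifest(BASE_LAYER, APP_B_LAYER), honest_fetch, store)
    fresh = LayerStore()
    try:
        pull_image(make_manifest(BASE_LAYER), tampering_fetch, fresh)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "first_pull_fetched": len(first),    # both layers downloaded
        "second_pull_fetched": len(second),  # only APP_B: base layer deduplicated
        "tamper_rejected": rejected,
        "tampered_blob_stored": fresh.has(digest_of(BASE_LAYER)),
    }

if __name__ == "__main__":
    print(demo())
```

The digest check proves only that the bytes match the manifest; it says nothing about whether the manifest itself is the one the publisher intended. That is what the separate signature layer (image signing, or pinning the manifest digest in the image reference) is for, which is the point the "So does docker/podman" reply is making.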





