Interesting take given your project is mostly an installer with a quick start of trusting a compose file.

You think an unprivileged docker container is more dangerous than a curl to bash with sudo inside? I beg to differ.

If you care to please elaborate as to why I would be better off piping to bash rather than installing per the documentation? I am honestly interested in your take.

Two things here, from my perspective...

First is that trusting my suggestion is no different than trusting the instructions in your repo. Both can equally harbor nefarious things. So, the question is: do I trust Docker's script over someone that was just on the front page of HN? Probably.

To address the technical side - there are a number of things that can be improved from a security point of view in your compose file:

1) Restrict any new privs. security_opt: - no-new-privileges

2) Drop all privs then selectively add. cap_drop: - ALL cap_add: - NETADMIN

3) Limit CPU and memory. deploy: resources: limits: cpus: '0.50' memory: 50M reservations: cpus: '0.25' memory: 20M

4) Change the running users - looks like all the containers are running as root, which is no different from the system user.

There are others, but.. Just because the container isn't explicitly 'privileged' doesn't mean it's operationally safe.

I understand that it’s better to have less dependencies. And I understand that a pipe to bash thing can do more than a naive user would think. But the header of get.docker.com doesn’t pipe directly to bash anymore. You can inspect the downloaded shell script or compare hashes.

The problem is where do we automate the pulling of the hash to verify against? I do not know of a source.