Comment by ndriscoll
4 months ago
No, it is a defense strategy. For e.g. hobbyists, it's basically irrelevant, and having something on a private LAN is fine. There is almost no chance of an issue. Not everything in the world needs to be maximally secured, and the people who are using those IAM policies are probably not pulling a vanilla image off Dockerhub to run something as fundamental as their storage layer. They probably also have firewalls tightly locking down which machines are able to talk to MinIO on top of token auth.
The cargo-culting around security is so bizarre to me. In a context where e.g. your organization needs to pass audits, it's cheaper/easier to just update stuff and not attempt to analyze everything so you can check the box. For everyone else, most security advisories are just noise that usually aren't relevant to the actual way software is used. Notably, no one in these discussions is even bringing up what the vulnerability is.
Notably, no one in these discussions is even bringing up what the vulnerability is
That's because of two things. The first is that assessment takes a deep dive into the issue, not a summary. Conjoined with the second, in that you must be ready to update if required, without issue.
In every case, it's less time cost even for home lab users to update instead of assess.
If it isn't, you're using terrible software, for example software which pushes security updates along with API and code changes. Such software doesn't take user security seriously, and should be avoided at all costs.
There's no way around it. Just do it right, don't half-ass it with excuses. Don't use terrible software. If it's plugged into a network, zero trust it is.