В Финляндии предупредили об опасном шаге ЕС против России09:28
This extends Google’s gatekeeping authority beyond its own marketplace into distribution channels where it has no legitimate operational role. Developers who choose not to use Google’s services should not be forced to register with, and submit to the judgement of, Google. Centralizing the registration of all applications worldwide also gives Google newfound powers to completely disable any app it wants to, for any reason, for the entire Android ecosystem.
。关于这个话题,51吃瓜提供了深入分析
Docker applies a default seccomp profile that blocks around 40 to 50 syscalls. This meaningfully reduces the attack surface. But the key limitation is that seccomp is a filter on the same kernel. The syscalls you allow still enter the host kernel’s code paths. If there is a vulnerability in the write implementation, or in the network stack, or in any allowed syscall path, seccomp does not help.
// Each one triggers promise machinery internally
for each pixel in image