I know I’m just dreaming and this will never happen, but I’d like to share my idea on how to change the software world.
It would be nice if there was an option to mark an image as ‘curated, autoupdated’.
Such images would be viewed as more reliable and trusted.
How should that work?
When marking an image as such, the hub should require the user to provide a link to a git repository with a Dockerfile (+ extra files) to build the image from.
The hub should then manually build the image from the repo and put it on the hub, replacing manually uploaded images.
This should be available only for those images whose base images are already marked as ‘curated, autoupdated’ too, to maintain a chain of trust, so that when a user selects an image with a ‘curated, autoupdated’ badge, he knows that such an image can be trusted.
This would solve two problems at once:
A. Docker images are not really reproducible, because providing a Dockerfile (+ extra necessary files) doesn’t guarantee that the image built by those instructions will be the same as the one built by the same instructions some time ago, because some of the parent images may have received an update.
B. Sometimes (not always, just in some set of cases) users need an option to keep images autoupdated: vulnerabilities are discovered here and there and they usually get patched, but an application image uploaded before a patch was issued for a parent image will stay vulnerable unless the image maintainer re-builds the image and re-uploads it (and that usually doesn’t happen if the application itself received no updates).
In my opinion, all uploaded images should be accepted temporarily, for a short period of time, until the uploader provides a link to a git repository with the Dockerfile (+ extra files) necessary to build the image.
Only the images built by Docker Hub’s robots should be accepted for permanent storage; the rest should be accepted temporarily.
To criticize my own idea:
A. This would require a huge amount of resources.
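To make the chain-of-trust rule concrete, here is an added example (my own illustration, not code from the post above and not anything Docker Hub ships) of the hub-side check it implies: parse every `FROM` line of a submitted Dockerfile, skip references to earlier build stages, and refuse the badge if any external base image is not itself on the curated list. It also flags bases that are not pinned by `@sha256:` digest, since an unpinned tag is exactly what lets the "same instructions, different image" situation of problem A happen. The `CURATED` allowlist, the two sample Dockerfiles, and treating `scratch` (the empty image, which has no parent to update) as trusted are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed allowlist standing in for the hub's own "curated, autoupdated" records.
# These are repository names under docker.io; a real hub would query its database.
CURATED = {"library/alpine", "library/debian", "library/python"}

# Matches: FROM [--platform=...] <ref> [AS <alias>]
# (FROM lines that use ${ARG} substitution are deliberately not handled here.)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split 'registry/repo:tag@sha256:...' following Docker's naming rules."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A tag is a ':' after the last '/', so a registry port is not mistaken for a tag.
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        tag = ref[colon + 1:]
        ref = ref[:colon]
    parts = ref.split("/")
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", ref
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official images live under library/
    return ImageRef(registry, repo, tag, digest)


@dataclass
class Report:
    bases: list = field(default_factory=list)      # external base refs, as written
    uncurated: list = field(default_factory=list)  # bases that lack the badge
    unpinned: list = field(default_factory=list)   # bases without an @sha256 digest

    @property
    def ok(self) -> bool:
        # The badge requires every external parent to be curated itself.
        return not self.uncurated


def check_dockerfile(text: str) -> Report:
    """Walk the Dockerfile and classify each external base image."""
    report = Report()
    stages = set()  # aliases of earlier stages in a multi-stage build
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        if ref.lower() in stages:  # 'FROM builder' reuses a stage, not an external image
            continue
        if alias:
            stages.add(alias.lower())
        if ref.lower() == "scratch":  # assumption: the empty image needs no badge
            continue
        report.bases.append(ref)
        parsed = parse_ref(ref)
        if not (parsed.registry == "docker.io" and parsed.repo in CURATED):
            report.uncurated.append(ref)
        if parsed.digest is None:
            report.unpinned.append(ref)
    return report


# Constructed sample Dockerfiles (placeholder digests, not real image hashes).
GOOD_DOCKERFILE = f"""\
# both stages start from curated, digest-pinned bases
FROM --platform=linux/amd64 python:3.12-slim@sha256:{'0' * 64} AS builder
RUN pip install --no-cache-dir build
FROM docker.io/library/debian:bookworm-slim@sha256:{'1' * 64}
COPY --from=builder /app /app
"""

BAD_DOCKERFILE = """\
FROM ghcr.io/example/toolchain:1.0 AS build
FROM build
FROM alpine:3.19
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        r = check_dockerfile(text)
        print(name, "badge granted" if r.ok else "badge refused",
              "uncurated:", r.uncurated, "unpinned:", r.unpinned)
```

The second sample is refused because its toolchain stage comes from a registry the hub does not curate; `FROM build` is correctly ignored as a stage reference, and `alpine:3.19` passes the curation check but is reported as unpinned, which is the kind of base that silently changes between two builds of the same Dockerfile.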