This is the key. The OP's major complaint is with prebuilt containers from potentially untrustworthy sources, but he passes this off as a fundamental problem with containers themselves.
The reality is that you can (and probably should) build your own container rather than using a public one from docker hub. You know exactly what is in it, and can trust it completely.
In reality a dev will pass a prebuilt and non-updatable container to the sysadmin, though.
So the OP is exactly right! It doesn't matter where it's coming from if you can't verify, rebuild or update it.
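Both sides of the thread come down to whether the sysadmin can rebuild the image from a Dockerfile and know exactly which bits went into it. A floating tag such as `golang:1.22` can be re-pushed upstream at any time, so a rebuild from the same Dockerfile is not guaranteed to give the same image; a `@sha256:` digest is immutable. The script below is an added example (not code from the original thread or from any project mentioned in it) that flags every `FROM` line in a Dockerfile not pinned to a digest, while skipping references to earlier build stages. The sample Dockerfile it writes is constructed for the demo and the all-zero digest is a placeholder, not a real image.

```shell
#!/bin/sh
# Report FROM lines that are not pinned to an immutable sha256 digest.
# Prints "<line-number>: <FROM line>" for each offender; exit status 0 only
# when every external base image is digest-pinned.
# Stage names introduced with "FROM ... AS name" are remembered so that a
# later "FROM name" (multi-stage build) is not reported as unpinned.
unpinned_from() {
    awk '
        # Skip blank lines and comments.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        toupper($1) == "FROM" {
            # Skip option flags such as --platform=... to reach the image ref.
            i = 2; img = $i
            while (img ~ /^--/) { i++; img = $i }
            # References to an earlier build stage carry no digest by nature.
            if (img in stage) next
            # "@sha256:" is 8 chars; a full digest adds 64 hex chars (72 total).
            # Checking RLENGTH avoids awk dialects lacking {n} repetition.
            if (match(img, /@sha256:[0-9a-f]+$/) == 0 || RLENGTH != 72) {
                print FNR ": " $0
                bad++
            }
            # Record the stage name, if any, for later FROM references.
            for (j = i + 1; j <= NF; j++)
                if (toupper($j) == "AS") stage[$(j + 1)] = 1
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample Dockerfile (hypothetical, not from any real project).
# The builder stage uses a floating tag; the runtime stage is digest-pinned
# with an all-zero placeholder digest; the last FROM references a stage.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
# build stage
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

# runtime stage, pinned to an immutable digest (placeholder value)
FROM --platform=linux/amd64 gcr.io/distroless/static@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS runtime
COPY --from=builder /src/app /app

FROM runtime
ENTRYPOINT ["/app"]
EOF
}

# Same layout with every external base image digest-pinned (placeholder digests).
write_pinned_dockerfile() {
    cat > "$1" <<'EOF'
FROM golang@sha256:1111111111111111111111111111111111111111111111111111111111111111 AS builder
RUN true
FROM gcr.io/distroless/static@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /bin/true /true
EOF
}

# Demo: report unpinned FROM lines in the constructed sample.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_dockerfile "$f"
    unpinned_from "$f" || echo "unpinned base images found"
    rm -f "$f"
fi
```

Run `sh check_from.sh demo` to see the `golang:1.22` line reported while the digest-pinned and stage-reference lines pass. Pinning by digest is the minimum needed to make "rebuild it yourself" a reproducible claim; it does not by itself prove what is inside the base image, which still has to be audited or sourced from a registry you control.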