Hacker News

morellonet today at 2:34 PM

We build all these images directly from upstream source across thousands of projects and assemble them into standard OCI images for you. We do this continuously, every time there are new versions released upstream.

The point is that you can just use these images instead of what you already have and reduce your vulnerabilities by 97%+ on average.

Think Docker Hub, just without the vulnerabilities.


Replies

alfanick today at 2:35 PM

Pinky promise? How do you prove that what I download from you is actually what you promise you've built (and that the SBOM is right)? Is this certified with some digital signature?

From my threat attack model, you're just yet another liability - one single service to hack all your "safe" images.
