I make the assertion that Docker's public registry is not safe and I offer "nijtmans" as an example. I was looking to deploy fossil in a docker container but I was too lazy to build my own "scratch" container from scratch. Since I had just installed bosun and grafana from their "trusted" images I felt good about looking for a fossil version. Sorry, FAIL.
- A docker registry search for "fossil" yielded some 5 images.
- The first image was 8 months old and makes the claim that it was forked from nijtmans
- I noticed that nijtmans is not trusted with the docker regitry (no badge)
- The former image included it's Dockerfile so I could fork it if I wanted
- The later, niftmans, did not offer any good documentation and it was missing the Dockerfile
- I decided to try to track the project down and looked for the author on github; sadly he only had the one project
- when I looked in his repo I could not locate the Dockerfile and the README was unflattering
I do not know anything about this guy. I have no idea what his motives are or what the source looks like. I appreciate that he has shared, but when it comes to putting something in my server it has to have something, anything.
From this vantage point nijtmans and his project are suspicious.