weddige, to random
@weddige@gruene.social avatar

#JFrog found that nearly 20% of #DockerHub repositories contained malicious content, so perhaps it is time for a reminder: Do not use random images you know nothing about.

I had two repositories in my account that were (I deleted them) not directly malicious, but were also very much not intended to be used by anyone but me. One of them was even called donotuse! Yet they were pulled hundreds of times. 🤷

https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/

estherschindler, to random
@estherschindler@hachyderm.io avatar

Attacks against millions of repositories have been discovered. Assume all the content you host on a publicly accessible repository might be compromised.
https://cloudnativenow.com/topics/cloudnativedevelopment/docker/jfrog-reveals-docker-hub-compromise-spanning-millions-of-repositories/

vwbusguy, to opensource
@vwbusguy@mastodon.online avatar

I have an interesting problem at work. We aren't using one of our #opensource projects any more, but metrics seem to indicate that others are. But since we don't track end users in any way whatsoever, we have no way of reaching out to whoever they are to see how disruptive it would be for us to pull the plug or even if it's used within our own org! It's not much overhead to keep going at this point, but it's not zero.

vwbusguy, (edited)
@vwbusguy@mastodon.online avatar

One interesting point here is that #DockerHub doesn't give you pull analytics with regular paid tiers (there are two special programs that get it). You can query current amount of pulls with an API call, but if you haven't been doing that all along because you didn't know you needed that, then you don't get that info, so I can see it has a high number of pulls and the last time it was pulled, but I don't know how many unique IPs or regularity.

#Docker #opensource #Mirantis
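The post above says the only way to get pull regularity out of Docker Hub is to have polled the pull count all along. As an added example (not from the post, not Docker's own tooling), here is a minimal Python recorder that does exactly that and then derives per-interval pulls from the cumulative totals; the Hub v2 repository endpoint and its `pull_count` field are assumptions about the public API, and the sample history is constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Docker Hub v2 repository endpoint (assumption: public repos need no auth).
HUB_URL = "https://hub.docker.com/v2/repositories/{namespace}/{repo}/"


def fetch_snapshot(namespace, repo):
    """Record the cumulative pull count right now; the Hub only exposes the running total."""
    url = HUB_URL.format(namespace=namespace, repo=repo)
    with urllib.request.urlopen(url, timeout=10) as resp:  # network call, not run offline
        data = json.load(resp)
    return {"ts": datetime.now(timezone.utc).isoformat(), "pulls": int(data["pull_count"])}


def append_snapshot(path, snapshot):
    """Append one JSON line per run; a daily cron job builds the history Hub never gives you."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(snapshot) + "\n")


def pull_deltas(snapshots):
    """Convert cumulative totals into pulls-per-interval, oldest first."""
    ordered = sorted(snapshots, key=lambda s: s["ts"])
    return [(b["ts"], b["pulls"] - a["pulls"]) for a, b in zip(ordered, ordered[1:])]


def looks_abandoned(snapshots, quiet_intervals=3):
    """True when the most recent intervals all saw zero pulls, i.e. nobody still pulls the image."""
    deltas = pull_deltas(snapshots)
    if len(deltas) < quiet_intervals:
        return False  # not enough history to say anything yet
    return all(d == 0 for _, d in deltas[-quiet_intervals:])


# Constructed sample history (not real Hub data): weekly snapshots, pulls stop after week 3.
SAMPLE = [
    {"ts": "2024-04-01T00:00:00+00:00", "pulls": 1000},
    {"ts": "2024-04-08T00:00:00+00:00", "pulls": 1040},
    {"ts": "2024-04-15T00:00:00+00:00", "pulls": 1041},
    {"ts": "2024-04-22T00:00:00+00:00", "pulls": 1041},
    {"ts": "2024-04-29T00:00:00+00:00", "pulls": 1041},
    {"ts": "2024-05-06T00:00:00+00:00", "pulls": 1041},
]

if __name__ == "__main__":
    print(pull_deltas(SAMPLE))
    print("abandoned:", looks_abandoned(SAMPLE))
```

Unique client IPs still cannot be recovered this way; the Hub never exposes them, so the delta series only tells you whether pulls are still happening.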

vwbusguy,
@vwbusguy@mastodon.online avatar

This all makes it so much easier to understand why #DockerHub is littered with massive numbers of stale, insecure images and other than maybe making analytics available to everyone, I don't see any obvious way for how #Docker could make this better without being massively disruptive. It also doesn't seem sustainable for them to carry such an incredible amount of ever-growing technical debt that so much of the internet depends on.

#Mirantis
