by tarjei 2607 days ago
I'm not talking about private hosting of containers, I'm talking about an alternative to today's public registry of container images that is 100% verifiable so that when something like this happens it is possible to be certain that no one has tampered with any of the container images.
4 comments

You mean something like posting signed hashes in a public place? So you can verify what you got is what you want?
Do you mean formal verification? Verifying such a vast web service may be nearly impossible, especially since you'd still have to rely on a database server, OS, and kernel, the most popular of which are seemingly fundamentally incompatible with verification.
You can only have 100% verifiable container images if the Dockerfiles uploaded by users are reproducible (in the sense of https://reproducible-builds.org/). The vast majority probably aren't, and I'm not sure the Hub could reliably detect those that are.