by chousuke
2439 days ago
It is expected that you can't review everything you use, but you can still control the amount of trust you put in random blobs downloaded from the internet. If you're using dozens of Docker images, perhaps you're trusting too much? You're trusting the security of the base the image is built on, the quality of the image, the builder, and the security of whoever pushes the images. That's a lot to trust. Personally, I trust my distribution maintainers, because I know that they build packages from sources that could be audited if I wanted, and the build process is such that injecting malware into it is nontrivial (builds are done without internet access). Backdooring upstream projects is possible, but any individual project in wide use is likely to have at least some sort of review, so it's not all that likely (compared to hijacking a Docker Hub image) that a backdoor would make it all the way into a distribution before it's noticed.
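One way to make the "how much are you trusting?" question concrete, as an added example that is not part of the original post: a script that inventories the FROM lines across a set of Dockerfiles, counts the distinct upstream images being pulled, and flags references that use a mutable tag (or no tag at all) instead of an immutable digest. The sample Dockerfiles and the sha256 digest below are constructed placeholders.

```python
"""Added example: inventory the upstream images a set of Dockerfiles pull in,
and flag references that are not pinned to an immutable digest."""
import re
from typing import NamedTuple, Optional

# Matches: FROM [--platform=...] image[:tag][@sha256:digest] [AS alias]
FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(?P<ref>\S+)"
    r"(?:[ \t]+AS[ \t]+(?P<alias>\S+))?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

class ImageRef(NamedTuple):
    image: str              # registry/repository without tag or digest
    tag: Optional[str]      # None when no tag is given (implicit "latest")
    digest: Optional[str]   # e.g. "sha256:..." when pinned
    pinned: bool            # True only when an immutable digest is present

def parse_ref(ref: str) -> ImageRef:
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A ':' after the last '/' separates the tag; earlier ones are registry ports.
    head, _, tail = ref.rpartition("/")
    name, _, tag = tail.partition(":")
    image = f"{head}/{name}" if head else name
    return ImageRef(image, tag or None, digest, digest is not None)

def inventory(dockerfiles: dict) -> dict:
    """Return the distinct external images referenced and the unpinned refs."""
    images = set()
    unpinned = []
    for path, text in dockerfiles.items():
        aliases = set()  # build-stage names are local to one Dockerfile
        for m in FROM_RE.finditer(text):
            ref = m.group("ref")
            if ref in aliases or ref == "scratch":
                continue  # earlier stage or empty base: nothing is downloaded
            if m.group("alias"):
                aliases.add(m.group("alias"))
            parsed = parse_ref(ref)
            images.add(parsed.image)
            if not parsed.pinned:
                unpinned.append((path, ref))
    return {"images": sorted(images), "unpinned": unpinned}

SAMPLE = {  # constructed Dockerfiles; the digest is a placeholder value
    "app/Dockerfile": "FROM golang:1.22 AS builder\nRUN go build -o /app ./...\n"
                      "FROM gcr.io/distroless/static@sha256:" + "0" * 64 + "\n"
                      "COPY --from=builder /app /app\n",
    "db/Dockerfile": "FROM postgres\n",
}
```

Running `inventory(SAMPLE)` lists three distinct upstream images and reports the `golang:1.22` and `postgres` references as unpinned, i.e. resolvable to different content on the next pull.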