Well, it seems you answered your own question. There is a reason why security-conscious software houses vendor (and vet some of) their dependencies, despite it being a pain in the ass. Some individuals have good opsec; most don't.
And no repo for any language I know of does security audits on all its contents. They might do so for targeted libs like crypto or similar, or run some automated software that might find some edge cases, but I wouldn't put too much trust in it in general. Generally speaking, your safety lies in using popular libs, on the theory that if something bad happens there is a higher chance of somebody noticing. But the situation is not good from a security perspective. Of course, in the proprietary world, in my experience the situation is even worse. That said, Dockerfiles are usually simple, and I have no difficulty inspecting the ones I care about. I do, however, always clone their repos, so I can simply diff the differences, so keeping up with updates is not that big of a deal. Of course you still have to trust upstream, so ...
It'll only be so long until a major resource is poisoned that has severe outcomes for many organisations across the globe. Until that happens, status quo, I guess.
The current process of reviewing everything you use isn't maintainable, but outsourcing the reviewing is equally bad. My original post was _intended_ to ask for suggestions that solve the issue with a more widespread approach, but I guess either nobody understood me or nobody is interested.