# Introduction

I really like containers, but there is something that is currently very bad from a security point of view: distribution.

We download container images from container registries, whether it is docker.io, quay.io or ghcr.io, but the upstream projects do not sign them, so we cannot verify that a CI pipeline or the container registry did not mess with the image.

There are actually a few upstream actors signing their images: Fedora, Red Hat and universal-blue based distros (Bluefin, A...