The big question about using those Docker containers is security.

Based on past CVE history for nginx, there might be another CVE in 1-2 years. Will this git repo still be updated then? Will the user remember to pull the latest version and regenerate the latest image?

The official "nginx:alpine" image maintained by the nginx team is 17MB. If you can, you should always use it. And you should subscribe to some sort of mailing list so you know when it is time to upgrade all of your servers.

(An alternative is to skip Docker and use good old Ubuntu LTS with automatic updates; this will guarantee timely and fully automatic security updates for the next few years. The downside is that if the system has an exploit, the attacker will often find it much easier to stay in the system and move to other parts of the network.)

If predictable build compilations were published by source owners and some wider review (like CT), the build could test if the specific code used matched externally provided sigs.
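
The check described in the reply above, sketched as an added example that is not part of the original thread: a local build's SHA-256 is compared against digests published independently by several parties, and it passes only when enough of them agree and none contradicts. The publisher names, the sha256sum-style manifest format, the quorum rule and the sample bytes are assumptions made for illustration, and the manifests are assumed to have already been authenticated (for example by verifying each publisher's signature).

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def parse_manifest(text):
    """Parse sha256sum-style lines ('<digest>  <name>') into {name: digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries

def check_build(artifact, name, manifests, quorum):
    """Compare a local build's SHA-256 with what each publisher lists for name."""
    local = hashlib.sha256(artifact).hexdigest()
    result = {"local": local, "agree": [], "disagree": [], "silent": []}
    for publisher in sorted(manifests):
        expected = parse_manifest(manifests[publisher]).get(name)
        if expected is None:
            result["silent"].append(publisher)      # publisher has no entry
        elif hmac.compare_digest(expected, local):
            result["agree"].append(publisher)
        else:
            result["disagree"].append(publisher)    # mismatch: investigate
    # Pass only with enough independent matches and no contradicting publisher.
    result["ok"] = len(result["agree"]) >= quorum and not result["disagree"]
    return result

# Constructed sample data: the "artifact" is a stand-in byte string, and the
# manifests are generated here rather than fetched from real publishers.
ARTIFACT = b"constructed stand-in for a reproducible nginx build output\n"
NAME = "nginx-build.tar"
_GOOD = hashlib.sha256(ARTIFACT).hexdigest()
MANIFESTS = {
    "source-owner": f"{_GOOD}  {NAME}\n",
    "independent-rebuilder": f"# rebuilt from the same tag\n{_GOOD.upper()} *{NAME}\n",
    "public-log": "# no entry for this release yet\n",
}

if __name__ == "__main__":
    print(check_build(ARTIFACT, NAME, MANIFESTS, quorum=2))
    print(check_build(ARTIFACT + b"patched", NAME, MANIFESTS, quorum=2))
```

A publisher with no entry counts as silent rather than as agreement, so a missing or withheld manifest can never help an artifact reach the quorum.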