I really wish places like Docker Hub and package managers (pip, npm, apt, etc.) would articulate the edges of their security boundaries better.

Like, can I expect that every docker image I pull has been audited for at least obvious and intentional backdoors? What about if I update a trusted image, and some time down the line the original poster's account is breached? Has the code had an in-depth audit that at least indicates that it's /somewhat/ resilient to being poked with a sharp stick?

2Factor at least improves security, but my security model must still rely on the Dockerfile maintainer not getting breached - I've never met any of the maintainers, and cannot independently verify their operational security at all.

I know there's at least some foil covering my hair right now, but the security of these kinds of services means anyone who's using them is effectively building a whole bunch of infrastructure right on top of a handful of houses of cards.

If anyone has any solutions that would solve this, I'd be interested in hearing and maybe implementing them. I've long thought of some sort of centralized community driven independent code-review/pentest notes to at least provide some level of assurance, but I don't think there'd be enough interest to hit critical mass, and the project would just die out.
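One partial mitigation for the "trusted image, maintainer account breached later" scenario raised above is to pin pulled artifacts by content digest rather than by mutable tag, and to verify that digest at deploy time. The script below is an added illustration, not code from the thread or from Docker Hub or any package manager; the artifact names, their contents and the lockfile are constructed sample data, and the verifier only reads bytes it is handed, so it runs offline.

```python
"""Verify pulled artifacts against content digests pinned at review time.

A tag such as "1.0" or "latest" is a pointer the registry can repoint.
A sha256 digest names the exact bytes. If what the registry serves under a
tag changes after review, whether from a legitimate rebuild or from a
compromised maintainer account, a digest check fails loudly instead of
letting the new contents into production unnoticed.

All data below is constructed for the example.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of the artifact bytes (the same digest form registries use)."""
    return hashlib.sha256(data).hexdigest()


def build_lockfile(reviewed: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of every artifact at the moment it was reviewed.

    In practice this file is generated once, committed alongside the
    deployment config, and only updated after a fresh review.
    """
    return {name: sha256_hex(blob) for name, blob in reviewed.items()}


def verify_artifact(name: str, blob: bytes, lockfile: dict[str, str]) -> str:
    """Classify one pulled artifact as 'ok', 'mismatch' or 'unpinned'."""
    expected = lockfile.get(name)
    if expected is None:
        # Never reviewed: refuse rather than trust whatever the tag resolves to.
        return "unpinned"
    actual = sha256_hex(blob)
    # compare_digest avoids timing leaks; harmless here but a good habit.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_all(pulled: dict[str, bytes], lockfile: dict[str, str]) -> dict[str, str]:
    """Verify every pulled artifact; a deploy should proceed only if all are 'ok'."""
    return {name: verify_artifact(name, blob, lockfile) for name, blob in pulled.items()}


# Constructed: the contents as they were when a human looked at them.
REVIEWED = {
    "example/base:1.0": b"FROM scratch\nCOPY app /app\n",
    "example/tool:2.3": b"#!/bin/sh\necho tool\n",
}
LOCKFILE = build_lockfile(REVIEWED)

# Constructed: what the registry serves under the same names some time later.
# "example/tool:2.3" was re-pushed with different bytes; "example/new:0.1" was
# never reviewed at all.
PULLED_LATER = {
    "example/base:1.0": b"FROM scratch\nCOPY app /app\n",
    "example/tool:2.3": b"#!/bin/sh\necho tool v2\n",
    "example/new:0.1": b"FROM scratch\n",
}

if __name__ == "__main__":
    for name, status in verify_all(PULLED_LATER, LOCKFILE).items():
        print(f"{name}: {status}")
```

The same idea is what `docker pull <image>@sha256:<digest>` and pip's `--require-hashes` mode give you with real tooling: the digest is fixed at review time and checked on every pull, so a later change to what a tag resolves to cannot be deployed silently. It does not make the original review any better, and it does nothing about the case where the bytes you reviewed were already malicious, which is the part of the boundary the comment above is asking the registries to be clearer about.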
I really like the mockups in this post. It's so rare that you see discussion of authentication UI/UX.

Speaking of, are there any UI/UX design resources (books, tutorials, blog posts, etc.) for modern authentication flows (2FA, OAuth, etc.)?

I've been searching for a while and can't seem to find anything substantial. All the design discussion I can find is around protocols/handshakes/security, but nothing about UI/UX best practices and possibilities.
I abandoned Docker Hub when they stopped allowing you to manually set up automated builds, and instead required that you link your GitHub account, which gave them too many privileges. There really isn't a need for Docker Hub since there are many alternatives, including GitLab.