It'll only be a matter of time before there's a huge breach as a result of tainted software ending up in a popular docker build, github repo, or packaged into a mainstream Linux distro repo.
I have no idea if distros inspect package source, last time I googled it, I couldn't find any indication either way.
Which is why you need to build your own if this is the threat model.
> My PII/other data of value is also stored on a bunch of hosts who I have no oversight or control over,
Correct, this is why companies perform security assessments of vendors before granting access to sensitive data, and have contracts in place that help hold the vendors accountable.
> I have no idea if distros inspect package source, last time I googled it, I couldn't find any indication either way.
It would depend on the distro and maintainer of course, but I'd expect they do to some degree as their personal and professional reputations depend on it.
I am an individual, I cannot review every container I have control over, and version pinning might lead to unpatched publicly disclosed vulns. I could code review a few, but there's no way I could cover everything I run on my own. Add in $random_distro_packages and $random_git_clones and the ratio of review to functional use would be 10:1.
> Correct, this is why companies perform security assessments of vendors before granting access to sensitive data, and have contracts in place that help hold the vendors accountable.
I am an individual, I have virtually no control over which companies hold my data. Security in most medium to large organisations leaves a lot to be desired. I highly doubt project teams in large companies that don't care about security evaluate docker containers for security. I have no control over it, and laws in most/all countries to enforce professional negligence are toothless.
> It would depend on the distro and maintainer of course, but I'd expect they do to some degree as their personal and professional reputations depend on it.
That's awfully optimistic of you. Their reputation depends more on them delivering quality, functional releases in a timely manner. Larger distributions probably have some level of security audit but I don't know what level that is, and haven't seen any public details which indicate it, either.
Personally, I trust my distribution maintainers, because I know that they build packages from sources that could be audited if I wanted, and the build process is such that injecting malware into it is nontrivial (builds are done without internet access).
Backdooring upstream projects is possible, but any individual project in wide use is likely to have at least some sort of review, so it's not all that likely (compared to hijacking a docker hub image) that a backdoor would make it all the way into a distribution before it's noticed.
There is a reason why security-conscious software houses vendor (and vet some of) their dependencies, despite it being a pain in the ass.
Some individuals have good opsec, most don't. And no repo for any language I know of does security audits on all its contents. They might do for targeted libs like crypto or similar, or run some automated software that might find some edge cases, but I wouldn't put too much trust in general.
Generally speaking your safety lies in using popular libs, on the theory that if something bad happens there is a higher chance of somebody noticing.
But the situation is not good from a security perspective.
Of course, in the proprietary world, in my experience, the situation is even worse.
That said, Docker files are usually simple, and I have no difficulty in inspecting the ones I care for. I do however always clone their repos, so I can simply diff the differences, so keeping up with updates is not that big of a deal.
Of course you still have to trust upstream so ...