I’m talking not only about trusting the distribution chain but about the situation where some services don’t rebuild their images using updated bases if they don’t have a new release.

So for example, if the particular service’s latest tag was a year ago, they keep distributing it with a year-old Alpine base…

  • TheHolm@aussie.zone · 3 points · edited · 10 hours ago

    If you care about security you build it on your own. No need to trust a random dude on the internet. After all, it is just fire and forget. Copy whatever “code” is used to build the container you are after, verify it once, and then just rebuild it periodically to pull patches from more reliable sources.
    Docker security is a joke, no need to make it worse.
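The two comments above describe one procedure: copy the upstream build recipe, review it once, then rebuild on your own schedule so the base image is not the year-old one the upstream tag still ships. The script below is an added example written for this page, not code from the thread or from any project. It pins the reviewed Dockerfile by checksum so a later edit to the local copy fails the build, compares the base image's repository digest with the one used for the last build, and rebuilds with `--pull --no-cache` only when the base has moved. The script name, the `example/app:local` tag, the `.sha256`/`.base-digest` side files and the sample Dockerfile are all assumptions; the sample Dockerfile is constructed and belongs to no real project.

```shell
#!/bin/sh
# rebuild-pinned.sh: keep a third-party container image current by rebuilding
# it from a locally reviewed copy of its Dockerfile instead of trusting an
# upstream tag whose base may be a year old. Added example for this thread,
# not code from any project. Assumed: the docker CLI, a Dockerfile whose final
# FROM names the runtime base, and the image name example/app:local.
set -eu

# Image named by the final FROM of a Dockerfile (the runtime base in a
# multi-stage build). Strips "--platform=..." flags and an "AS stage" alias.
base_image_of() {
    grep -iE '^[[:space:]]*FROM[[:space:]]' "$1" | tail -n 1 \
      | sed -E -e 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+//' \
               -e 's/--[a-z]+=[^[:space:]]+[[:space:]]+//g' \
               -e 's/[[:space:]]+[Aa][Ss][[:space:]]+.*$//' \
               -e 's/[[:space:]]+$//'
}

# sha256 of the Dockerfile, so a copy reviewed once can be pinned: any later
# change to the local copy (or an overwrite from upstream) fails the build.
dockerfile_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
      | cut -d' ' -f1
}

# Record the fingerprint once, after reading the Dockerfile yourself.
verify_once() { dockerfile_fingerprint "$1" > "$1.sha256"; }

# True when a reviewed fingerprint exists and still matches the file.
dockerfile_unchanged() {
    [ -f "$1.sha256" ] && [ "$(cat "$1.sha256")" = "$(dockerfile_fingerprint "$1")" ]
}

# True when no base digest was recorded yet, or the registry now serves a
# different one: either way a rebuild picks up base-image patches.
needs_rebuild() { [ -z "$1" ] || [ "$1" != "$2" ]; }

# Pull the base and return its repository digest (name@sha256:...); the tag
# alone says nothing about whether the image behind it moved.
current_base_digest() {
    docker pull --quiet "$1" >/dev/null
    docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

rebuild() {
    dockerfile="$1"; context="$2"; tag="$3"
    dockerfile_unchanged "$dockerfile" || {
        echo "refusing: $dockerfile differs from the reviewed copy; re-review and run verify" >&2
        return 1
    }
    base=$(base_image_of "$dockerfile")
    recorded=$(cat "$dockerfile.base-digest" 2>/dev/null || true)
    current=$(current_base_digest "$base")
    if needs_rebuild "$recorded" "$current"; then
        # --pull refreshes the base even when a stale copy is cached locally;
        # --no-cache re-runs RUN layers (apk upgrade, pip install, ...) so they
        # fetch current packages instead of replaying old cached layers.
        docker build --pull --no-cache -f "$dockerfile" -t "$tag" "$context"
        printf '%s\n' "$current" > "$dockerfile.base-digest"
        echo "rebuilt $tag on $current"
    else
        echo "$tag already built on $current; nothing to do"
    fi
}

# Constructed sample Dockerfile (not from any real project) for offline use.
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM alpine:3.19 AS runtime
RUN apk upgrade --no-cache
COPY --from=builder /out/app /usr/local/bin/app
ENTRYPOINT ["app"]
EOF
}

# Offline demo of the parsing and pinning steps; no docker needed.
demo() {
    tmp=$(mktemp)
    write_sample_dockerfile "$tmp"
    verify_once "$tmp"
    echo "runtime base:  $(base_image_of "$tmp")"
    echo "fingerprint:   $(cat "$tmp.sha256")"
    dockerfile_unchanged "$tmp" && echo "reviewed copy: unchanged"
    rm -f "$tmp" "$tmp.sha256"
}

# Usage:  ./rebuild-pinned.sh verify ./Dockerfile        (once, after review)
#         ./rebuild-pinned.sh ./Dockerfile . example/app:local   (from cron)
case "${1:-}" in
    "")      demo ;;
    verify)  verify_once "$2" ;;
    *)       rebuild "$1" "$2" "$3" ;;
esac
```

Run with no arguments it only parses the constructed Dockerfile and shows the pin; with a Dockerfile, build context and tag it does the real rebuild and is safe to put in cron, since it exits without building when neither the base digest nor the recipe has changed.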