You can inspect the layers of a Docker image. Tools like dive[0] provide a quick and easy way to navigate through the different components your image of choice is made up of.
In terms of functionality once the container is running, you'll have to put some amount of trust into the project maintainers, no more or less than the trust you need on amd64. For containers repackaged by third parties that's quite a pain, but in most cases you can get by just fine with the official container.
If your container of choice has been made by someone real fancy, you may be able to get reproducible builds for all the files inside the container. That would verify that the source and the binary match (though container metadata may not, so a direct image compare would be challenging).
Not necessarily. It is certainly easier to read a Dockerfile, but there are tools like https://github.com/wagoodman/dive (I'm sure there are others) that allow you to inspect images themselves in a very detailed manner.
I very much enjoy dive[1] for this purpose, though it doesn't seem to be maintained anymore...
Thanks for sharing, very useful blog post (not just the linked section). Reference to https://github.com/wagoodman/dive will help a lot today.