Fully qualified is indeed the way to go. Unfortunately a lot of tutorials manifests and other materials have short names, and changing the default registry just opens up a load of typo squatting attacks.
That's a very good argument, but people have down used to dropping the domain prefix because it's always been optional.
Giving people the option to configure a default repository via the daemon.json would alleviate that issue, but I'm not sure if that's really enough to fork.
Oh great, so now it's a hidden default that might be different system-to-system. Disjoint from the actual deployment config. Please, dear god, no. I'm sorry, this is a bad idea.
The web is absolutely littered with docker tutorials and a huge proportion of them (not operated or maintained by docker themselves) would no longer be valid, I'm sure.
That said, they also maintain a list of aliases for a bunch of container images. https://github.com/containers/shortnames . My distro's podman package then drops in that file into /etc/containers/registries.conf.d/ via one of the package's dependencies.
Sure, digests are a good tool when needed, but there's a huge gulf between the risk factors here, and they don't really solve the "trust across repos" problem.
The top level image hashes tend to change between repos (because the image name changes in the manifest and is included in the hash).
So you'd have to go through an verify each layer sha.
Good tool for selecting an exact image in a repo, not a replacement for trust at the naming level (it's a bit like the difference between owning a domain and cert pinning with hpkp).
Manifests are tacked on afterwards, and have a lot of complexity that I'm not sure most folks have actually thought through.
Ex - lots of refs are to "multi-arch" images, Except... there's no such thing as a multi-arch image, the entire identifier is just a reference to a manifest that then points to a list of images (or other manifests) by arch, and the actual resolved artifact is a single entry in that list.
But it means the manifest needs to be able to reference and resolve other names, and that means including... names.
Basically - the digests weren't intended to support image verification across repos, and the tool doesn't treat them that way. The digest was intended to allow tighter specification than a tag (precisely because a publisher might push a different image to the same tag later).
The name is not being set in the manifests, though.
The only reference between objects are digests.
The only place an image name is stored is actually independent of any manifest, it is an endpoint in the registry that resolves the given name to a digest.
Once you have that digest the rest is a DAG.
not sure about the old docker image format, but most modern tools use OCI image format, and that doesn't embed the image name in the manifest, just digests, so it's totally portable everywhere.
`latest` also has many different definitions. Some people think it's tip of the dev branch (ie, pulling from `main` git branch), some people think it's most recent stable release (ie, some released tag).
One way to get around this is to just not use `latest` at all, and only push docker tags that perfectly mirror the corresponding git branches/tags.
that really depends on your thoughts of the trustworthiness of the 'owners' of those tags vs the security bugs in the sha256 you pinned and then didn't keep an eye on...
There's already a widely available way to specify exactly which repo you'd prefer in the docker client...
`docker pull [repo]/[image]:[tag]`
And that address format works across basically all of the tooling.
Changing the defaults doesn't actually make sense, because there's no guarantee that repo1/secure_image === repo2/secure_image.
Seems like a HUGE security issue to default named public images to a repo where the images may not be provided by the same owner.