Rocket, a new container runtime from CoreOS

[rant]

One could also point out that while the security of running random code you download from the internet is always problematic, that the vast majority of the people on the internet and the code you download actually does just what it says and isn't trying to harm you, so that for the vast majority of the cases downloading Docker images isn't going to be an actual problem, only a potential one. This goes hand in hand with the fact that the vast majority of the people you meet aren't trying to kill you, so it's probably not a rational risk assessment to leave your house in the morning in a tank, unless maybe you live in a warzone.

There are real costs to security measures, they may prevent future loss, but they are always a loss now, time and money spent not making things better but instead potentially making them not worse. We should all be trying to make security technology either cheap (like signature verification) or unnecessary (only running code in the same security zone one a shared host), rather than pouring resources into more and more complicated security technology, that we then become reliant on because systems don't have more fundamental robustness.