Ubuntu Security Upgrades and Ubuntu Pro. What is going on?
Like many security professionals I use automation to watch for issues in systems I maintain.
The phrase "many eyes gives better security" works in the open source world extremely well ... as long as you can make sure that all parts of the security model are available for independent review.
As soon as you hide any part of that, the "many eyes" security model no longer applies. Docker hides part of that process when they create the Docker image and do not make available the vendor image from which the Docker image was created.
The power of Open Source technology is the ability to delve deeply into the guts of a released project to see what's happening behind the scenes. That usually requires not just downloading the completed packages and looking at the code, but replicating the process used to create the packages and seeing if you get the same thing on an independent system.
Ubuntu does an excellent job of setting a trust chain that can be tracked all the way down to the original code, both with hashes and signatures. You can follow the base code signature and hashes all the way up to the final signed/hashed distribution. How about Docker?
I hate going to businesses who offer "free wifi" but then block port 22. Also I've noticed that Comcast blocks port 22 at some places I've visited. I used to get around it by running ssh over port 443 - but more recently businesses have been blocking that as well and when you ask why - their IT department has no idea. It's ridiculous and a major problem when it blocks access to git repositories, etc. Fortunately setting up ssh over SSL is easy with HAProxy.