
This was the initial pebble that led to Podman existing via Red Hat. No Red Hat customer wanted to pull or push to DockerHub by default due to a typo. No PRs would be accepted to change it and after dealing with customer frustration over and over...


I'm not familiar with the 'root namespace squatting' or the typo issue. Do you mean the image namespace as described here: https://www.informit.com/articles/article.aspx?p=2464012&seq... or is there something else? What sort of typo would cause problems?


Yeah, this is a good summary of the problem. If I write a dockerfile with

    FROM ubuntu:20.04
    WORKDIR /app
    ADD mySecretAppBinary .

it will pull the base image from hub.docker.io, and there is no way to stop it from doing so. If I run:

    image_tag=test-app
    docker build -t $image_tag .
    docker push $image_tag

it will push a container with my secret application to the public docker hub, assuming I am logged in (which of course I am, because docker rate limits you if you don't). I don't ever want to do that, ever, under any circumstances, and it's just not possible to opt out of while using docker.


This was the proposed PR that is summarized in that article: https://github.com/moby/moby/pull/10411

If you did `docker tag supersecret/app:latest && docker push` instead of `docker tag registry.corp.com/supersecret/app:latest` guess where your code just went?

Same on the pull side, if you wanted your corp's ubuntu base rather than just `docker pull ubuntu`.
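The default-registry behaviour discussed in the comments above can be caught before a build or push with a small pre-flight check. This is an added example, not code from the thread or from Docker; the allow-list containing `registry.corp.com` and the sample Dockerfile are assumptions constructed for illustration.

```python
import re

DEFAULT_REGISTRY = "docker.io"  # what Docker assumes when no registry host is given

# Constructed sample input (not from the thread).
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 registry.corp.com/base/golang:1.21 AS build
FROM ubuntu:20.04
COPY --from=build /out/app /app
"""


def registry_of(ref):
    """Return the registry host an image reference resolves to.

    Docker's rule: the text before the first "/" is a registry host only if
    it contains "." or ":" or is "localhost"; otherwise the whole name is a
    Docker Hub repository path. Build ARGs are not expanded here, so a
    reference like ${BASE} is conservatively reported as Docker Hub.
    """
    first, slash, _ = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def dockerfile_base_images(text):
    """Extract external base images from FROM lines, skipping earlier stages."""
    stages, images = set(), []
    for line in text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image != "scratch" and image.lower() not in stages:
            images.append(image)
        if alias:
            stages.add(alias.lower())
    return images


def violations(refs, allowed=frozenset({"registry.corp.com"})):  # assumed allow-list
    """Return the refs that would be pulled from or pushed to an unapproved registry."""
    return [r for r in refs if registry_of(r) not in allowed]


if __name__ == "__main__":
    print(violations(dockerfile_base_images(SAMPLE_DOCKERFILE)))
    print(violations(["test-app", "supersecret/app:latest",
                      "registry.corp.com/supersecret/app:latest"]))
```

Run in CI against every Dockerfile and every tag passed to `docker push`, a non-empty result is a reason to fail the job before anything leaves the network.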



