I watched something very similar to this hit at least 40mph (65kph) down my 30mph (50kph) limit road the other day. The guy did not have a helmet on and was in a light jacket and jeans with trainers.
It was as you said, a motorcycle with pedals - only ridden by more of an idiot than the people who ride around during summer on 600cc bikes wearing shorts and t-shirts (cause at least they have a crash helmet on)
There are some justifyable reasons for kicking though. It's abuse of that process that is causing issues.
I do like the idea of grouping people with high incidents of kick actions though. It wouldn't be an instant fix but over time the two camps should separate out fairly nicely.
Docker will have only exposed container ports if you told it to.
If you used -p 8080:80 (cli) or - 8080:80 (docker-compose) then docker will have dutifully NAT'd those ports through your firewall. You can either not do either of those if it's a port you don't want exposed or as @moonpiedumplings@programming.dev says below you can ensure it's only mapped to localhost (or an otherwise non-public) IP.
Sure, I get it, this stuff should be accessible for all. Easy to use with sane defaults and all that. But at the end of the day anyone wanting to using this stuff is exposing potential/actual vulnerabilites to the internet (via the OS, the software stack, the configuration, ... ad nauseum), and the management and ultimate responsibility for that falls on their shoulders.
If they're not doing the absolute minimum of R'ingTFM for something as complex as Docker then what else has been missed?
People expect, that, like most other services, docker binds to ports/addresses behind the firewall
Unless you tell it otherwise that's exactly what it does. If you don't bind ports good luck accessing your NAT'd 172.17.0.x:3001 service from the internet. Podman has the exact same functionality.
But... You literally have ports rules in there. Rules that expose ports.
You don't get to grumble that docker is doing something when you're telling it to do it
Dockers manipulation of nftables is pretty well defined in their documentation. If you dig deep everything is tagged and natted through to the docker internal networks.
As to the usage of the docker socket that is widely advised against unless you really know what you're doing.
‘She pulled into the middle lane in an attempt to get away from him but he followed her and rammed her again.’
The woman pulled her Tesla into the hard shoulder and the silver BMW ‘got away’.
Meaning she was in the offside overtaking lane and even then still had room to pull into the nearside lane to let overtaking cars past. I don't condone what he did but fuck people who sit in the overtaking lanes.
"For example, if every time I post a new update on BlueSky, if I had to send my post to every single one of my followers’ repositories, that would be extremely inefficent"
Somewhat ironic to have this posted on and activitypub driven fediverse.
Each devices encryption keys are unique and non-transferable. Each message in a conversation is encrypted in such a way that every participating device at the time of sending can decrypt it.
New devices (like desktop clients) didn't have their keys used for old messages and so can't decrypt them. There is no way to reencrypt old messages with additional new keys.
It's both annoying as shit, and also the only way to ensure a bad actor can't just add themselves to conversations they weren't a part of.
It literally prompts you to install to your desktop, meaning it's had at least the minimum amount of effort spent to make a decent mobile experience. Did you try it?
There's a couple of caveats with it, but I think neither are worse than your proposed flow.