I’m talking not only about trusting the distribution chain but about the situation where some services don’t rebuild their images using updated bases if they don’t have a new release.
So for example, if the particular service’s latest tag was a year ago, they keep distributing it with a year-old Alpine base…


I have a repo for some home automation, where some hardware-specific modules are required. But it’s becoming rarer since more software handles it at runtime.