I’m talking not only about trusting the distribution chain but about the situation where some services don’t rebuild their images using updated bases if they don’t have a new release.

So, for example, if a particular service’s latest tag was a year ago, they keep distributing it with a year-old Alpine base…

  • Sips'@slrpnk.net
    2 hours ago

    Not currently, but am planning on getting to it in 2026. I want to pull things to my Forgejo and use some workflows there to scan for vulnerabilities and rebuild ’n’ tweak images I deem necessary. It will be a fun project.