Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.
Distroless images are very small. The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).
Not sure. Those are not available on, let's say, riscv64. Also, a package manager is required to install required packages, such as the guix package, or tools to download and install guix.
https://github.com/GoogleContainerTools/distroless#why-should-i-use-distroless-images
https://github.com/fanquake/core-review/blob/741d40294b028b7131d65746e6eb564c7de51965/guix/debian.Dockerfile#L1
These images are also signed https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images
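What the quoted README text describes in practice, as an added illustration that is not from this thread or from either linked repository: a multi-stage build in which apt and the compiler run only in a throwaway builder stage, and the runtime stage is gcr.io/distroless/static-debian11, which ships no shell or package manager. It assumes a hypothetical statically linked Go program in ./main.go with a go.mod beside it.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration, not code from this thread or the linked repositories.
# Assumption: the app is a hypothetical Go program in ./main.go (+ go.mod).

# --- builder stage: the only place a package manager or compiler runs ---
FROM debian:bullseye-slim AS builder
RUN apt-get update \
 && apt-get install -y --no-install-recommends golang-go ca-certificates \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /src
COPY go.mod main.go ./
# CGO_ENABLED=0 yields a static binary, which is what the "static" variant expects
# (it carries no libc at all).
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/app .

# --- runtime stage: ~2 MiB base, no shell, no apt, no libc ---
FROM gcr.io/distroless/static-debian11
COPY --from=builder /out/app /app
# 65532 is the non-root uid/gid shipped in the distroless images.
USER 65532:65532
ENTRYPOINT ["/app"]
```

Because the final stage has no shell, nothing can be installed or debugged inside the running container; everything the binary needs must be copied in at build time, which is the constraint the reply above raises for tools such as guix that expect a package manager at runtime.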