I’m talking not only about trusting the distribution chain but about the situation where some services dont rebuild their images using updated bases if they dont have a new release.
So per example if the particular service latest tag was a year ago they keep distributing it with a year old alpine base…
Yeah, I saw that another person forked NPM and used that for awhile before moving on to something else. Work is handled outside of myself but I don’t do it at home. I did learn how to though to get an understanding of it.