<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Supply-Chain on taihen.org / 418 ... engineering in progress</title><link>https://taihen.org/tags/supply-chain/</link><description>Recent content in Supply-Chain on taihen.org / 418 ... engineering in progress</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 14 Jul 2026 15:30:00 +0200</lastBuildDate><atom:link href="https://taihen.org/tags/supply-chain/index.xml" rel="self" type="application/rss+xml"/><item><title>Distroless Was the Easy Part</title><link>https://taihen.org/posts/distroless-was-the-easy-part/</link><pubDate>Tue, 14 Jul 2026 15:30:00 +0200</pubDate><guid>https://taihen.org/posts/distroless-was-the-easy-part/</guid><description>&lt;p&gt;Last year I wrote about &lt;a href="https://taihen.org/posts/distroless/"&gt;distroless containers&lt;/a&gt; and finished with a small brag: I build my own minimal base image with &lt;a href="https://github.com/chainguard-dev/apko"&gt;apko&lt;/a&gt; and &lt;a href="https://github.com/wolfi-dev/os"&gt;Wolfi&lt;/a&gt;, look how tiny it is, look how few packages it has.&lt;/p&gt;
&lt;p&gt;This year I held that image against the standards that serious hardened-image vendors compete on. &lt;strong&gt;It failed.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Not because of what was inside the image. The contents were fine. Six packages, no shell, non-root user, signed with &lt;a href="https://github.com/sigstore/cosign"&gt;Cosign&lt;/a&gt;. It failed because of everything around the image and that is exactly where the state of the art has moved.&lt;/p&gt;</description></item></channel></rss>