Make your own container base images from trusted sources

In this article, you will learn how to create an OCI container image of Alpine or Ubuntu using a trustable base image

https://dataswamp.org/~solene/2026-03-12-build-your-containers-from-trusted-sources.html

gemini://perso.pw/blog/articles/build-your-containers-from-trusted-sources.gmi

#security #linux #supply-chain

@solene

@solenepercent @solene Thanks for the article, I have a question though. Would it be the same if the base image had been reproducible? I guess you're verifying the signature simply because it is *not* reproducible, right? This way we have to blindly trust its author?

@solenepercent @Pol I thought about mentioning reproducible builds but I forgot about it. This could help verify if a mirror is serving trustable images, but:

- you need to build reproducible images to verify if the registry is lying; at this point you do not need the registry
- if you trust a 3rd-party reproducible builds monitoring system, you would need to trust multiple independent peers. A wrong signature immediately reports an issue, not an async reproducible check

@solene @solenepercent Yes, that's exactly the point I had in mind: signatures prove provenance, while reproducibility reduces the amount of trust I need to place in the producer.

If I only verify a signature, I am still trusting the author and the build infrastructure. If the image is reproducible, then third parties can independently confirm that the published artifact matches the declared source and inputs.

So to me these are complementary: signatures answer "who gave me this?", while reproducibility helps answer "can this claim be verified independently?".

@Pol @solenepercent this is a good point indeed