<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Distroless - vo.rs</title><link>https://vo.rs/tags/distroless/</link><description>Latest from the Distroless desk at vo.rs.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright><lastBuildDate>Fri, 19 Dec 2025 15:07:00 +0000</lastBuildDate><atom:link href="https://vo.rs/tags/distroless/" rel="self" type="application/rss+xml"/><item><title>Distroless and Multi-Stage Builds: Smaller, Safer Images</title><link>https://vo.rs/story/distroless-and-multi-stage-builds-smaller-safer-images/</link><description>&lt;p&gt;The first Docker image I ever built for a small Go service was 900 megabytes. The compiled binary inside it was eleven. Everything else — the Go toolchain, a full Debian userland, a package manager, a shell, compilers, a hundred libraries the binary never touched — came along for the ride because I had done the obvious thing and built the image &lt;code&gt;FROM golang&lt;/code&gt;. It worked. It was also a comically oversized attack surface wrapped around a program that needed almost none of it, and every one of those hundred unused libraries was something a scanner could find a CVE in.&lt;/p&gt;</description><pubDate>Fri, 19 Dec 2025 15:07:00 +0000</pubDate></item></channel></rss>