Debian inspired container-first Linux distro
Submitted Apr 11, 2025
Topic of your submission:
Supply chain security
Type of submission:
30 mins talk
I am submitting for:
Rootconf Annual Conference 2025
Description
Kubernetes drove the transition from VMs to containers, but Linux distro tooling (package managers and package archives) remained focused on a full-blown OS. Distros did not adapt to the needs of a containerised SDLC.
Containers are meant to run a single process in isolation, but package management was built for VMs. The result is bloated containers that widen the application's attack surface and add patching overhead for developers.
Minimal containers have become the standard for modern application development.
This talk explores an approach for creating a Debian-inspired distro with a container-first design.
Debian container bloat stems from:
- Essential packages that a VM needs but a single-process container does not, such as bash, libc6, perl-base and gcc
- The footprint of APT itself: installing the package manager pulls in 59 packages
- Maintainer scripts in Debian packages: preinst/postinst scripts can require interpreters such as perl or python, which then have to ship in the image
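As an added example (not code from the proposal or from KoalaLab), the check below shows how the two dpkg-level sources of bloat listed above can be measured on an existing image: it parses the stanzas of a dpkg status file (the format of /var/lib/dpkg/status), flags packages marked Essential, and reads the shebang of each package's maintainer scripts to flag those that need an interpreter beyond a POSIX shell. The status stanzas and scripts embedded here are constructed samples, and the package name example-app is hypothetical; on a real image you would feed it /var/lib/dpkg/status and the files under /var/lib/dpkg/info/.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Package is one stanza of a dpkg status file.
type Package struct {
	Name      string
	Priority  string
	Essential bool
	Depends   []string // package names only; version constraints and alternatives dropped
}

// ParseStatus parses the RFC822-style stanzas of a dpkg status file.
// Continuation lines (leading whitespace) are folded into the previous field.
func ParseStatus(status string) []Package {
	var pkgs []Package
	for _, stanza := range strings.Split(strings.ReplaceAll(status, "\r\n", "\n"), "\n\n") {
		fields := map[string]string{}
		last := ""
		for _, line := range strings.Split(stanza, "\n") {
			if line == "" {
				continue
			}
			if line[0] == ' ' || line[0] == '\t' {
				fields[last] += " " + strings.TrimSpace(line)
				continue
			}
			key, val, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			last = key
			fields[key] = strings.TrimSpace(val)
		}
		if fields["Package"] == "" {
			continue
		}
		p := Package{Name: fields["Package"], Priority: fields["Priority"], Essential: fields["Essential"] == "yes"}
		for _, dep := range strings.Split(fields["Depends"], ",") {
			// "a (>= 1.0) | b" -> keep the first alternative, name only
			dep, _, _ = strings.Cut(strings.TrimSpace(dep), "|")
			dep, _, _ = strings.Cut(strings.TrimSpace(dep), " ")
			if dep != "" {
				p.Depends = append(p.Depends, dep)
			}
		}
		pkgs = append(pkgs, p)
	}
	return pkgs
}

// ScriptInterpreter returns the interpreter named by a maintainer script's
// shebang, resolving "#!/usr/bin/env X" to X. Empty if there is no shebang.
func ScriptInterpreter(script string) string {
	first, _, _ := strings.Cut(script, "\n")
	if !strings.HasPrefix(first, "#!") {
		return ""
	}
	args := strings.Fields(first[2:])
	if len(args) == 0 {
		return ""
	}
	interp := path.Base(args[0])
	if interp == "env" && len(args) > 1 {
		interp = args[1]
	}
	return interp
}

// Finding is one reason a package adds bloat or a hidden dependency to an image.
type Finding struct {
	Package string
	Reason  string
}

// Audit flags Essential packages and maintainer scripts whose interpreter is
// not a POSIX shell. scripts maps package name -> script name -> content.
func Audit(pkgs []Package, scripts map[string]map[string]string) []Finding {
	var out []Finding
	for _, p := range pkgs {
		if p.Essential {
			out = append(out, Finding{p.Name, "Essential: yes"})
		}
		for name, body := range scripts[p.Name] {
			switch interp := ScriptInterpreter(body); interp {
			case "", "sh", "dash":
			default:
				out = append(out, Finding{p.Name, name + " needs " + interp})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Package != out[j].Package {
			return out[i].Package < out[j].Package
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

// sampleStatus is a constructed dpkg status file, not copied from a real image.
const sampleStatus = `Package: bash
Status: install ok installed
Priority: required
Essential: yes
Version: 5.2.15-2
Depends: base-files (>= 2.1.12), debianutils (>= 5.6-0.1)

Package: libc6
Status: install ok installed
Priority: required
Depends: libgcc-s1
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: example-app
Status: install ok installed
Priority: optional
Depends: libc6 (>= 2.36), python3 | python3-minimal
`

// sampleScripts are constructed maintainer scripts; example-app is hypothetical.
var sampleScripts = map[string]map[string]string{
	"bash": {"postinst": "#!/bin/sh\nset -e\n# register /bin/bash in /etc/shells\n"},
	"example-app": {
		"preinst":  "#!/bin/sh -e\nexit 0\n",
		"postinst": "#!/usr/bin/env python3\nimport os\nos.makedirs('/var/lib/example-app', exist_ok=True)\n",
	},
}

func main() {
	for _, f := range Audit(ParseStatus(sampleStatus), sampleScripts) {
		fmt.Printf("%-12s %s\n", f.Package, f.Reason)
	}
}
```

Run against a real image, the output is the list of packages that a container-first bootstrap would either drop (the Essential set) or have to rewrite (maintainer scripts that drag in perl or python). The shebang check is deliberately simple: it does not follow `require` or `import` lines inside the script, so a script that is nominally `/bin/sh` but shells out to perl will not be flagged.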
Proposing a new approach:
- A portable APT replacement implemented in Go
- Maintainer scripts reimplemented with minimal dependencies
- Bootstrapping the distro so that only the packages actually required are installed, with no Essential set
Security and compatibility
The core idea balances two goals: 1. minimal containers, to reduce attack surface, and 2. compatibility with the current Debian distribution and its package archive.
This approach provides the tooling and packages for building minimal containers, but compatibility is scoped to container lifecycle functionality only, not to a full OS.
Takeaways
Minimal containers start faster, use less memory, expose a smaller attack surface and leave fewer packages to keep patched.
Attendees of this talk would be able to understand:
- Challenges in building containers with the tooling of existing distros.
- Ideas for building tooling for secure and performant base containers.
Target Audience
Security engineers & platform engineers
- who are responsible for managing vulnerabilities in their container images.
- who want to build and manage a registry of golden container images.
Bio
Abhishek Anand
Co-Founder & CTO @ KoalaLab
Tech entrepreneur building solutions for open source software security.
Prev:
- CTO @ Housing.com : Scaled infra to 13Mn daily traffic.
- Platform engineering @ WhitehatJr : Built a self-serve Kubernetes platform.
- YC Alum.