Hi!
Yesterday I held a talk about distroless in a large enterprise and there were two questions I couldnt really answer, maybe I can find some inspiration here 😊
1. Are there any special security issues, additional attack surfaces opened by distroless?
I could not really answer this, but I said as there is way less components inside
I would answer it with "No".
2. In which cases should distroless not be used?
This as well I could not answer. IMO for all standard applications (node.js backends, java spring apps -> most apps there are using these stacks) it should be a no-brainer to use it.
Thank you for the good work!
Michael