"The CentOS managed base image uses `yum` and `rpm` for package management, and these pull RPM files only over HTTPS connections." That's interesting. Is there a reason for that? IIRC the stock CentOS doesn't use HTTPS for its yum/rpm repos and I figured it wasn't necessary to use HTTPS since the package signature is verified.
The Ubuntu base image is Ubuntu 16.04, which is an interesting choice. 18.04 LTS has been out for *a while* now, so I would have expected it to at least be an option.
What's the difference between this and pulling an official image from Docker Hub? For example: https://hub.docker.com/_/ubuntu/
This is awesome - is there anything similar for Azure? Or possible 3rd party solutions that do the same? We don’t leverage GCP but I am very envious of this feature. Would love the community to help point me in the right direction to get the same functionality - mainly not having to maintain and patch Ubuntu 16.0.4 images.
Does Google (or any of the other cloud vendors) audit/review the actual source code of packages used in the images, such as apache, nginx, openjdk, etc.? Or do they just run a scanner that tests for known vulnerabilities?