Now if we could just get some sort of hash consensus around what is in root.tar.xz. I feel like we are all blindly trusting large binary blobs as the core of our systems without any reproducible builds or peer auditing.
You might be interested in distroless[1] base images.
The repo links to a talk that goes into more depth, but the basic idea is to use a minimal language-specific base for your runtime instead of e.g. statically linking all of ubuntu into your image.
The base images are built with bazel's docker rules[2], so you get reproducible builds.
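As an added illustration of what "reproducible" buys you for the hash-consensus concern raised above (example code written for this note, not code from the distroless project or from bazel's docker rules): the digest of an image layer is just a sha256 over the layer's tar bytes, so two builds only agree on a digest if every byte of the tar agrees. An ad-hoc tar picks up insertion order, build-time mtimes and the builder's uid/gid, which makes the digest drift between machines. A reproducible builder normalises those fields. The sample root filesystem contents and the two "build variants" below are constructed for the example.

```python
import hashlib
import io
import tarfile

# Constructed sample "root filesystem" for the example: path -> file contents.
# In a real build these would come from a package manager or a build rule.
SAMPLE_ROOTFS = {
    "etc/passwd": b"root:x:0:0:root:/:/sbin/nologin\n",
    "usr/bin/app": b"#!/bin/sh\necho hello\n",
    "usr/lib/libfoo.so": b"\x7fELF" + b"\x00" * 12,
}

# Fixed timestamp for every entry, the same idea as SOURCE_DATE_EPOCH in
# reproducible-build tooling (assumed here to be 0).
SOURCE_DATE_EPOCH = 0


def build_layer_naive(files, mtime):
    """Write entries in the order given, with the caller's mtime and a
    builder-specific uid/gid/uname. This mirrors an ad-hoc `tar` run: the
    archive bytes depend on insertion order and build time, so the digest
    of the layer changes from build to build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            info.uid, info.gid = 1000, 1000
            info.uname, info.gname = "builder", "builder"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_layer_reproducible(files, mtime_ignored=None):
    """Normalise every metadata field that varies between builds: sort entries
    by path, pin mtime to SOURCE_DATE_EPOCH, zero uid/gid, drop user/group
    names, pin the tar format, and derive mode from the content rather than
    from the build host. Two builds of the same content then produce
    byte-identical layers and therefore the same digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            executable = data.startswith(b"#!") or data.startswith(b"\x7fELF")
            info.mode = 0o755 if executable else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def layer_digest(layer_bytes):
    """Content-address the layer as OCI/Docker do: sha256 over the layer's
    tar bytes (uncompressed here), rendered as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(layer_bytes).hexdigest()


def digests_agree(builder, variants):
    """Build the same content under each (file order, mtime) variant and
    report whether every build produced one and the same digest."""
    digests = {layer_digest(builder(files, mtime)) for files, mtime in variants}
    return len(digests) == 1


# Two builds of identical content, differing only in entry order and clock.
BUILD_VARIANTS = [
    (dict(SAMPLE_ROOTFS), 1600000000),
    (dict(reversed(list(SAMPLE_ROOTFS.items()))), 1700000000),
]

if __name__ == "__main__":
    for name, builder in (("naive", build_layer_naive),
                          ("reproducible", build_layer_reproducible)):
        for files, mtime in BUILD_VARIANTS:
            print(f"{name:13s} {layer_digest(builder(files, mtime))}")
        print(f"{name:13s} digests agree: {digests_agree(builder, BUILD_VARIANTS)}")
```

Running it prints two different digests for the naive builder and one repeated digest for the reproducible one. That repeated digest is what independent parties can compare, which is the "hash consensus" the first comment asks for: only once a build is byte-deterministic does publishing a digest let anyone else confirm they got the same blob rather than merely the same name.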