BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.coscup.org//coscup-2026//talk//UPWEEP
BEGIN:VTIMEZONE
TZID:CST
BEGIN:STANDARD
DTSTART:20000101T000000
RRULE:FREQ=YEARLY;BYMONTH=1
TZNAME:CST
TZOFFSETFROM:+0800
TZOFFSETTO:+0800
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-coscup-2026-UPWEEP@pretalx.coscup.org
DTSTART;TZID=CST:20260808T160000
DTEND;TZID=CST:20260808T163000
DESCRIPTION:Every container you deploy carries debt you didn't write. The a
 verage base image ships with 200-400 packages your application never calls
 \, each one a potential CVE\, each one expanding the blast radius of a bre
 ach. Teams run Trivy or Grype\, get a wall of 400 alerts\, patch the criti
 cals\, suppress the rest\, and ship. The scan-patch-suppress cycle creates
  an illusion of security hygiene while the actual attack surface stays eno
 rmous.\n\nThe good news: the ecosystem is finally pushing back. Google's d
 istroless project has been around for years\, Chainguard built a business 
 on minimal images\, and Docker Hardened Images went fully open source unde
 r Apache 2.0 in late 2025\, putting 1\,000+ minimal\, SBOM-signed images o
 ne pull away from every developer. Yet most teams still default to node:la
 test.\n\nThis talk dissects why container supply chain debt accumulates an
 d what a different default looks like. Through live audits comparing stand
 ard\, slim\, distroless\, and hardened base images for the same applicatio
 n\, we'll examine size\, CVE counts\, and actual runtime dependencies. You
 'll leave with practical patterns: multi-stage builds done right\, automat
 ed base image rebuild pipelines\, and policy-as-code for image provenance\
 , so minimal becomes the default without slowing teams down.
DTSTAMP:20260713T142146Z
LOCATION:TR209
SUMMARY:Your Container Images Are a Liability: The Supply Chain Debt Nobody
  Is Paying Down - Hrittik Roy\, Parth Goswami
URL:https://pretalx.coscup.org/coscup-2026/talk/UPWEEP/
END:VEVENT
END:VCALENDAR
