As it is we use a random Alpine base image - https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy-alpine#L1. Should we trust this? I recommend using the Distroless containers that support glibc natively, come from a trusted source and are similarly very small in size - ...
RUN apk add --no-cache gcompat # turns out build-base does not contain libc, https://wiki.alpinelinux.org/wiki/Running_glibc_programs RUN apk add --no-cache curl ca-certificates # so we can download stack (and other things) RUN apk add --no-cache xz # GHC seems to need xz RUN...