From c13dd558eb87f060b7dafe1816db98360489bc7f Mon Sep 17 00:00:00 2001 From: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com> Date: Fri, 27 Jun 2025 09:45:59 -0700 Subject: [PATCH] dhi: update wording (#22932) ## Description Refine wording based on internal feedback. Particularly, don't say `exclude the OS layer`. Use `reduce` or some other wording. ## Related issues or tickets ## Reviews - [ ] Editorial review Signed-off-by: Craig --- content/manuals/dhi/about/what.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/content/manuals/dhi/about/what.md b/content/manuals/dhi/about/what.md index 6952a84b65..3c4de9a438 100644 --- a/content/manuals/dhi/about/what.md +++ b/content/manuals/dhi/about/what.md @@ -56,11 +56,12 @@ so you don’t have to. Level 3](../core-concepts/slsa.md), ensuring a tamper-resistant, verifiable, and auditable build process that protects against supply chain threats. -- Distroless approach: Unlike traditional base images that bundle an entire OS - with shells and package managers, [distroless - images](../core-concepts/distroless.md) exclude the OS layer and include only - your app and its runtime dependencies, reducing the attack surface by up to 95 - percent and improving performance. +- Distroless approach: Unlike traditional base images that bundle an entire OS + with shells, package managers, and debugging tools, [distroless + images](../core-concepts/distroless.md) retain only the minimal OS components + required to run your application. By excluding unnecessary tooling and + libraries, they reduce the attack surface by up to 95% and can improve + performance and image size. - Continuous maintenance: All DHIs are continuously monitored and updated to maintain near-zero known exploitable [CVEs](../core-concepts/cves.md), helping