Hot code burns
Nightly container rebuilds from upstream sources introduce a hidden security risk: code that has zero CVEs simply because no one has examined it yet. Using the September 2025 npm supply chain attack as a backdrop, the post argues that constantly pulling the latest upstream packages means a malicious commit can be automatically built, signed, and shipped before anyone notices. Ubuntu's intentional-update model — freezing package versions and applying only backported security patches — is presented as a deliberate counterpoint. Older, stable packages are predictable precisely because they have been scrutinized over time. The core argument is that CVE counts are a lagging indicator, rebuilding is replication not verification, and 'zero CVEs' on brand-new code means unexamined, not safe.
Table of contents
The breach we got, and the one that’s coming
Two philosophies for building containers
Who ships the backdoor first?
The problem of zero CVEs
Real security is earned slowly
When freshness becomes a liability
Rebuilding is not verification
Conclusion