Zero CVEs doesn’t mean secure. It means unexamined. New code has zero CVEs because no one has studied it yet, and if you’re rebuilding nightly from upstream, you’re signing first and asking questions later. In software supply chain security, the freshest code isn’t always the safest. Sometimes the most secure component in your pipeline is […]

The Ubuntu Blog provides updates, tutorials, and insights on the Ubuntu operating system and related projects. Covering topics such as Linux desktops, server administration, and cloud computing, the blog offers resources for developers and sysadmins working with Ubuntu. Developers can learn how to set up, configure, and optimize Ubuntu systems for development, deployment, and production environments by following the Ubuntu Blog.

Ubuntu

Nightly container rebuilds from upstream sources introduce a hidden security risk: code that has zero CVEs simply because no one has examined it yet. Using the September 2025 npm supply chain attack as a backdrop, the post argues that constantly pulling the latest upstream packages means a malicious commit can be automatically built, signed, and shipped before anyone notices. Ubuntu's intentional-update model — freezing package versions and applying only backported security patches — is presented as a deliberate counterpoint. Older, stable packages are predictable precisely because they have been scrutinized over time. The core argument is that CVE counts are a lagging indicator, rebuilding is replication not verification, and 'zero CVEs' on brand-new code means unexamined, not safe.

Hot code burns

The breach we got, and the one that’s coming