We use Docker Official Images as the base images for several of our services. It's a popular choice, and there are good reasons for this. A dedicated team reviews them at Docker and gets actively maintained by experts from their respective communities, including the security community.
When we first started building these images, we struggled to integrate the process used to release fixes to the community. I can summarize our problems into two high-level buckets:
- We were missing security and bug fixes. By missing, I mean that we weren't applying them quickly, or we weren't applying them at all.
- Our builds were breaking mysteriously. Maybe all build breakages are mysterious, but this class of breakages was really bizarre!
It wasn't that patches weren't flowing in. The maintainers were doing a great job. It turned out that we needed a better approach for managing our Dockerfiles. We needed a Docker policy that could take advantage of the security and bug fixes that were reliably streaming in. And that was something we were missing entirely.
Source: Maintaining Docker Official Images an article by Jim Clark.