# Year Zero Plan — Debian-Based Boring Base Images

## Goal

Establish credibility through **restraint**, not scale. Year Zero is about proving:

- governance works
- CVE response is real
- scope stays small

## Scope (Hard Limits)

Ship only:

- base
- base-slim
- container-host (optional)

OCI images only in Year Zero. No desktops. No language stacks.

## Staffing (Minimum Viable)

- 1 security/CVE triage lead (part-time acceptable)
- 1 build & release operator
- Shared governance/admin support

## Infrastructure

- Git-based declarative image definitions
- Debian stable + security + LTS
- Reproducible builds (sbuild/pbuilder)
- Public CI logs
- Public SBOM generation

## CVE Workflow

1. Monitor Debian Security Tracker and NVD
2. Triage within defined targets:
   - Critical: 72 hours
   - High: 7 days
3. Publish rationale for all decisions
4. Rebuild images on fix or mitigation

## Release Cadence

- Weekly rebuilds
- Emergency rebuild path
- Signed digests only
- No silent changes

## Transparency

- Public funding ledger
- Public CVE dashboard
- Public roadmap (limited to maintenance)

## Success Criteria

- Images used quietly in production
- No feature creep
- No “enterprise” pressure
- Trust earned through boredom

## Explicit Risks

- Underestimating CVE workload
- Sponsor pressure
- Scope creep

Mitigation: say “no” early and often.
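The CVE Workflow above (monitor the tracker and NVD, triage against the 72-hour and 7-day targets, rebuild on fix) can be driven from data rather than memory. The following is an added example, not part of this plan; it assumes the Debian Security Tracker JSON shape (package -> CVE -> releases -> suite -> status/fixed_version), NVD CVSS base severity as the severity source, and `bookworm` as the stable codename, and the CVE ids, timestamps and SBOM contents are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Triage targets from the plan: time from publication to a published decision.
TRIAGE_TARGETS = {"CRITICAL": timedelta(hours=72), "HIGH": timedelta(days=7)}
SUITE = "bookworm"  # assumed Debian stable codename the images are built from

# Constructed excerpt in the shape of Debian Security Tracker JSON; CVE ids are placeholders.
TRACKER = {
    "openssl": {
        "CVE-0000-0001": {"releases": {SUITE: {"status": "open", "urgency": "high"}}},
        "CVE-0000-0002": {"releases": {SUITE: {"status": "resolved", "fixed_version": "3.0.0-1"}}},
    },
    "zlib1g": {
        "CVE-0000-0003": {"releases": {SUITE: {"status": "open", "urgency": "low"}}},
    },
}
# Constructed NVD-style (severity, published time) for the same placeholder CVEs.
NVD = {
    "CVE-0000-0001": ("CRITICAL", "2024-01-01T00:00:00Z"),
    "CVE-0000-0002": ("HIGH", "2024-01-01T00:00:00Z"),
    "CVE-0000-0003": ("MEDIUM", "2024-01-01T00:00:00Z"),
}
# Constructed SBOM: Debian package names present in the base image.
IMAGE_PACKAGES = {"openssl", "zlib1g", "bash"}

def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

def triage(tracker, nvd, image_packages, now):
    """Return one record per CVE that touches a package shipped in the image."""
    records = []
    for pkg in sorted(image_packages & set(tracker)):
        for cve, info in tracker[pkg].items():
            rel = info["releases"].get(SUITE)
            if rel is None:  # CVE does not affect the suite we build from
                continue
            severity, published = nvd.get(cve, ("UNKNOWN", None))
            target = TRIAGE_TARGETS.get(severity)
            deadline = parse_utc(published) + target if target and published else None
            if rel["status"] == "resolved":
                action = f"rebuild: {pkg} fixed in Debian as {rel.get('fixed_version')}"
            elif target:
                action = "triage: publish rationale before the deadline"
            else:
                action = "track: below triage targets, publish rationale at next weekly rebuild"
            records.append({"cve": cve, "package": pkg, "severity": severity, "deadline": deadline,
                            "overdue": bool(deadline and now > deadline), "action": action})
    return records
```

Each record carries the decision the plan requires to be published, so the same output can feed the public CVE dashboard and the rebuild trigger.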