Hey there, Thanks for your feedback and interest in our Ubuntu-based BIND9 OCI image ! I'm Valentin, the Product Manager for these Ubuntu-based container images with a maintenance commitment from Canonical. Let me address your comments separately. First, on the "edge" to "stable" risk information: We decided to tag our images using the following scheme - "X.Y-A.B_risk", where "X.Y-A.B" is what we call a "track". The track identifies the application version delivered (X.Y) and the base image used to deliver it (A.B). That way, it's super easy to track maintained software versions and get alignment in your dependencies. The "risk" gives maturity information about the tagged content. An "edge" channel will represent a higher risk than "beta", "beta" than "candidate", and "candidate" than "stable". This scheme is meant to represent the lifecycle of software components, - from a version still under active development ("edge"), - to a version under user testing ("beta"), - selected for stable promotion ("candidate"), - and finally, a version that is under vendor maintenance and won't receive more than security fixes ("stable".) We require you to explicit the risk you're accepting by specifying it in the image tag. It makes it very clear in your deployments what version you're using. You won't ever receive something riskier than your explicitly requested risk. A good read: https://snapcraft.io/docs/channels#heading--risk-levels. On the multiple tags pointing to the same content (i.e., same hash): I am sorry this seems confusing on your side; feedback taken. In OCI registries, images are available to download in 3 different ways: - no tags, 'latest' implied, for development purposes, - using an image tag, i.e. a dynamic pointer, - utilising the content hash, e.g. SHA256, to access specific content. The hash to tags relationship is a one-to-many kind. It is usual that many tags could refer to the same hash. The tag is only a reference. Think about the "X.Y-A-B_edge" channel; it will receive frequent updates (i.e. new hashes/SHA256). Using the tag, you will roll to the latest development version. From the "X.Y-A-B_stable" channel, you're guaranteed that we won't send breaking changes. However, using "stable" channel tags will automatically benefit from the latest security patches applied. Now, why does "edge" and "beta" point to the same content? "Is "beta" the same quality as "edge"?" Good question. The answer is: No, It's the other way. "Edge" is now the same quality as "Beta". The software matured, we decided to move it to "Beta", and the users who explicitly accepted the riskiest level ("Edge") will now receive a more stable image. Usually, a newer track with the latest software will become available on a different "Edge" channel. You can manually switch to it (in fact, upgrading versions). (This is explained in https://hub.docker.com/r/ubuntu/bind9#tags-and-architectures.) Finally, on the images not being signed: 100% valid, and it's on our roadmap. We currently provide all the images under the "Ubuntu" namespace as "Beta" content for our community to experiment with freely and provide feedback. We have great plans in the container space; we are still feeling the waters for now. Signing the images will be critical in building a trusted supply chain. If you're interested in more commercial offerings, feel free to reach out directly! (Also, not sure what you mean with "the "edge" channel has been deprecated for several years". The "edge" channel still receives updates from the current "beta",... and the image was published a few months ago.) Happy new year, and apologies for the reply delay caused by a well-deserved Winter break for our teams! Valentin