IMHO, I think that distros advertising tiny install sizes are not competitive with similar offerings derived from RHEL and Debian. Alpine, Yocto, and friends generally trade size for compatibility/functionality by doing things like removing all drivers and substituting GNU CoreUtils with BusyBox. Once you install everything needed to run mainstream software, the image swells back up again:
| smallest | VM/container | IoT/NAS/“cloud” | |
|---|---|---|---|
| Alpine | 2.5 | 120 (Xen) | 469 (router) |
| ubi8/Fedora | 30-52 | 70-250 | 300-460 |
| Deb/Ubuntu | 26-30 | 280 | 300-500 |
I’m also very wary of community distros without any commercial offerings to draft off of. From Yocto’s security page:
Yocto Project does not have a Security team … there is some research and proof of concept work occurring with some tools but its struggling due to lack of people/resources.