Why we built Rasid
Published · Fahad
For a decade, every team I have worked with — banks, government, energy — has had the same conversation about container images. Where does this image come from. Who patched it. What is in it. Will it be there in six months.
The honest answer has rarely been good. Most teams use the upstream image and hope for the best. The ones with budget pay a foreign vendor for a hardened build and accept the geopolitical and procurement headaches that come with it. The ones without budget ship vulnerabilities to production and sleep poorly.
Rasid is the third option.
What we are committing to
- Apache 2.0 binaries, free, forever. The images at images.rasid.cc are Apache 2.0 licensed. Pull them. Redistribute them. Repackage them. There is no rate-limit gate, no per-pull fee, no free-for-non-commercial trick. If we ever sell this company, the licence on the image binaries does not change.
- Patch latency is the product. Every image is rebuilt every 24 hours against the latest advisory data. We publish a patch SLA — critical advisories within 24 hours of upstream disclosure — and we will say so on this blog if we miss it.
- Provable provenance. Cosign signatures, CycloneDX and SPDX SBOMs, and in-toto build attestations on every image. Signing chain self-hosted at fulcio.rasid.cc + rekor.rasid.cc. Verification key at rasid.cc/.well-known/rasid-cosign.pub. You can prove what you are running and where it came from, against Rasid-operated infrastructure only.
- Sovereignty. The company is in Saudi Arabia. The infrastructure is operated by Saudi engineers. Enterprise customer data — sales contracts, support tickets, custom-build sources — stays in KSA residency. None of that requires a glossy press release. It just is.
- Arabic-first. The documentation, the support, and the catalogue itself are bilingual from day one. Not machine-translated as an afterthought.
We are a vendor, not an open-source project. The build pipeline, the signing infrastructure, the internal tooling — that’s proprietary, by design. What you get from us, free and forever, is the binary, the SBOM, the attestation, and the signature. That is what production needs.
Where we are today
The catalogue is small. The team is small. We are not going to pretend otherwise. What we are doing is building the foundation — the supply-chain plumbing, the daily rebuild loop, the signed-everything pipeline — that this kind of work depends on. The image count grows from there.
If you want to try it: pull an image, verify the signature, and let us know what breaks. We will fix it.
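To make "pull an image, verify the signature" and the provenance commitment above concrete, here is an added example script (not Rasid's own tooling) that checks an image signature and its transparency-log entry against the self-hosted Rekor, then the SBOM and build attestations, all with cosign. It assumes cosign and curl are installed, that the Rekor log's own public key is already configured for cosign (the post gives the log URL, not where that key is published), and that the attestation predicate types are cyclonedx, spdxjson and slsaprovenance.

```shell
# Added example, not Rasid's own tooling. Assumes cosign and curl are installed
# and that the Rekor log's public key has been made available to cosign
# (SIGSTORE_REKOR_PUBLIC_KEY or `cosign initialize`); the post gives the key
# URL and the log URL but not where the log's own public key is published.
set -eu

RASID_KEY_URL="https://rasid.cc/.well-known/rasid-cosign.pub"
RASID_REKOR_URL="https://rekor.rasid.cc"
# Predicate types assumed for the CycloneDX/SPDX SBOMs and the in-toto build
# attestation; adjust if Rasid documents different ones.
RASID_ATTESTATION_TYPES="cyclonedx spdxjson slsaprovenance"

# A tag can be re-pointed after you verified it; a digest cannot. Accept only
# "<repo>@sha256:<64 hex>" so that what was verified is what gets deployed.
require_digest_ref() {
  case "$1" in
    *@sha256:*) printf '%s' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$' ;;
    *) return 1 ;;
  esac
}

verify_rasid_image() {
  ref="$1"; key="${2:-rasid-cosign.pub}"
  require_digest_ref "$ref" || { echo "refusing tag-only reference: $ref" >&2; return 1; }

  # Fetch the published key once and print its fingerprint so it can be
  # compared with a copy obtained out of band (the post does not list it).
  [ -s "$key" ] || curl -fsSL "$RASID_KEY_URL" -o "$key"
  echo "verification key sha256: $(sha256sum "$key" | cut -d' ' -f1)"

  # 1. The signature must validate with the Rasid key, and its transparency-log
  #    entry must come from the Rasid-operated Rekor, not the public instance.
  cosign verify --key "$key" --rekor-url "$RASID_REKOR_URL" "$ref" >/dev/null

  # 2. SBOMs and build attestations are signed separately from the image;
  #    verify each predicate instead of trusting an unsigned download.
  for t in $RASID_ATTESTATION_TYPES; do
    cosign verify-attestation --key "$key" --rekor-url "$RASID_REKOR_URL" \
      --type "$t" "$ref" >/dev/null
  done
  echo "verified: $ref"
}

# Usage: sh verify-rasid.sh images.rasid.cc/<image>@sha256:<digest>
[ -z "${1:-}" ] || verify_rasid_image "$1"
```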
If you operate a regulated workload and want to talk about FIPS variants, NCA attestation packages, air-gap bundles, or private custom builds, the enterprise tier is the contact path.
— Fahad