chore(sdk): use Debian's Docker Hardened Image

Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE: Total: 97 (UNKNOWN: 2, LOW: 82, MEDIUM: 13, HIGH: 0, CRITICAL: 0)
AFTER : Total: 88 (UNKNOWN: 2, LOW: 76, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

Author: endersonmaia

packages/sdk/Dockerfile

@@ -108,12 +108,10 @@ RUN <<EOF
 apt-get install -y --no-install-recommends \
     libslirp0 \
     lua5.4 \
+    passwd \
     xz-utils
-rm -rf /var/lib/apt/lists/*
-EOF
 
-RUN <<EOF
-set -e
+# create cartesi user
 useradd \
     --comment "cartesi user" \
     --no-create-home \
@@ -123,6 +121,9 @@ useradd \
     --uid 102 \
     --user-group \
     cartesi
+
+apt-get remove -y --purge passwd
+rm -rf /var/lib/apt/lists/*
 EOF
 
 # Install cartesi-machine emulator
@@ -265,9 +266,7 @@ apt-get install -y --no-install-recommends \
     liblzo2-2 \
     libslirp0 \
     locales \
-    lua5.4 \
-    xxd \
-    xz-utils
+    xxd
 rm -rf /var/lib/apt/lists/*
 EOF
 

packages/sdk/docker-bake.hcl

@@ -8,7 +8,7 @@ target "default" {
   args = {
     ALTO_VERSION                      = "1.2.5"
     ALTO_PACKAGE_VERSION              = "0.0.18"
-    CARTESI_BASE_IMAGE                = "docker.io/library/debian:trixie-20260112-slim@sha256:e9f1b0bda36daad09fcd6779f7af47191dbee4ff52f8903fffd15240eb986bd8"
+    CARTESI_BASE_IMAGE                = "dhi.io/debian-base:trixie@sha256:1244523a2f7b6c096c6f98ce0349df6798c775c57322c51f8a4982daf60c256c"
     CARTESI_DEVNET_VERSION            = "2.0.0-alpha.9"
     CARTESI_IMAGE_KERNEL_VERSION      = "0.20.0"
     CARTESI_LINUX_KERNEL_VERSION      = "6.5.13-ctsi-1-v0.20.0"