Without any official hat, I agree with Md that the changes to the installed packages seem reasonable, as sparse as possible, and driven by technological necessity.
I would like to see an official list of packages and checksums (ideally both SHA-512 and SHA3-512 as compute & storage are cheap and using two families increases resilience significantly) & size of the base image and all files in the base install, sent to list and signed by a DD, though. Putting said base image and signed list into a place where DSA can safeguard it long-term would be the cherry on top. This seems to be reasonable in terms of actual effort and could help establish a baseline for a published list of known-good system states. It's also a request which we could reasonably extend to everyone interested in publishing their images on the respective platforms, both retroactively and going forward.

Richard
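A sketch of the dual-family manifest the message above asks for, added here as an illustration and not part of the original message or of any Debian tooling: it records SHA-512, SHA3-512 and size for every file in a tree, then checks a tree against that baseline. The function names and JSON layout are assumptions, the sample tree is constructed, and signing the serialised manifest is left to a separate detached-signature step.

```python
import hashlib, json, os, tempfile

def digest_file(path, chunk=1 << 20):
    """Read the file once and feed both hash families."""
    h2, h3, size = hashlib.sha512(), hashlib.sha3_512(), 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h2.update(block)
            h3.update(block)
            size += len(block)
    return {"sha512": h2.hexdigest(), "sha3_512": h3.hexdigest(), "size": size}

def build_manifest(root):
    """Map every regular file under root to its digests and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):  # symlinks, devices skipped
                manifest[os.path.relpath(full, root)] = digest_file(full)
    return manifest

def canonical_bytes(manifest):
    """Stable serialisation: the bytes a detached signature would cover."""
    return json.dumps(manifest, sort_keys=True, indent=1).encode()

def verify(root, manifest):
    """Return sorted (path, reason) deviations; both digests and size must match."""
    current = build_manifest(root)
    problems = [(p, "missing" if p not in current else "modified")
                for p, want in manifest.items() if current.get(p) != want]
    problems += [(p, "unexpected") for p in current if p not in manifest]
    return sorted(problems)

def demo():
    """Constructed sample tree: build the baseline, tamper, then verify."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"etc/hostname": b"image\n", "bin/tool": b"\x7fELF", "README": b"base\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = json.loads(canonical_bytes(build_manifest(root)))
        clean = verify(root, baseline)
        with open(os.path.join(root, "etc/hostname"), "ab") as f:
            f.write(b"#changed\n")                           # modified file
        os.remove(os.path.join(root, "README"))              # missing file
        open(os.path.join(root, "bin/extra"), "wb").close()  # unexpected file
        return baseline, clean, verify(root, baseline)

if __name__ == "__main__":
    print(demo()[2])
```
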