
With that rationale, why not use https://github.com/go-acme/lego which is a self-contained Let's Encrypt client in Go?


Static binary, sure, but hardly a tiny supply chain attack surface: https://github.com/go-acme/lego/blob/master/go.sum

Also their official builds are built with Alpine which is a hobby distro that does not even do signed code or packages.


Are you saying that any use of Alpine is, by definition, a supply-chain security problem?


I am, yes. Alpine is not full-source-bootstrapped, often imports and trusts external binaries blindly, has no signed commits, no signed reviews, no signed packages, and is not reproducible. It is one phished git account away from a major supply chain attack any day now.

Alpine chooses low security for low contribution friction. It is the Wikipedia of Linux distros, which granted it a huge package repository fantastic for experimental use and reference, but it is not something sane to blindly trust the latest packages of in production.

It is one of the reasons why I made stagex, which in most cases is a near drop-in replacement.

https://codeberg.org/stagex/stagex


Thanks for the detailed response!

EDIT: Also, stagex looks pretty compelling; I hope it catches on!



