Build from source is a great idea. I assume you provide SLSA/sigstore-like provenance as well?
The Chainguard folks built sigstore :)