Be more selective what gets copied from cross builder stage?

[mthalman]

There's an issue with an outdated Python package, Pygments, that is included in the cross container image and causing vulnerabilities: https://github.com/dotnet/dotnet-buildtools-prereqs-docker-internal/issues/164

Example image:

mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux-3.0-net10.0-cross-armv6@sha256:9060cc2e7080451bc18aca2c9591d6c3bd8d9a222f83ef46cbce6cb15b7d0d60

has path: /crossrootfs/armv6/usr/lib/python3/dist-packages/Pygments-2.14.0.egg-info

Are these packages even needed in the final images? This one ends up getting installed as a result of this line:

dotnet-buildtools-prereqs-docker/src/azurelinux/3.0/net10.0/cross/armv6/Dockerfile

Line 13 in 2ab7ab1

RUN /scripts/eng/common/cross/build-rootfs.sh armv6 bookworm lldb13

If Python packages are not needed in the final image, can we clean things up before they get copied to the final image here:

dotnet-buildtools-prereqs-docker/src/azurelinux/3.0/net10.0/cross/armv6/Dockerfile

Line 18 in 2ab7ab1

COPY --from=builder "$ROOTFS_DIR" "$ROOTFS_DIR"

cc @sbomer

[mthalman]

[Triage]

@sbomer - Can you take a look at this and provide some feedback on if all of these Python packages are needed in the final image? It would be nice if we could exclude them if they're unnecessary.