This change modernizes the container image by moving from Alpine 3.3 to the rolling Alpine 3 tag and upgrading gosu from 1.7 to 1.11, including a more current signature verification flow with hkps and explicit binary validation. It also cleans up the entrypoint script by consistently quoting paths and tightening the root-check conditional, which reduces the chance of shell breakage when paths or environment values are unexpected. The practical effect is a more reliable and maintainable Docker setup with safer privilege dropping at runtime.