diff --git a/docker/Dockerfile.flux b/docker/Dockerfile.flux
index 4ee0c8f24c..02e0421fa4 100644
--- a/docker/Dockerfile.flux
+++ b/docker/Dockerfile.flux
@@ -1,8 +1,37 @@
-FROM alpine:3.9
+FROM debian:stable-slim
 WORKDIR /home/flux
-RUN apk add --no-cache openssh ca-certificates tini 'git>=2.12.0' 'gnutls>=3.6.7' gnupg
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ openssh-client \
+ ca-certificates \
+ git \
+ dirmngr \
+ gnupg \
+ && rm -rf /var/lib/apt/lists/*
+
+ENV TINI_VERSION 0.18.0
+ENV TINI_GPG_KEY 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7
+ENV GPG_KEY_SERVERS_LIST ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu
+
+RUN cd /tmp && \
+ apt-get update && apt-get install -y --no-install-recommends curl && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ for server in $(shuf -e $GPG_KEY_SERVERS_LIST); do \
+ gpg --keyserver "$server" --recv-keys $TINI_GPG_KEY && break || : ; \
+ done && \
+ gpg --fingerprint $TINI_GPG_KEY | grep -q "6380 DC42 8747 F6C3 93FE ACA5 9A84 159D 7001 A4E5" && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" -o tini.deb && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb.asc" -o tini.deb.asc && \
+ gpg --verify tini.deb.asc tini.deb && \
+ apt-get install /tmp/tini.deb && \
+ apt-get purge --auto-remove -y curl && \
+ rm -r "$GNUPGHOME" tini.deb* && \
+ rm -rf /var/lib/apt/lists/*
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh
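Review bot: `FROM debian:stable-slim` is a moving tag, and the version floors on the replaced `apk add` line (`'git>=2.12.0'`, `'gnutls>=3.6.7'`) have no equivalent on the new `apt-get install` line, so the git, openssh-client and gnupg versions in the image now depend on the day it is built. Pinning the base to a named release and digest, e.g. `FROM debian:<release>-slim@sha256:<digest>` (placeholders), keeps rebuilds reproducible and turns a base-image update into an explicit, reviewable change. The same `FROM` line is introduced in docker/Dockerfile.helm-operator.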
@@ -29,21 +58,12 @@ LABEL maintainer="Weaveworks " \
 org.label-schema.vcs-url="git@github.com:weaveworks/flux" \
 org.label-schema.vendor="Weaveworks"
-ENTRYPOINT [ "/sbin/tini", "--", "fluxd" ]
+ENTRYPOINT [ "tini", "--", "fluxd" ]
 # Get the kubeyaml binary (files) and put them on the path
 COPY --from=quay.io/squaremo/kubeyaml:0.5.2 /usr/lib/kubeyaml /usr/lib/kubeyaml/
 ENV PATH=/bin:/usr/bin:/usr/local/bin:/usr/lib/kubeyaml
-# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
-# This resolves the conflict between:
-# * fluxd using netgo for static compilation. netgo reads nsswitch.conf to mimic glibc,
-# defaulting to prioritize DNS queries over /etc/hosts if nsswitch.conf is missing:
-# https://github.com/golang/go/issues/22846
-# * Alpine not including a nsswitch.conf file. Since Alpine doesn't use glibc
-# (it uses musl), maintainers argue that the need of nsswitch.conf is a Go bug:
-# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 COPY ./kubeconfig /root/.kube/config
 COPY ./fluxd /usr/local/bin/
diff --git a/docker/Dockerfile.helm-operator b/docker/Dockerfile.helm-operator
index acf6165a12..80953e62ee 100644
--- a/docker/Dockerfile.helm-operator
+++ b/docker/Dockerfile.helm-operator
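Review bot: In docker/Dockerfile.flux, `ENTRYPOINT [ "tini", "--", "fluxd" ]` now resolves the init process through `PATH` instead of a fixed location, so which binary runs as PID 1 depends on the `ENV PATH` line below it and on any `PATH` override supplied at run time. Keeping an absolute path avoids that, e.g. `ENTRYPOINT [ "/usr/bin/tini", "--", "fluxd" ]`, assuming the tini .deb installs to `/usr/bin` (worth confirming in the built image). The `ENTRYPOINT` change in docker/Dockerfile.helm-operator has the same issue.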
@@ -1,8 +1,35 @@
-FROM alpine:3.9
+FROM debian:stable-slim
 WORKDIR /home/flux
-RUN apk add --no-cache openssh ca-certificates tini 'git>=2.12.0'
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ openssh-client \
+ ca-certificates \
+ git \
+ && rm -rf /var/lib/apt/lists/*
+
+ENV TINI_VERSION 0.18.0
+ENV TINI_GPG_KEY 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7
+ENV GPG_KEY_SERVERS_LIST ha.pool.sks-keyservers.net \
+ hkp://p80.pool.sks-keyservers.net:80 \
+ keyserver.ubuntu.com \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu
+
+RUN cd /tmp && \
+ apt-get update && apt-get install -y curl gnupg && \
+ export GNUPGHOME="$(mktemp -d)" && \
+ for server in $(shuf -e $GPG_KEY_SERVERS_LIST); do \
+ gpg --keyserver "$server" --recv-keys $TINI_GPG_KEY && break || : ; \
+ done && \
+ gpg --fingerprint $TINI_GPG_KEY | grep -q "6380 DC42 8747 F6C3 93FE ACA5 9A84 159D 7001 A4E5" && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb" -o tini.deb && \
+ curl -sSL "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini_${TINI_VERSION}.deb.asc" -o tini.deb.asc && \
+ gpg --verify tini.deb.asc tini.deb && \
+ apt-get install /tmp/tini.deb && \
+ apt-get purge --auto-remove -y curl gnupg && \
+ rm -r "$GNUPGHOME" tini.deb* && \
+ rm -rf /var/lib/apt/lists/*
 # Add git hosts to known hosts file so we can use
 # StrickHostKeyChecking with git+ssh
@@ -31,7 +58,7 @@ LABEL maintainer="Weaveworks " \
 org.label-schema.vcs-url="git@github.com:weaveworks/flux" \
 org.label-schema.vendor="Weaveworks"
-ENTRYPOINT [ "/sbin/tini", "--", "helm-operator" ]
+ENTRYPOINT [ "tini", "--", "helm-operator" ]
 ENV HELM_HOME=/var/fluxd/helm
 COPY ./helm-repositories.yaml /var/fluxd/helm/repository/repositories.yaml
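Review bot: The second `RUN` in docker/Dockerfile.helm-operator installs with `apt-get install -y curl gnupg`, without the `--no-install-recommends` used by the first `RUN` and by the matching step in Dockerfile.flux, so recommended packages are pulled in and whether all of them leave the image again depends on `apt-get purge --auto-remove`. Installing exactly what the verification step needs and purging the same list is easier to audit: `apt-get update && apt-get install -y --no-install-recommends curl gnupg dirmngr && \` paired with `apt-get purge --auto-remove -y curl gnupg dirmngr && \`. `dirmngr` is listed on the assumption that `gpg --recv-keys` needs it once recommends are off, as the explicit `dirmngr` in Dockerfile.flux suggests; confirm against the base image.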