diff --git a/README.md b/README.md
index cdab9223..14ab9f1d 100644
--- a/README.md
+++ b/README.md
@@ -5,20 +5,28 @@
 This repository holds recipes for building the base images for [Heroku stacks](https://devcenter.heroku.com/articles/stack).
 The recipes are also rendered into Docker images that are available on Docker Hub:
 
-| Image                                     | Base                                  | Type               | Status      |
-|-------------------------------------------|---------------------------------------|--------------------|-------------|
-| [heroku/heroku:18][heroku-tags]           | [ubuntu:18.04][ubuntu-tags]           | Heroku Run Image   | End-of-life |
-| [heroku/heroku:18-build][heroku-tags]     | [heroku/heroku:18][heroku-tags]       | Heroku Build Image | End-of-life |
-| [heroku/heroku:18-cnb][heroku-tags]       | [heroku/heroku:18][heroku-tags]       | CNB Run Image      | End-of-life |
-| [heroku/heroku:18-cnb-build][heroku-tags] | [heroku/heroku:18-build][heroku-tags] | CNB Build Image    | End-of-life |
-| [heroku/heroku:20][heroku-tags]           | [ubuntu:20.04][ubuntu-tags]           | Heroku Run Image   | Available   |
-| [heroku/heroku:20-build][heroku-tags]     | [heroku/heroku:20][heroku-tags]       | Heroku Build Image | Available   |
-| [heroku/heroku:20-cnb][heroku-tags]       | [heroku/heroku:20][heroku-tags]       | CNB Run Image      | Available   |
-| [heroku/heroku:20-cnb-build][heroku-tags] | [heroku/heroku:20-build][heroku-tags] | CNB Build Image    | Available   |
-| [heroku/heroku:22][heroku-tags]           | [ubuntu:22.04][ubuntu-tags]           | Heroku Run Image   | Recommended |
-| [heroku/heroku:22-build][heroku-tags]     | [heroku/heroku:22][heroku-tags]       | Heroku Build Image | Recommended |
-| [heroku/heroku:22-cnb][heroku-tags]       | [heroku/heroku:22][heroku-tags]       | CNB Run Image      | Recommended |
-| [heroku/heroku:22-cnb-build][heroku-tags] | [heroku/heroku:22-build][heroku-tags] | CNB Build Image    | Recommended |
+| Image                                     | Type                   | OS           | Supported Architectures | Default `USER` | Status          |
+|-------------------------------------------|------------------------|--------------|-------------------------|----------------| ----------------|
+| [heroku/heroku:20][heroku-tags]           | Heroku Run Image       | Ubuntu 20.04 | AMD64                   | `root`         |  Available      |
+| [heroku/heroku:20-build][heroku-tags]     | Heroku Build Image     | Ubuntu 20.04 | AMD64                   | `root`         |  Available      |
+| [heroku/heroku:20-cnb][heroku-tags]       | CNB Run Image          | Ubuntu 20.04 | AMD64                   | `heroku`       |  Available      |
+| [heroku/heroku:20-cnb-build][heroku-tags] | CNB Build Image        | Ubuntu 20.04 | AMD64                   | `heroku`       |  Available      |
+| [heroku/heroku:22][heroku-tags]           | Heroku Run Image       | Ubuntu 22.04 | AMD64                   | `root`         |  Recommended    |
+| [heroku/heroku:22-build][heroku-tags]     | Heroku Build Image     | Ubuntu 22.04 | AMD64                   | `root`         |  Recommended    |
+| [heroku/heroku:22-cnb][heroku-tags]       | CNB Run Image          | Ubuntu 22.04 | AMD64                   | `heroku`       |  Available      |
+| [heroku/heroku:22-cnb-build][heroku-tags] | CNB Build Image        | Ubuntu 22.04 | AMD64                   | `heroku`       |  Available      |
+| [heroku/heroku:24][heroku-tags]           | Heroku/CNB Run Image   | Ubuntu 24.04 | AMD64 + ARM64           | `heroku`       |  In Development |
+| [heroku/heroku:24-build][heroku-tags]     | Heroku/CNB Build Image | Ubuntu 24.04 | AMD64 + ARM64           | `heroku`       |  In Development |
+
+The build image variants use the run images as their base, but include additional packages needed
+at build time such as development headers and compilation toolchains.
+
+The CNB image variants contain additional metadata and changes required to make them compatible with
+Heroku's Cloud Native Buildpacks [builder images](https://github.com/heroku/cnb-builder-images).
+
+For images where the default `USER` is `heroku`, you will need to switch back to the `root` user when
+modifying locations other then `/home/heroku` and `/tmp`. You can do this by adding `USER root` to
+your `Dockerfile` when building images, or by passing `--user root` to any `docker run` invocations.
 
 ### Learn more
 
diff --git a/bin/build.sh b/bin/build.sh
index bad62847..c16fbcd7 100755
--- a/bin/build.sh
+++ b/bin/build.sh
@@ -108,7 +108,11 @@ write_package_list() {
 		output_file="${dockerfile_dir}/installed-packages-${arch}.txt"
 		display "Generating package list: ${output_file}"
 		echo "# List of packages present in the final image. Regenerate using bin/build.sh" > "$output_file"
-		docker run --rm --platform="linux/${arch}" "$image_tag" dpkg-query --show --showformat='${Package}\n' >> "$output_file"
+		# We include the package status in the output so we can differentiate between fully installed
+		# packages, and those that have been removed but not purged (either because we forgot to purge,
+		# or because we intentionally left config files behind, such as for `ca-certificates-java`).
+		docker run --rm --platform="linux/${arch}" "$image_tag" dpkg-query --show --showformat='${Package} (package status: ${db:Status-Status})\n' \
+			| sed -e 's/ (package status: installed)//' >> "$output_file"
 	done
 }
 
@@ -121,21 +125,21 @@ display "Building ${RUN_DOCKERFILE_DIR} / ${RUN_IMAGE_TAG} image"
 # from upstream ubuntu images are included.
 docker "${DOCKER_ARGS[@]}" --pull \
 	--tag "${RUN_IMAGE_TAG}" "${RUN_DOCKERFILE_DIR}" | indent
-	write_package_list "${RUN_IMAGE_TAG}" "${RUN_DOCKERFILE_DIR}"
-
-	for VARIANT in "${VARIANTS[@]}"; do
-		VARIANT_NAME=$(echo "$VARIANT" | cut -d ":" -f 1)
-		DEPENDENCY_NAME=$(echo "$VARIANT" | cut -d ":" -f 2)
-		VARIANT_IMAGE_TAG="${REPO}:${STACK_VERSION}${VARIANT_NAME}${PUBLISH_SUFFIX}"
-		VARIANT_DOCKERFILE_DIR="heroku-${STACK_VERSION}${VARIANT_NAME}"
-		DEPENDENCY_IMAGE_TAG="${REPO}:${STACK_VERSION}${DEPENDENCY_NAME}${PUBLISH_SUFFIX}"
-
-		[[ -d "${VARIANT_DOCKERFILE_DIR}" ]] || abort "fatal: directory ${VARIANT_DOCKERFILE_DIR} not found"
-		display "Building ${VARIANT_DOCKERFILE_DIR} / ${VARIANT_IMAGE_TAG} image"
-		# The --pull option is not used for variants since they depend on images
-		# built earlier in this script.
-		docker "${DOCKER_ARGS[@]}" --build-arg "BASE_IMAGE=${DEPENDENCY_IMAGE_TAG}" \
-			--tag "${VARIANT_IMAGE_TAG}" "${VARIANT_DOCKERFILE_DIR}" | indent
+write_package_list "${RUN_IMAGE_TAG}" "${RUN_DOCKERFILE_DIR}"
+
+for VARIANT in "${VARIANTS[@]}"; do
+	VARIANT_NAME=$(echo "$VARIANT" | cut -d ":" -f 1)
+	DEPENDENCY_NAME=$(echo "$VARIANT" | cut -d ":" -f 2)
+	VARIANT_IMAGE_TAG="${REPO}:${STACK_VERSION}${VARIANT_NAME}${PUBLISH_SUFFIX}"
+	VARIANT_DOCKERFILE_DIR="heroku-${STACK_VERSION}${VARIANT_NAME}"
+	DEPENDENCY_IMAGE_TAG="${REPO}:${STACK_VERSION}${DEPENDENCY_NAME}${PUBLISH_SUFFIX}"
+
+	[[ -d "${VARIANT_DOCKERFILE_DIR}" ]] || abort "fatal: directory ${VARIANT_DOCKERFILE_DIR} not found"
+	display "Building ${VARIANT_DOCKERFILE_DIR} / ${VARIANT_IMAGE_TAG} image"
+	# The --pull option is not used for variants since they depend on images
+	# built earlier in this script.
+	docker "${DOCKER_ARGS[@]}" --build-arg "BASE_IMAGE=${DEPENDENCY_IMAGE_TAG}" \
+		--tag "${VARIANT_IMAGE_TAG}" "${VARIANT_DOCKERFILE_DIR}" | indent
 
 	# generate the package list for non-cnb variants. cnb variants don't
 	# influence the list of installed packages.
diff --git a/heroku-20-build/installed-packages.txt b/heroku-20-build/installed-packages.txt
index 6f822e56..48d4360e 100644
--- a/heroku-20-build/installed-packages.txt
+++ b/heroku-20-build/installed-packages.txt
@@ -23,7 +23,7 @@ build-essential
 bzip2
 bzr
 ca-certificates
-ca-certificates-java
+ca-certificates-java (package status: config-files)
 clang-10
 cmake
 cmake-data
@@ -127,6 +127,7 @@ libbsd-dev
 libbsd0
 libbz2-1.0
 libbz2-dev
+libc-ares2
 libc-bin
 libc-client2007e
 libc-client2007e-dev
@@ -542,6 +543,7 @@ mlock
 mount
 mtools
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
diff --git a/heroku-20-build/setup.sh b/heroku-20-build/setup.sh
index 6d865919..24dbc156 100755
--- a/heroku-20-build/setup.sh
+++ b/heroku-20-build/setup.sh
@@ -13,7 +13,6 @@ packages=(
   cmake
   gettext
   git
-  jq
   libacl1-dev
   libapt-pkg-dev
   libargon2-dev
diff --git a/heroku-20/installed-packages.txt b/heroku-20/installed-packages.txt
index 5597a58e..c9901886 100644
--- a/heroku-20/installed-packages.txt
+++ b/heroku-20/installed-packages.txt
@@ -15,7 +15,7 @@ binutils-x86-64-linux-gnu
 bsdutils
 bzip2
 ca-certificates
-ca-certificates-java
+ca-certificates-java (package status: config-files)
 coreutils
 cpp
 cpp-9
@@ -69,6 +69,7 @@ imagemagick-6.q16
 init-system-helpers
 iproute2
 iputils-tracepath
+jq
 language-pack-en
 language-pack-en-base
 less
@@ -93,6 +94,7 @@ libblkid1
 libbrotli1
 libbsd0
 libbz2-1.0
+libc-ares2
 libc-bin
 libc-client2007e
 libc-dev-bin
@@ -186,6 +188,7 @@ libjbig0
 libjbig2dec0
 libjpeg-turbo8
 libjpeg8
+libjq1
 libjson-c4
 libk5crypto3
 libkeyutils1
@@ -339,6 +342,7 @@ mlock
 mount
 mtools
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh
index 41244045..cdfd1240 100755
--- a/heroku-20/setup.sh
+++ b/heroku-20/setup.sh
@@ -51,11 +51,13 @@ packages=(
   imagemagick
   iproute2
   iputils-tracepath
+  jq # Used by Heroku Exec at run time, and buildpacks at build time.
   language-pack-en
   less
   libaom0
   libargon2-1
   libass9
+  libc-ares2 # Used by PgBouncer in heroku-buildpack-pgbouncer.
   libc-client2007e
   libc6-dev
   libcairo2
@@ -130,6 +132,7 @@ packages=(
   locales
   lsb-release
   make
+  nano # More usable than ed but still much smaller than vim.
   netcat-openbsd
   openssh-client
   openssh-server
@@ -160,16 +163,21 @@ apt-get install -y --no-install-recommends "${packages[@]}"
 
 cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml
 
-# Temporarily install ca-certificates-java to generate the certificates store used
-# by Java apps. Generation occurs in a post-install script which requires a JRE.
-# We're using OpenJDK 8 rather than something newer, to work around:
-# https://github.com/heroku/base-images/pull/103#issuecomment-389544431
+# Install ca-certificates-java so that the JVM buildpacks can configure Java apps to use the Java certs
+# store in the base image instead of the one that ships in each JRE release, allowing certs to be updated
+# via base image updates. Generation of the `cacerts` file occurs in a post-install script which requires
+# a JRE, however, we don't want a JRE in the final image so remove it afterwards.
 apt-get install -y --no-install-recommends ca-certificates-java openjdk-8-jre-headless
-# Using remove rather than purge so that the generated certs are left behind.
+# For Ubuntu versions prior to 24.04 the ca-certificates-java package has a direct dependency on a JRE, so
+# we can't remove the JRE without also removing ca-certificates-java. However, we can work around this by
+# not using `--purge` when removing ca-certificates-java, which leaves behind the generated certs store.
 apt-get remove -y ca-certificates-java
-apt-get purge -y openjdk-8-jre-headless
-apt-get autoremove -y --purge
-test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
+apt-get remove -y --purge --auto-remove openjdk-8-jre-headless
+# Check that the certs store (a) wasn't purged during removal of ca-certificates-java, (b) uses the JKS
+# format not PKCS12, since in the past there was an upstream regression for this:
+# https://github.com/heroku/base-images/pull/103#issuecomment-389544431
+# https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363
+test "$(file --brief /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
 
 rm -rf /root/*
 rm -rf /tmp/*
diff --git a/heroku-22-build/installed-packages.txt b/heroku-22-build/installed-packages.txt
index d22af05b..87f9d681 100644
--- a/heroku-22-build/installed-packages.txt
+++ b/heroku-22-build/installed-packages.txt
@@ -22,7 +22,7 @@ build-essential
 bzip2
 bzr
 ca-certificates
-ca-certificates-java
+ca-certificates-java (package status: config-files)
 cmake
 cmake-data
 comerr-dev
@@ -127,6 +127,7 @@ libbsd-dev
 libbsd0
 libbz2-1.0
 libbz2-dev
+libc-ares2
 libc-bin
 libc-client2007e
 libc-client2007e-dev
@@ -541,6 +542,7 @@ mlock
 mount
 mtools
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
diff --git a/heroku-22-build/setup.sh b/heroku-22-build/setup.sh
index a95dba27..1a367c34 100755
--- a/heroku-22-build/setup.sh
+++ b/heroku-22-build/setup.sh
@@ -13,7 +13,6 @@ packages=(
   cmake
   gettext
   git
-  jq
   libacl1-dev
   libapt-pkg-dev
   libargon2-dev
diff --git a/heroku-22/installed-packages.txt b/heroku-22/installed-packages.txt
index d2fe333c..476af34f 100644
--- a/heroku-22/installed-packages.txt
+++ b/heroku-22/installed-packages.txt
@@ -15,7 +15,7 @@ binutils-x86-64-linux-gnu
 bsdutils
 bzip2
 ca-certificates
-ca-certificates-java
+ca-certificates-java (package status: config-files)
 coreutils
 cpp
 cpp-11
@@ -68,6 +68,7 @@ imagemagick-6.q16
 init-system-helpers
 iproute2
 iputils-tracepath
+jq
 language-pack-en
 language-pack-en-base
 less
@@ -93,6 +94,7 @@ libbpf0
 libbrotli1
 libbsd0
 libbz2-1.0
+libc-ares2
 libc-bin
 libc-client2007e
 libc-dev-bin
@@ -187,6 +189,7 @@ libjbig0
 libjbig2dec0
 libjpeg-turbo8
 libjpeg8
+libjq1
 libjson-c5
 libk5crypto3
 libkeyutils1
@@ -344,6 +347,7 @@ mlock
 mount
 mtools
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh
index 1708fb45..3f84891e 100755
--- a/heroku-22/setup.sh
+++ b/heroku-22/setup.sh
@@ -51,11 +51,13 @@ packages=(
   imagemagick
   iproute2
   iputils-tracepath
+  jq # Used by Heroku Exec at run time, and buildpacks at build time.
   language-pack-en
   less
   libaom3
   libargon2-1
   libass9
+  libc-ares2 # Used by PgBouncer in heroku-buildpack-pgbouncer.
   libc-client2007e
   libc6-dev
   libcairo2
@@ -133,6 +135,7 @@ packages=(
   locales
   lsb-release
   make
+  nano # More usable than ed but still much smaller than vim.
   netcat-openbsd
   openssh-client
   openssh-server
@@ -162,16 +165,21 @@ apt-get install -y --no-install-recommends "${packages[@]}"
 
 cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml
 
-# Temporarily install ca-certificates-java to generate the certificates store used
-# by Java apps. Generation occurs in a post-install script which requires a JRE.
-# We're using OpenJDK 8 rather than something newer, to work around:
-# https://github.com/heroku/base-images/pull/103#issuecomment-389544431
+# Install ca-certificates-java so that the JVM buildpacks can configure Java apps to use the Java certs
+# store in the base image instead of the one that ships in each JRE release, allowing certs to be updated
+# via base image updates. Generation of the `cacerts` file occurs in a post-install script which requires
+# a JRE, however, we don't want a JRE in the final image so remove it afterwards.
 apt-get install -y --no-install-recommends ca-certificates-java openjdk-8-jre-headless
-# Using remove rather than purge so that the generated certs are left behind.
+# For Ubuntu versions prior to 24.04 the ca-certificates-java package has a direct dependency on a JRE, so
+# we can't remove the JRE without also removing ca-certificates-java. However, we can work around this by
+# not using `--purge` when removing ca-certificates-java, which leaves behind the generated certs store.
 apt-get remove -y ca-certificates-java
-apt-get purge -y openjdk-8-jre-headless
-apt-get autoremove -y --purge
-test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
+apt-get remove -y --purge --auto-remove openjdk-8-jre-headless
+# Check that the certs store (a) wasn't purged during removal of ca-certificates-java, (b) uses the JKS
+# format not PKCS12, since in the past there was an upstream regression for this:
+# https://github.com/heroku/base-images/pull/103#issuecomment-389544431
+# https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363
+test "$(file --brief /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
 
 rm -rf /root/*
 rm -rf /tmp/*
diff --git a/heroku-24-build/installed-packages-amd64.txt b/heroku-24-build/installed-packages-amd64.txt
index c4575fe3..bea18d99 100644
--- a/heroku-24-build/installed-packages-amd64.txt
+++ b/heroku-24-build/installed-packages-amd64.txt
@@ -1,7 +1,6 @@
 # List of packages present in the final image. Regenerate using bin/build.sh
 adduser
 apt
-apt-utils
 autoconf
 automake
 autotools-dev
@@ -37,7 +36,6 @@ dirmngr
 dpkg
 dpkg-dev
 e2fsprogs
-ed
 file
 findutils
 fontconfig
@@ -54,8 +52,6 @@ gcc-13-base
 gcc-13-x86-64-linux-gnu
 gcc-14-base
 gcc-x86-64-linux-gnu
-geoip-bin
-geoip-database
 gettext
 gettext-base
 gir1.2-freedesktop
@@ -95,11 +91,9 @@ keyboxd
 krb5-multidev
 less
 libacl1
-libacl1-dev
 libaec0
 libaom-dev
 libaom3
-libapt-pkg-dev
 libapt-pkg6.0t64
 libarchive13t64
 libargon2-1
@@ -109,9 +103,7 @@ libass9
 libassuan0
 libatomic1
 libattr1
-libattr1-dev
 libaudit-common
-libaudit-dev
 libaudit1
 libbinutils
 libblkid-dev
@@ -125,7 +117,6 @@ libbz2-1.0
 libbz2-dev
 libc-bin
 libc-client2007e
-libc-client2007e-dev
 libc-dev-bin
 libc6
 libc6-dev
@@ -133,11 +124,10 @@ libcairo-gobject2
 libcairo-script-interpreter2
 libcairo2
 libcairo2-dev
-libcap-dev
-libcap-ng-dev
 libcap-ng0
 libcap2
 libcap2-bin
+libcares2
 libcbor0.10
 libcc1-0
 libcfitsio10t64
@@ -153,8 +143,6 @@ libcurl4t64
 libdatrie1
 libdav1d-dev
 libdav1d7
-libdb-dev
-libdb5.3-dev
 libdb5.3t64
 libde265-0
 libde265-dev
@@ -193,7 +181,6 @@ libfribidi0
 libgcc-13-dev
 libgcc-s1
 libgcrypt20
-libgcrypt20-dev
 libgd-dev
 libgd3
 libgdbm-compat4t64
@@ -201,12 +188,8 @@ libgdbm-dev
 libgdbm6t64
 libgdk-pixbuf-2.0-0
 libgdk-pixbuf-2.0-dev
-libgdk-pixbuf-xlib-2.0-0
-libgdk-pixbuf2.0-0
 libgdk-pixbuf2.0-bin
 libgdk-pixbuf2.0-common
-libgeoip-dev
-libgeoip1t64
 libgirepository-1.0-1
 libgirepository-1.0-dev
 libgirepository-2.0-0
@@ -224,7 +207,6 @@ libgnutls-openssl27t64
 libgnutls28-dev
 libgnutls30t64
 libgomp1
-libgpg-error-dev
 libgpg-error0
 libgprofng0
 libgraphite2-3
@@ -248,7 +230,6 @@ libice6
 libicu-dev
 libicu74
 libidn-dev
-libidn11-dev
 libidn12
 libidn2-0
 libidn2-dev
@@ -273,10 +254,7 @@ libk5crypto3
 libkadm5clnt-mit12
 libkadm5srv-mit12
 libkdb5-10t64
-libkeyutils-dev
 libkeyutils1
-libkmod-dev
-libkmod2
 libkrb5-3
 libkrb5-dev
 libkrb5support0
@@ -285,7 +263,6 @@ liblcms2-2
 liblcms2-dev
 libldap-dev
 libldap2
-libldap2-dev
 liblerc-dev
 liblerc4
 liblmdb0
@@ -315,8 +292,6 @@ libmagickwand-6.q16-dev
 libmagickwand-dev
 libmatio11
 libmaxminddb0
-libmcrypt-dev
-libmcrypt4
 libmd-dev
 libmd0
 libmemcached-dev
@@ -330,10 +305,8 @@ libmpc3
 libmpfr6
 libmysqlclient-dev
 libmysqlclient21
-libncurses-dev
 libncurses6
 libncursesw6
-libnetpbm11t64
 libnettle8t64
 libnghttp2-14
 libnpth0t64
@@ -357,7 +330,6 @@ libpam-modules
 libpam-modules-bin
 libpam-runtime
 libpam0g
-libpam0g-dev
 libpango-1.0-0
 libpangocairo-1.0-0
 libpangoft2-1.0-0
@@ -374,7 +346,6 @@ libpng-dev
 libpng16-16t64
 libpoppler-glib8t64
 libpoppler134
-libpopt-dev
 libpopt0
 libpq-dev
 libpq5
@@ -388,7 +359,6 @@ libquadmath0
 librabbitmq-dev
 librabbitmq4
 libraw23t64
-libreadline-dev
 libreadline8t64
 librhash0
 librsvg2-2
@@ -400,12 +370,10 @@ libsasl2-2
 libsasl2-dev
 libsasl2-modules
 libsasl2-modules-db
-libseccomp-dev
 libseccomp2
 libselinux1
 libselinux1-dev
 libsemanage-common
-libsemanage-dev
 libsemanage2
 libsepol-dev
 libsepol2
@@ -427,7 +395,6 @@ libssl3t64
 libstdc++-13-dev
 libstdc++6
 libsvtav1enc1d1
-libsystemd-dev
 libsystemd0
 libsz2
 libtasn1-6
@@ -444,7 +411,6 @@ libtirpc3t64
 libtool
 libtsan2
 libubsan1
-libudev-dev
 libudev1
 libunbound8
 libunibreak5
@@ -517,6 +483,7 @@ media-types
 mlock
 mount
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
@@ -550,7 +517,6 @@ python3-setuptools
 python3.12
 python3.12-minimal
 readline-common
-rename
 rpcsvc-proto
 rsync
 sed
diff --git a/heroku-24-build/installed-packages-arm64.txt b/heroku-24-build/installed-packages-arm64.txt
index 37ae339d..760bd492 100644
--- a/heroku-24-build/installed-packages-arm64.txt
+++ b/heroku-24-build/installed-packages-arm64.txt
@@ -1,7 +1,6 @@
 # List of packages present in the final image. Regenerate using bin/build.sh
 adduser
 apt
-apt-utils
 autoconf
 automake
 autotools-dev
@@ -37,7 +36,6 @@ dirmngr
 dpkg
 dpkg-dev
 e2fsprogs
-ed
 file
 findutils
 fontconfig
@@ -54,8 +52,6 @@ gcc-13-aarch64-linux-gnu
 gcc-13-base
 gcc-14-base
 gcc-aarch64-linux-gnu
-geoip-bin
-geoip-database
 gettext
 gettext-base
 gir1.2-freedesktop
@@ -91,11 +87,9 @@ keyboxd
 krb5-multidev
 less
 libacl1
-libacl1-dev
 libaec0
 libaom-dev
 libaom3
-libapt-pkg-dev
 libapt-pkg6.0t64
 libarchive13t64
 libargon2-1
@@ -105,9 +99,7 @@ libass9
 libassuan0
 libatomic1
 libattr1
-libattr1-dev
 libaudit-common
-libaudit-dev
 libaudit1
 libbinutils
 libblkid-dev
@@ -121,7 +113,6 @@ libbz2-1.0
 libbz2-dev
 libc-bin
 libc-client2007e
-libc-client2007e-dev
 libc-dev-bin
 libc6
 libc6-dev
@@ -129,11 +120,10 @@ libcairo-gobject2
 libcairo-script-interpreter2
 libcairo2
 libcairo2-dev
-libcap-dev
-libcap-ng-dev
 libcap-ng0
 libcap2
 libcap2-bin
+libcares2
 libcbor0.10
 libcc1-0
 libcfitsio10t64
@@ -149,8 +139,6 @@ libcurl4t64
 libdatrie1
 libdav1d-dev
 libdav1d7
-libdb-dev
-libdb5.3-dev
 libdb5.3t64
 libde265-0
 libde265-dev
@@ -189,7 +177,6 @@ libfribidi0
 libgcc-13-dev
 libgcc-s1
 libgcrypt20
-libgcrypt20-dev
 libgd-dev
 libgd3
 libgdbm-compat4t64
@@ -197,12 +184,8 @@ libgdbm-dev
 libgdbm6t64
 libgdk-pixbuf-2.0-0
 libgdk-pixbuf-2.0-dev
-libgdk-pixbuf-xlib-2.0-0
-libgdk-pixbuf2.0-0
 libgdk-pixbuf2.0-bin
 libgdk-pixbuf2.0-common
-libgeoip-dev
-libgeoip1t64
 libgirepository-2.0-0
 libglib2.0-0t64
 libglib2.0-bin
@@ -217,7 +200,6 @@ libgnutls-openssl27t64
 libgnutls28-dev
 libgnutls30t64
 libgomp1
-libgpg-error-dev
 libgpg-error0
 libgprofng0
 libgraphite2-3
@@ -241,7 +223,6 @@ libice6
 libicu-dev
 libicu74
 libidn-dev
-libidn11-dev
 libidn12
 libidn2-0
 libidn2-dev
@@ -266,10 +247,7 @@ libk5crypto3
 libkadm5clnt-mit12
 libkadm5srv-mit12
 libkdb5-10t64
-libkeyutils-dev
 libkeyutils1
-libkmod-dev
-libkmod2
 libkrb5-3
 libkrb5-dev
 libkrb5support0
@@ -278,7 +256,6 @@ liblcms2-2
 liblcms2-dev
 libldap-dev
 libldap2
-libldap2-dev
 liblerc-dev
 liblerc4
 liblmdb0
@@ -308,8 +285,6 @@ libmagickwand-6.q16-dev
 libmagickwand-dev
 libmatio11
 libmaxminddb0
-libmcrypt-dev
-libmcrypt4
 libmd-dev
 libmd0
 libmemcached-dev
@@ -323,10 +298,8 @@ libmpc3
 libmpfr6
 libmysqlclient-dev
 libmysqlclient21
-libncurses-dev
 libncurses6
 libncursesw6
-libnetpbm11t64
 libnettle8t64
 libnghttp2-14
 libnpth0t64
@@ -350,7 +323,6 @@ libpam-modules
 libpam-modules-bin
 libpam-runtime
 libpam0g
-libpam0g-dev
 libpango-1.0-0
 libpangocairo-1.0-0
 libpangoft2-1.0-0
@@ -367,7 +339,6 @@ libpng-dev
 libpng16-16t64
 libpoppler-glib8t64
 libpoppler134
-libpopt-dev
 libpopt0
 libpq-dev
 libpq5
@@ -380,7 +351,6 @@ libpython3.12-stdlib
 librabbitmq-dev
 librabbitmq4
 libraw23t64
-libreadline-dev
 libreadline8t64
 librhash0
 librsvg2-2
@@ -392,12 +362,10 @@ libsasl2-2
 libsasl2-dev
 libsasl2-modules
 libsasl2-modules-db
-libseccomp-dev
 libseccomp2
 libselinux1
 libselinux1-dev
 libsemanage-common
-libsemanage-dev
 libsemanage2
 libsepol-dev
 libsepol2
@@ -419,7 +387,6 @@ libssl3t64
 libstdc++-13-dev
 libstdc++6
 libsvtav1enc1d1
-libsystemd-dev
 libsystemd0
 libsz2
 libtasn1-6
@@ -436,7 +403,6 @@ libtirpc3t64
 libtool
 libtsan2
 libubsan1
-libudev-dev
 libudev1
 libunbound8
 libunibreak5
@@ -509,6 +475,7 @@ media-types
 mlock
 mount
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
@@ -537,7 +504,6 @@ python3-packaging
 python3.12
 python3.12-minimal
 readline-common
-rename
 rpcsvc-proto
 rsync
 sed
diff --git a/heroku-24-build/setup.sh b/heroku-24-build/setup.sh
index 4f6fb8f7..6dee8b50 100755
--- a/heroku-24-build/setup.sh
+++ b/heroku-24-build/setup.sh
@@ -8,67 +8,41 @@ packages=(
   autoconf
   automake
   bison
-  # Includes gcc, g++, make, patch, libc6-dev etc.
-  build-essential
+  build-essential # Includes gcc, g++, make, patch, libc6-dev etc.
   cmake
-  gettext
+  gettext # Internationalization utils used by Django, Rails etc.
   git
-  jq
-  libacl1-dev
-  libapt-pkg-dev
   libargon2-dev
-  libattr1-dev
-  libaudit-dev
   libbsd-dev
   libbz2-dev
-  libc-client2007e-dev
   libcairo2-dev
-  libcap-dev
   libcurl4-openssl-dev
-  libdb-dev
   libev-dev
   libevent-dev
   libexif-dev
   libffi-dev
-  libgcrypt20-dev
   libgd-dev
   libgdbm-dev
-  libgeoip-dev
-  libglib2.0-dev
   libgnutls28-dev
   libheif-dev
   libicu-dev
-  libidn11-dev
+  libidn-dev
   libjpeg-dev
-  libkeyutils-dev
-  libkmod-dev
   libkrb5-dev
-  libldap2-dev
+  libldap-dev
   liblz4-dev
   liblzf-dev
   libmagic-dev
   libmagickwand-dev
-  libmcrypt-dev
   libmemcached-dev
   libmysqlclient-dev
-  libncurses5-dev
-  libncursesw5-dev
-  libnetpbm10-dev
   libonig-dev
-  libpam0g-dev
-  libpopt-dev
   libpq-dev
   librabbitmq-dev
-  libreadline-dev
   librtmp-dev
-  libseccomp-dev
-  libselinux1-dev
-  libsemanage-dev
   libsodium-dev
   libssl-dev
-  libsystemd-dev
   libtool
-  libudev-dev
   libuv1-dev
   libwrap0-dev
   libxml2-dev
@@ -77,9 +51,7 @@ packages=(
   libzip-dev
   libzstd-dev
   patchelf
-  # Python is often needed during the build for non-Python apps, which aren't using the
-  # Python buildpack. e.g. Node.js packages that use node-gyp require Python during install.
-  python3
+  python3 # Often needed during the building of non-Python apps. e.g. For Node.js packages that use node-gyp.
   zlib1g-dev
 )
 
diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt
index 7563cc96..adfccd57 100644
--- a/heroku-24/installed-packages-amd64.txt
+++ b/heroku-24/installed-packages-amd64.txt
@@ -1,13 +1,15 @@
 # List of packages present in the final image. Regenerate using bin/build.sh
 adduser
 apt
-apt-utils
 base-files
 base-passwd
 bash
 bind9-dnsutils
 bind9-host
 bind9-libs
+binutils
+binutils-common
+binutils-x86-64-linux-gnu
 bsdutils
 bzip2
 ca-certificates
@@ -21,7 +23,6 @@ diffutils
 dirmngr
 dpkg
 e2fsprogs
-ed
 file
 findutils
 fontconfig
@@ -29,7 +30,6 @@ fontconfig-config
 fonts-dejavu-core
 fonts-dejavu-mono
 gcc-14-base
-geoip-database
 gettext-base
 gir1.2-freedesktop
 gir1.2-glib-2.0
@@ -52,6 +52,7 @@ inetutils-telnet
 init-system-helpers
 iproute2
 iputils-tracepath
+jq
 keyboxd
 less
 libacl1
@@ -65,6 +66,7 @@ libassuan0
 libattr1
 libaudit-common
 libaudit1
+libbinutils
 libblkid1
 libbpf1
 libbrotli1
@@ -78,11 +80,14 @@ libcairo2
 libcap-ng0
 libcap2
 libcap2-bin
+libcares2
 libcbor0.10
 libcfitsio10t64
 libcgif0
 libcom-err2
 libcrypt1
+libctf-nobfd0
+libctf0
 libcurl3t64-gnutls
 libcurl4t64
 libdatrie1
@@ -116,8 +121,6 @@ libgd3
 libgdbm-compat4t64
 libgdbm6t64
 libgdk-pixbuf-2.0-0
-libgdk-pixbuf-xlib-2.0-0
-libgdk-pixbuf2.0-0
 libgdk-pixbuf2.0-common
 libglib2.0-0t64
 libgmp10
@@ -125,6 +128,7 @@ libgnutls-openssl27t64
 libgnutls30t64
 libgomp1
 libgpg-error0
+libgprofng0
 libgraphite2-3
 libgssapi-krb5-2
 libharfbuzz-gobject0
@@ -141,9 +145,11 @@ libicu74
 libidn2-0
 libimagequant0
 libimath-3-1-29t64
+libjansson4
 libjbig0
 libjpeg-turbo8
 libjpeg8
+libjq1
 libjson-c5
 libjxl0.7
 libk5crypto3
@@ -167,13 +173,13 @@ libmagickcore-6.q16-7t64
 libmagickwand-6.q16-7t64
 libmatio11
 libmaxminddb0
-libmcrypt4
 libmd0
 libmemcached11t64
 libmnl0
 libmount1
 libmp3lame0
 libmysqlclient21
+libncurses6
 libncursesw6
 libnettle8t64
 libnghttp2-14
@@ -221,6 +227,7 @@ libselinux1
 libsemanage-common
 libsemanage2
 libsepol2
+libsframe1
 libsharpyuv0
 libsmartcols1
 libsodium23
@@ -284,6 +291,7 @@ mawk
 mlock
 mount
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
@@ -303,7 +311,6 @@ postgresql-client-16
 postgresql-client-common
 procps
 readline-common
-rename
 rsync
 sed
 sensible-utils
diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt
index 7563cc96..59d32249 100644
--- a/heroku-24/installed-packages-arm64.txt
+++ b/heroku-24/installed-packages-arm64.txt
@@ -1,13 +1,15 @@
 # List of packages present in the final image. Regenerate using bin/build.sh
 adduser
 apt
-apt-utils
 base-files
 base-passwd
 bash
 bind9-dnsutils
 bind9-host
 bind9-libs
+binutils
+binutils-aarch64-linux-gnu
+binutils-common
 bsdutils
 bzip2
 ca-certificates
@@ -21,7 +23,6 @@ diffutils
 dirmngr
 dpkg
 e2fsprogs
-ed
 file
 findutils
 fontconfig
@@ -29,7 +30,6 @@ fontconfig-config
 fonts-dejavu-core
 fonts-dejavu-mono
 gcc-14-base
-geoip-database
 gettext-base
 gir1.2-freedesktop
 gir1.2-glib-2.0
@@ -52,6 +52,7 @@ inetutils-telnet
 init-system-helpers
 iproute2
 iputils-tracepath
+jq
 keyboxd
 less
 libacl1
@@ -65,6 +66,7 @@ libassuan0
 libattr1
 libaudit-common
 libaudit1
+libbinutils
 libblkid1
 libbpf1
 libbrotli1
@@ -78,11 +80,14 @@ libcairo2
 libcap-ng0
 libcap2
 libcap2-bin
+libcares2
 libcbor0.10
 libcfitsio10t64
 libcgif0
 libcom-err2
 libcrypt1
+libctf-nobfd0
+libctf0
 libcurl3t64-gnutls
 libcurl4t64
 libdatrie1
@@ -116,8 +121,6 @@ libgd3
 libgdbm-compat4t64
 libgdbm6t64
 libgdk-pixbuf-2.0-0
-libgdk-pixbuf-xlib-2.0-0
-libgdk-pixbuf2.0-0
 libgdk-pixbuf2.0-common
 libglib2.0-0t64
 libgmp10
@@ -125,6 +128,7 @@ libgnutls-openssl27t64
 libgnutls30t64
 libgomp1
 libgpg-error0
+libgprofng0
 libgraphite2-3
 libgssapi-krb5-2
 libharfbuzz-gobject0
@@ -141,9 +145,11 @@ libicu74
 libidn2-0
 libimagequant0
 libimath-3-1-29t64
+libjansson4
 libjbig0
 libjpeg-turbo8
 libjpeg8
+libjq1
 libjson-c5
 libjxl0.7
 libk5crypto3
@@ -167,13 +173,13 @@ libmagickcore-6.q16-7t64
 libmagickwand-6.q16-7t64
 libmatio11
 libmaxminddb0
-libmcrypt4
 libmd0
 libmemcached11t64
 libmnl0
 libmount1
 libmp3lame0
 libmysqlclient21
+libncurses6
 libncursesw6
 libnettle8t64
 libnghttp2-14
@@ -221,6 +227,7 @@ libselinux1
 libsemanage-common
 libsemanage2
 libsepol2
+libsframe1
 libsharpyuv0
 libsmartcols1
 libsodium23
@@ -284,6 +291,7 @@ mawk
 mlock
 mount
 mysql-common
+nano
 ncurses-base
 ncurses-bin
 netbase
@@ -303,7 +311,6 @@ postgresql-client-16
 postgresql-client-common
 procps
 readline-common
-rename
 rsync
 sed
 sensible-utils
diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh
index 9c0e6306..0d0f7db8 100755
--- a/heroku-24/setup.sh
+++ b/heroku-24/setup.sh
@@ -4,37 +4,17 @@ set -euxo pipefail
 
 export DEBIAN_FRONTEND=noninteractive
 
-# This is the default `ubuntu.sources` from both the AMD64 and ARM64 images
-# combined, with `noble-backports`, `restricted` and `multiverse` removed.
-cat >/etc/apt/sources.list.d/ubuntu.sources <<EOF
-Types: deb
-URIs: http://archive.ubuntu.com/ubuntu/
-Suites: noble noble-updates
-Components: main universe
-Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
-Architectures: amd64
-
-Types: deb
-URIs: http://security.ubuntu.com/ubuntu/
-Suites: noble-security
-Components: main universe
-Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
-Architectures: amd64
-
-Types: deb
-URIs: http://ports.ubuntu.com/ubuntu-ports/
-Suites: noble noble-updates
-Components: main universe
-Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
-Architectures: arm64
-
-Types: deb
-URIs: http://ports.ubuntu.com/ubuntu-ports/
-Suites: noble-security
-Components: main universe restricted multiverse
-Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
-Architectures: arm64
-EOF
+# Disable APT repositories that contain packages with potentially problematic licenses.
+# We edit the existing file rather than using our own static file contents, since the repository
+# URIs vary across architectures, so we would otherwise have to hardcode multiple file variants.
+# There are multiple repository configuration lines in the file, all of form:
+# `Components: main universe restricted multiverse`
+# See: https://manpages.ubuntu.com/manpages/noble/en/man5/sources.list.5.html
+for repository_to_disable in multiverse restricted; do
+  # sed doesn't support lookbehind so we instead have to match against the line prefix too
+  # and then preserve it using `\1` in the replacement.
+  sed --in-place --regexp-extended "s/(Components:.*) ${repository_to_disable}/\1/g" /etc/apt/sources.list.d/ubuntu.sources
+done
 
 apt-get update --error-on=any
 
@@ -58,109 +38,73 @@ apt-get update --error-on=any
 apt-get upgrade -y --no-install-recommends
 
 packages=(
-  apt-utils
-  # For dig, host and nslookup.
-  bind9-dnsutils
+  bind9-dnsutils # For `dig`, `host` and `nslookup`.
+  binutils # Python's `ctypes.util.find_library` requires `ld` to find libraries specified via `LD_LIBRARY_PATH`.
   bzip2
-  coreutils
   curl
-  ed
   file
-  fontconfig
-  geoip-database
-  gettext-base
-  gir1.2-harfbuzz-0.0
+  gettext-base # For `envsubst`.
+  gir1.2-harfbuzz-0.0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
   gnupg
   imagemagick
   inetutils-telnet
-  iproute2
+  iproute2 # For `ip`, used by Heroku Exec.
   iputils-tracepath
+  jq # Used by Heroku Exec at run time, and buildpacks at build time.
   less
-  libaom3
-  libargon2-1
-  libass9
-  libc-client2007e
-  libcairo2
-  libcurl4
-  libdatrie1
-  libdav1d7
+  libargon2-1 # Used by the PHP runtime.
+  libass9 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libc-client2007e # Used by the PHP IMAP extension.
+  libcares2 # Used by PgBouncer in heroku-buildpack-pgbouncer.
+  libdav1d7 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
   libev4
-  libevent-2.1-7
-  libevent-core-2.1-7
-  libevent-extra-2.1-7
-  libevent-openssl-2.1-7
+  libevent-2.1-7 # Used by PgBouncer in heroku-buildpack-pgbouncer.
+  libevent-core-2.1-7 # Used by the PHP Event extension.
+  libevent-extra-2.1-7 # Used by the PHP Event extension.
+  libevent-openssl-2.1-7 # Used by the PHP Event extension.
   libevent-pthreads-2.1-7
-  libexif12
-  libfreetype6
-  libfribidi0
   libgd3
-  libgdk-pixbuf2.0-0
-  libgdk-pixbuf2.0-common
+  libgdk-pixbuf-2.0-0
   libgnutls-openssl27
-  libgnutls30
-  libgraphite2-3
-  libgraphite2-3
-  libharfbuzz-gobject0
-  libharfbuzz-icu0
-  libharfbuzz0b
-  libheif1
-  liblzf1
-  libmagickcore-6.q16-7-extra
-  libmcrypt4
-  libmemcached11
-  libmp3lame0
+  libgnutls30 # Used by the Ruby and PHP runtimes.
+  libharfbuzz-icu0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  liblzf1 # Used by the PHP Redis extension.
+  libmagickcore-6.q16-7-extra # Used by the PHP Imagick extension (using the `-extra` package for SVG support).
+  libmemcached11 # Used by the PHP Memcached extension.
+  libmp3lame0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
   libmysqlclient21
-  libnuma1
-  libogg0
-  libonig5
-  libopencore-amrnb0
-  libopencore-amrwb0
-  libopus0
-  libpango-1.0-0
-  libpangocairo-1.0-0
-  libpangoft2-1.0-0
-  libpixman-1-0
-  librabbitmq4
-  librsvg2-2
+  libncurses6 # Used by the Ruby runtime.
+  libonig5 # Used by the PHP runtime.
+  libopencore-amrnb0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libopencore-amrwb0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libopus0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  librabbitmq4 # Used by the PHP AMQP extension.
   librsvg2-common
-  libsasl2-modules
-  libseccomp2
-  libsodium23
-  libspeex1
-  libsvtav1enc1d1
-  libthai-data
-  libthai0
-  libtheora0
-  libunistring5
+  libsasl2-modules # Used by the Ruby and PHP runtimes.
+  libsodium23 # Used by the PHP runtime.
+  libspeex1 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libsvtav1enc1d1 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libtheora0 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
   libuv1
-  libvips42
-  libvorbis0a
-  libvorbisenc2
-  libvorbisfile3
-  libvpx9
-  libwebp7
-  libwebpdemux2
-  libwebpmux3
-  libx264-164
-  libx265-199
-  libxcb-render0
-  libxcb-shm0
-  libxrender1
-  libxslt1.1
-  libyaml-0-2
-  libzip4
-  libzstd1
+  libvips42 # Used by the ruby-vips gem / Rails Active Storage Previews.
+  libvorbisenc2 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libvorbisfile3 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libvpx9 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libx264-164 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libx265-199 # Used by FFmpeg in heroku-buildpack-activestorage-preview.
+  libxslt1.1 # Used by the PHP runtime.
+  libyaml-0-2 # Used by the Ruby runtime.
+  libzip4 # Used by the PHP runtime.
   locales
   lsb-release
+  nano # More usable than ed but still much smaller than vim.
   netcat-openbsd
-  openssh-client
-  openssh-server
+  openssh-client # Used by Heroku Exec.
+  openssh-server # Used by Heroku Exec.
   patch
-  poppler-utils
-  postgresql-client-16
-  rename
+  poppler-utils # For Rails Active Storage Previews PDF support.
+  postgresql-client-16 # We need `psql` (and not just libpq) for Shield DB workflows (where connections are only possible from the dyno).
   rsync
-  shared-mime-info
   socat
   tar
   tzdata
@@ -168,26 +112,27 @@ packages=(
   wget
   xz-utils
   zip
-  zlib1g
   zstd
 )
 
 apt-get install -y --no-install-recommends "${packages[@]}"
 
-# Generate locale data for "en_US", which is not available by default. Ubuntu
-# ships only with "C" and "POSIX" locales.
+# Generate locale data for "en_US.UTF-8" too, since the upstream Ubuntu image
+# only ships with the "C", "C.utf8" and "POSIX" locales:
+# https://github.com/docker-library/docs/blob/master/ubuntu/README.md#locales
 locale-gen en_US.UTF-8
 
-# Temporarily install ca-certificates-java to generate the certificates store used
-# by Java apps. Generation occurs in a post-install script which requires a JRE.
-# We're using OpenJDK 8 rather than something newer, to work around:
-# https://github.com/heroku/stack-images/pull/103#issuecomment-389544431
-apt-get install -y --no-install-recommends ca-certificates-java openjdk-8-jre-headless
-# Using remove rather than purge so that the generated certs are left behind.
-apt-get remove -y ca-certificates-java
-apt-get purge -y openjdk-8-jre-headless
-apt-get autoremove -y --purge
-test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
+# Install ca-certificates-java so that the JVM buildpacks can configure Java apps to use the Java certs
+# store in the base image instead of the one that ships in each JRE release, allowing certs to be updated
+# via base image updates. Generation of the `cacerts` file occurs in a post-install script which only runs
+# if a JRE is installed, however, we don't want a JRE in the final image so remove it afterwards.
+apt-get install -y --no-install-recommends ca-certificates-java default-jre-headless
+apt-get remove -y --purge --auto-remove default-jre-headless
+# Check that the certs store (a) still exists after the removal of default-jre-headless, (b) uses the JKS
+# format not PKCS12, since in the past there was an upstream regression for this:
+# https://github.com/heroku/base-images/pull/103#issuecomment-389544431
+# https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1771363
+test "$(file --brief /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
 
 # Ubuntu 24.04 ships with a default user and group named 'ubuntu' (with user+group ID of 1000)
 # that we have to remove before creating our own (`userdel` will remove the group too).