Produce a distroless-based Docker image

[sandhose]

This minimises the docker image by using a distroless-based runtime image.

This means:

• Runtime native dependencies must be installed in another stage
• The Python interpreter we'd like must also be manually installed, as the distroless python image is frozen on py3.11 and doesn't seem to move regularly

To do both, we add a new stage that runs on the build platform arch (rather than the target platform) which sets up those environments for both x86-64 and aarch64.

For the former, we download the debs using apt-get download, and manually unarchive them.

For the latter, we use uv python to download Python distributions from the indygreg/python-build-standalone project.

---

I then looked how I could further improve build speeds, especially when cross-compiling:

• Because this was using uv anyway, I figured I could swap pip install calls with uv pip install, which saves a few minutes by itself
• I then looked at what packages were not using binary wheels: I upgraded MarkupSafe to have binaries for py3.12, and got back to Python 3.12 because hiredis didn't have builds for py3.13 with the version we were using
• The generation of the requirements.txt is arch-agnostic, so I've switched this one to run on the build architecture, so that both arch can share it
• We were using -slim images, but still installed a bunch of -dev dependencies. Turns
  out, all the dev dependencies were already installed in the non-slim image, which saves a bunch of time as well

[sandhose]

Superseded by #18038 and #18039