Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image(antiz.fr)

97 pointsby maxloh10 hours ago6 comments

nickjj11 minutes ago
It is nice to have this confidence.
I ran Arch Linux for almost a year in WSL 2, it was really good.
Then I ran Arch natively for ~5 months, it's really good.
Now I still run Arch natively, but I also use the Arch Docker image to test my dotfiles[0] with a fresh file system.
Also, for when I want to run end to end tests for my dotfiles that set up a complete desktop environment I run Arch in a VM.
I have 99 problems but running Arch isn't one of them.
[0]: https://github.com/nickjj/dotfiles
dev_l1x_be4 hours ago
All docker containers should have been like that. apt-get update in a docker build step is an anti pattern.
- bluGillan hour ago
  You are screwed either way. If you don't update your container has a ton of known security issues, if you do the container is not reproducable. reproducable is neat with some useful security benefits, but it is something a non goal if the container is more than a month old - day might even be a better max age.
  - dev_l1x_be36 minutes ago
    I update my docker containers regularly but doing it in a reproducible, auditable, predictable way
    tom133711 minutes ago
    Could you explain how you achieve this?
- DuncanCoffee4 hours ago
  I know it's an anti-pattern, but what is the alternative if you need to install some software? Pulling its tagged source code, gcc and compile everything?
  - Filligree31 minutes ago
    Run “nix flake update”. Commit the lockfile. Build a docker image from that; the software you need is almost certainly there, and there’s a handy docker helper.
    klodolph3 minutes ago
    Recently I’ve been noticing that Nix software has been falling behind. So “the software you need is almost certainly there” is less true these days. Recently = April 2026.
  - kandrosan hour ago
    Copying from another image is an under appreciated feature
    FROM ubuntu:24.04
    COPY --from=ghcr.io/owner/image:latest /usr/local/bin/somebinary /usr/local/bin/somebinary
    CMD ["somebinary"]
    Not as simple when you need shared dependencies
  - bennofs2 hours ago
    Both Debian and Ubuntu provide snapshot mirrors where you can specify a date to get the package lists as they looked at that time.
    bluGillan hour ago
    Which is only useful for historical invesigation - the old snapshot has security holes attackers know how to exploit.
  - liveoneggsan hour ago
    pretend you don't do it and add your extra software to the layer above
  - dev_l1x_be34 minutes ago
    base image
    software component image
    both should be version pinned for auditing
  - rowanG0773 hours ago
    With a binary cache that is not so bad, see for example what nix does.
    Pay083 hours ago
    I don't really see how that's different from a normal binary install of a reproducible package. Especially with the lacking quality of a lot of Nix packages.
    bandramian hour ago
    If you're in a situation where you want reproducibility you're using nix to build your own packages anyways, not relying on their packages
    rowanG0773 hours ago
    It's not if you can pin the package. It gives you reproducable docker containers without having to rebuild the world. Wasn't that the entire question?
- bandramian hour ago
  This has been a solved problem for over two decades now with Nix but people can't be asked
  - dev_l1x_be35 minutes ago
    It has been solved even without Nix for a long time, just laziness is probably why we are not doing it
- malikolivier3 hours ago
  This is to solve such issues that I am using and running StableBuild.
  It is a managed service that keeps a cached copy of your dependencies at a specific time. You can pin your dependencies within a Dockerfile and have reproducible docker images.
  - schonfinkel2 hours ago
    I don't wanna be that guy but...
    NIX FIXES THIS.
    dijit2 hours ago
    So does Bazel. :p
kippinsula4 hours ago
reproducible images are one of those features where the payoff is mostly emotional until the day it isn't. we had an incident where two supposedly identical images on two machines had a three byte delta in a timestamp and it cost us an afternoon to bisect from the wrong end. boring win, but a real one.
- loloquwowndueoan hour ago
  How did a differing timestamp cause an incident in the first place? Curious.
  - bluGillan hour ago
    My guess is it was the only obvious evidence of an attack.
azangru2 hours ago
A totally unrelated comment; but — there is an animation on that page that moves practically everything on the page about 20 pixels down over the course of 1 second.
I thought that would completely trash the Cumulative Layout Shift core web vital. Because, hey! the layout is shifting in front of my very eyes. But no, the CLS on the page is 0.
Is CLS a misleading metric then?
- chrisweeklyan hour ago
  It's happening as a result of a deliberate animation. The CLS metric relates to initial render. So yes, there is layout shift, but it's not CLS per se.
- epolanskian hour ago
  The layout isn't shifting, so it's not a layout shift.
  And it's not unexpected, because it comes from a css transition.
  - azangru39 minutes ago
    Sure.
    It's just that the spirit of Google's core web vitals has been to measure the properties of a web page that have the most impact on users. How quickly content appears on a page, how visually stable the content is, and how long it takes the page to respond to an interaction.
    In the case of this page, I don't think it can be considered visually stable at all in the first second after it's loaded.
    And yet, core web vitals cannot demonstrate this.
aa-jv4 hours ago
This is a really interesting accomplishment - I am also working heavily on reproducible builds for my firmware projects, and .. lo and behold .. the package manager key administrivia is the final bone to be broken.
I wonder if Arch leading the way on this will prompt other distro's to attempt the same feat. Reproducible builds are important for certification, security and safety-critical applications .. it'd be great to see Linux distros become more conformant to this method.
- Pay083 hours ago
  Debian already has an ongoing project for this: https://wiki.debian.org/ReproducibleBuilds.
fragmede4 hours ago
and they said compilers are deterministic...
This is a huge accomplishment! But it wouldn't be so huge if compilers were trivially deterministic. It took 5 decades of development for compilers to get here. I'm sure ChatGPT in 2073 is going to be more deterministic than it was in 2023.