Paper on reproducible Docker images: "Docker Does Not Guarantee Reproducibility"
Ludovic Courtès
ludo at gnu.org
Sun Jan 25 20:44:59 UTC 2026
Hello,

kpcyrd <kpcyrd at archlinux.org> wrote:

> - https://arxiv.org/pdf/2601.12811
> - https://dl.acm.org/doi/10.1145/3736731.3746146

Great work to raise awareness on the opacity of images produced by
‘docker build’ and to debunk common misconceptions!

> For people reading along who are not super familiar with the topic,
> note there's a distinction between "Docker image" and "Dockerfile":
>
> - the Docker image is the compiled artifact
> - the Dockerfile is a file with build instructions

It’s the build process that goes from ‘Dockerfile’ to binary image
that’s not reproducible.

In the scientific community, people often argue that Docker is the tool
of choice for computation reproducibility (the ability to reproduce, and
thus verify, computational results).

The truth is: there is no way to verify that a Docker image (build
result) corresponds to its supposed source (‘Dockerfile’).

> The Docker image is what you get out of `docker build`, but since this
> is essentially just a tar file you could also use something like
> apko[0] to generate them.

Or ‘guix pack’, which provides “recursive reproducibility” (both the
image itself and everything it contains are reproducible, modulo bugs)
and can also save provenance information in the image itself so anyone
can reproduce it:

https://hpc.guix.info/blog/2021/10/when-docker-images-become-fixed-point/
https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-pack.html

Cheers,
Ludo’.
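
The message above treats an image as essentially a tar file that cannot be checked against its source. As an added illustration (not part of the original message, and not code from Docker, apko or Guix), the Python below packs the same files into a tar layer twice and shows that the digests only match, and a rebuild only verifies, once archive metadata is pinned. It assumes build-time mtimes and file ordering as the varying inputs, which the message does not name; file names, contents and timestamps are constructed.

```python
import hashlib
import io
import tarfile

# Constructed sample layer contents (path -> bytes); not from any real image.
FILES = {"app/run.sh": b"#!/bin/sh\necho hello\n", "app/data.txt": b"42\n"}

def pack(files, mtime=0, sort=False):
    """Pack files into an uncompressed tar layer.

    sort=False with a wall-clock mtime mimics an unnormalised build;
    sort=True with mtime=0 pins the metadata that otherwise varies.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in (sorted(files) if sort else files):
            info = tarfile.TarInfo(path)
            info.size = len(files[path])
            info.mtime = mtime
            info.uid = info.gid = 0          # fixed owner
            info.uname = info.gname = ""
            info.mode = 0o644                # fixed permissions
            tar.addfile(info, io.BytesIO(files[path]))
    return buf.getvalue()

def digest(blob):
    """Content address in the 'sha256:<hex>' form used for image layers."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def verify_rebuild(published, rebuilt):
    """A rebuild confirms a published layer only if both are bit-for-bit equal."""
    return digest(published) == digest(rebuilt)

def metadata_diff(a, b):
    """List (path, field, a_value, b_value) where the two layers' tar headers disagree."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(a)) as ta, tarfile.open(fileobj=io.BytesIO(b)) as tb:
        for ma, mb in zip(ta.getmembers(), tb.getmembers()):
            for field in ("name", "mtime", "uid", "gid", "mode", "size"):
                if getattr(ma, field) != getattr(mb, field):
                    out.append((ma.name, field, getattr(ma, field), getattr(mb, field)))
    return out

if __name__ == "__main__":
    first = pack(FILES, mtime=1700000000)    # constructed build times, 60 s apart
    second = pack(FILES, mtime=1700000060)
    print("unnormalised rebuild verifies:", verify_rebuild(first, second))
    print("differences:", metadata_diff(first, second))
    print("normalised rebuild verifies:", verify_rebuild(pack(FILES, sort=True), pack(FILES, sort=True)))
```
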
More information about the rb-general mailing list