Docker and the OCI container ecosystem

Posted Jul 26, 2022 21:24 UTC (Tue) by jordan (subscriber, #110573)
In reply to: Docker and the OCI container ecosystem by Cyberax
Parent article: Docker and the OCI container ecosystem

Sure, but using Debian snapshots would mean that you'd have to take all the updates in the snapshot that you moved to at once, and that you'd have to take updates in the order they were supplied upstream. Having a packrat mirror that holds on to all the versions gives you more flexibility in deciding what you want to update and when.

Docker and the OCI container ecosystem

Posted Jul 26, 2022 21:34 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

> Sure, but using Debian snapshots would mean that you'd have to take all the updates in the snapshot that you moved to at once

Yeah, but this is usually OK. It also makes it easier to audit dockerfiles to check if they cover all CVEs in the base Debian image.

We also have a script that checks if an image contains packages that are different between two snapshots, this helps to automate "empty" version bumps. Not perfect, but it helps.

We also tried Nix that gives strong reproducibility gurantees, but it wastes way too much time on rebuilding everything.