Description
I would like to add a “Rule 0” for “Writing Dockerfiles for Reproducible Artifacts”, and it is:
“Do not use docker”.
Docker makes it hard to be reproducible: the ecosystem (Docker Hub, tutorials…) is changing and hard to “burn on a DVD and put into a safe” (e.g. for escrow). Whatever starts with “apt update” cannot be reproducible by definition (it “depends on the internet”), and this is very common in Docker communities.
Even if all input data is reproducible, the Docker images still are not, because Docker has no way to omit or fix timestamps included in the built artifacts, so we can at most be “functionally reproducible”, which is hard to prove (reproducibility is easy to prove: just securely hash the input and the result; the same input hash must give the same result hash, and it is reproducible if and only if the hashes match).
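The hash-the-input-and-the-result check described above, as an added example that is not part of the original comment: a toy "build" packs constructed sample files into a tar archive (standing in for an image layer), and the check builds twice and compares SHA-256 digests. With wall-clock mtimes the two artifacts differ even though the inputs are identical; with a fixed timestamp (the `SOURCE_DATE_EPOCH` convention, assumed here) they match bit for bit.

```python
import hashlib
import io
import tarfile
import time
from typing import Dict, Optional

# Constructed sample build inputs (not from the original comment).
INPUTS: Dict[str, bytes] = {
    "app/main.py": b"print('hello')\n",
    "app/config.json": b'{"debug": false}\n',
}

def build_artifact(inputs: Dict[str, bytes], source_date_epoch: Optional[int] = None) -> bytes:
    """Pack inputs into an uncompressed tar (a stand-in for an image layer).

    With source_date_epoch=None every entry is stamped with the current
    clock, so two builds from identical inputs differ. With a fixed epoch
    the archive is bit-for-bit reproducible. (gzip would add a second
    timestamp in its own header; plain tar avoids that here.)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(inputs):  # deterministic entry order
            data = inputs[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(time.time()) if source_date_epoch is None else source_date_epoch
            info.uid = info.gid = 0          # normalise ownership metadata
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def input_digest(inputs: Dict[str, bytes]) -> str:
    """Digest of the inputs, independent of dict insertion order."""
    h = hashlib.sha256()
    for name in sorted(inputs):
        h.update(name.encode() + b"\0" + inputs[name] + b"\0")
    return h.hexdigest()

def is_reproducible(inputs: Dict[str, bytes], source_date_epoch: Optional[int] = None,
                    delay: float = 1.1) -> bool:
    """Build twice from the same inputs; reproducible iff result hashes match."""
    first = sha256_hex(build_artifact(inputs, source_date_epoch))
    time.sleep(delay)  # let the clock tick so a leaked timestamp shows up
    second = sha256_hex(build_artifact(inputs, source_date_epoch))
    return first == second
```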