1. 13

  2. 2

    Each package manager adds a layer of convenience. (…) But each layer here adds an element of required trust.

    This fact is something that all developers and devops people should be aware of. The lengths the author needed to go to in order to verify just the top layer of everything are astronomically expensive.

    1. 1

      Great read! (I read the entire thing! :O)

      Should we be worried/concerned that you cannot actually have reproducibility in docker build? I tried a few other OCI Image build tools (img for example) and they all suffer from the same problem.

      Part of me thinks this is something worth solving, but OTOH if you read some of the other related articles in this post you can see arguments against cryptographically reproducible builds…

      1. 3

        Nix’s support for building Docker images allows for reproducible images; here is a talk I gave on the issue: https://www.youtube.com/watch?v=pfIDYQ36X0k
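The question above about why `docker build` is not reproducible, and the reply that Nix can be, come down to what goes into a layer's digest. An OCI layer's `diff_id` is the SHA-256 of the uncompressed layer tar, and that tar carries mtimes, ownership and entry order, so two builds of byte-identical files still produce different digests unless that metadata is pinned. Nix's `dockerTools` does exactly that pinning (its default `created` timestamp is `1970-01-01T00:00:01Z`). The following is an added example, not code from the post or from Nix: it builds a layer tar twice from a constructed two-file root filesystem, once with the wall-clock mtime and once with metadata normalized, and shows the digests only agree in the second case. The file contents and paths are made up for the demonstration.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "rootfs" for the demo: path -> contents. Not a real image.
SAMPLE_FILES = {
    "app/bin/run.sh": b"#!/bin/sh\nexec /app/bin/server\n",
    "app/etc/config.json": b'{"listen": ":8080"}\n',
}

# The epoch+1s timestamp that nixpkgs dockerTools stamps on its layers by default.
NIX_EPOCH_MTIME = 1


def layer_tar(files, mtime, normalize=False):
    """Return uncompressed tar bytes for one layer built from `files`.

    OCI diff_ids are computed over the *uncompressed* tar, so these bytes are
    exactly what the layer digest depends on. With normalize=False the entries
    carry the build-time mtime (what `docker build` effectively does); with
    normalize=True all metadata is pinned to constant values.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):  # sorted: entry order must not depend on dict/fs order
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o755 if path.endswith(".sh") else 0o644
            if normalize:
                info.mtime = NIX_EPOCH_MTIME
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = int(mtime)  # wall clock leaks into the layer
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def diff_id(tar_bytes):
    """OCI-style layer digest: sha256 over the uncompressed tar."""
    return "sha256:" + hashlib.sha256(tar_bytes).hexdigest()


def build_twice(files, normalize):
    """Simulate two builds of identical inputs a minute apart; return both digests."""
    now = time.time()
    first = diff_id(layer_tar(files, now, normalize))
    second = diff_id(layer_tar(files, now + 61, normalize))
    return first, second


def is_reproducible(files, normalize):
    first, second = build_twice(files, normalize)
    return first == second


if __name__ == "__main__":
    for normalize in (False, True):
        a, b = build_twice(SAMPLE_FILES, normalize)
        label = "normalized" if normalize else "wall-clock mtime"
        print(f"{label:17} build 1: {a}")
        print(f"{label:17} build 2: {b}  {'MATCH' if a == b else 'DIFFER'}")
```

The same reasoning applies to the image config (the `created` field and per-layer `history` timestamps) and to compressed layer blobs, where the gzip header timestamp is another source of drift. Checking reproducibility in practice means building twice and comparing the image ID (`docker inspect --format '{{.Id}}'`), not the tag.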