
You can avoid that unpredictability if you don't use the latest tag, or, better, create images or start containers from SHA256 digests. Those are guaranteed to be immutable.

I.e. instead of:

docker run --rm debian:trixie

You'd do

docker run --rm debian:trixie@sha256:0ee9224bb31d3622e84d15260cf759bf37f08d652cc0411ca7b1f785f87ac19c

The only disadvantage of the digest approach is that you would need to manually resolve the digest that's correct for your processor arch. Using bare tags like "debian:trixie" can resolve to manifest lists (if so configured) that have Docker automatically find the right digest for your arch.



What if the environment needs more packages installed via apt, do you save those hashes somewhere, too?


Debian & Ubuntu provide daily snapshots of their repositories, see snapshot.debian.org and https://ubuntu.com/blog/ubuntu-snapshots-on-azure-ensuring-p...

See e.g. https://github.com/reproducible-containers/repro-sources-lis... for how to use them.

Also, at least for Debian there are official images available that use snapshot.debian.org as package repository from the get-go – unfortunately those images are not published on a daily basis yet.

It seems the overall topic of reproducibility is on the Docker team's to do list, though, see https://github.com/docker-library/official-images/issues/160...
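An added example, not part of the thread, of what pointing a Debian image at snapshot.debian.org means in practice: rewrite the image's apt sources so that deb.debian.org / security.debian.org URIs become `https://snapshot.debian.org/archive/<archive>/<YYYYMMDDTHHMMSSZ>/` and add `check-valid-until=no`, since a frozen snapshot's Release file will eventually be past its Valid-Until date and apt would otherwise refuse it. Both the one-line sources.list format and the deb822 `debian.sources` format newer images ship are handled. The mirror-to-archive mapping, the sample sources and the function names are assumptions of this example, not anything from the linked projects.

```python
import re

SNAPSHOT_BASE = "https://snapshot.debian.org/archive"
TS_RE = re.compile(r"^\d{8}T\d{6}Z$")  # snapshot timestamp, e.g. 20240601T000000Z

# Mirrors this example knows how to map to a snapshot archive name
# (assumption for the example; extend for other mirrors you use).
MIRROR_RE = re.compile(
    r"https?://(?:deb\.debian\.org|security\.debian\.org)/(debian-security|debian)/?"
)
ONE_LINE_RE = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(.*)$")


def snapshot_uri(uri: str, ts: str) -> str:
    """Map a known mirror URI to its snapshot.debian.org equivalent at ts."""
    if not TS_RE.match(ts):
        raise ValueError(f"timestamp must look like 20240601T000000Z, got {ts!r}")
    m = MIRROR_RE.fullmatch(uri.strip())
    if m is None:
        raise ValueError(f"don't know how to snapshot {uri!r}")
    return f"{SNAPSHOT_BASE}/{m.group(1)}/{ts}/"


def rewrite_one_line(line: str, ts: str) -> str:
    """Rewrite one 'deb ...' line; comments and blank lines pass through."""
    m = ONE_LINE_RE.match(line)
    if m is None:
        return line
    kind, opts, uri, rest = m.groups()
    options = (opts or "").strip().strip("[]").split()
    # Snapshots are frozen, so their Release files go stale: tell apt not to
    # enforce Valid-Until for this source (only if the user hasn't set it).
    if not any(o.lower().startswith("check-valid-until=") for o in options):
        options.append("check-valid-until=no")
    return f"{kind} [{' '.join(options)}] {snapshot_uri(uri, ts)} {rest}"


def rewrite_deb822(text: str, ts: str) -> str:
    """Rewrite deb822-style stanzas (Types:/URIs:/Suites:/Components:)."""
    out = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        lines = stanza.splitlines()
        has_cvu = any(l.lower().startswith("check-valid-until:") for l in lines)
        new = []
        for l in lines:
            if l.lower().startswith("uris:"):
                uris = [snapshot_uri(u, ts) for u in l.split(":", 1)[1].split()]
                new.append("URIs: " + " ".join(uris))
                if not has_cvu:
                    new.append("Check-Valid-Until: no")
                    has_cvu = True
            else:
                new.append(l)
        out.append("\n".join(new))
    return "\n\n".join(out) + "\n"


def rewrite_sources(text: str, ts: str) -> str:
    """Detect the sources format and pin every known mirror to the snapshot."""
    if any(l.lower().startswith("types:") for l in text.splitlines()):
        return rewrite_deb822(text, ts)
    return "\n".join(rewrite_one_line(l, ts) for l in text.splitlines()) + "\n"


# Constructed samples resembling /etc/apt/sources.list and
# /etc/apt/sources.list.d/debian.sources in a Debian image.
SAMPLE_ONE_LINE = (
    "deb http://deb.debian.org/debian trixie main\n"
    "# security updates\n"
    "deb http://deb.debian.org/debian-security trixie-security main\n"
)
SAMPLE_DEB822 = (
    "Types: deb\n"
    "URIs: http://deb.debian.org/debian\n"
    "Suites: trixie trixie-updates\n"
    "Components: main\n"
    "Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg\n"
)

if __name__ == "__main__":
    print(rewrite_sources(SAMPLE_ONE_LINE, "20240601T000000Z"))
    print(rewrite_sources(SAMPLE_DEB822, "20240601T000000Z"))
```

The timestamp is the thing to record next to the base-image digest: base digest plus snapshot timestamp together determine which package versions `apt-get install` will resolve to, which is what the question about "saving those hashes somewhere" is really asking for.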


But if you read those links, you'll see that it's not quite there yet.

Docker in general can't solve reproducibility - it's the package manager within any container that does that.


> But if you read those links, you'll see that it's not quite there yet.

Anything you're referring to specifically? I think I made it pretty clear that Docker images based on package repo snapshots are not fully "there" yet.

> Docker in general can't solve reproducibility - it's the package manager within any container that does that.

No doubt, but right now the issue is that the package managers have done their part and the Docker images need to catch up.


Then you would create a Dockerfile that uses the digest SHA you want as a parent image, add your packages, build a new image from that Dockerfile with an updated tag, and push the image into the registry. A digest will be created for it once uploaded into its registry.

If you are not uploading images into registries (why?), you can use "docker save" to turn that image into a tarball and then checksum the tarball.


With nix, you wouldn't need to back up the images - you can start from source every time.



