Hacker News: DuncanCoffee's comments

I know it's an anti-pattern, but what is the alternative if you need to install some software? Pulling its tagged source code, gcc and compile everything?

Copying from another image is an underappreciated feature

    FROM ubuntu:24.04
    COPY --from=ghcr.io/owner/image:latest /usr/local/bin/somebinary /usr/local/bin/somebinary
    CMD ["somebinary"]

Not as simple when you need shared dependencies


Both Debian and Ubuntu provide snapshot mirrors where you can specify a date to get the package lists as they looked at that time.

Which is only useful for historical investigation - the old snapshot has security holes attackers know how to exploit.

> the old snapshot has security holes attackers know how to exploit.

So is running `docker build` when the `RUN apt update` line is a cache hit, except that the latter is silent.

The problem solved by pinning to the snapshot is not to magically be secure, it's knowing what a given image is made of so you can trivially assert which ones are safe and which ones aren't.

In both cases you have to rebuild an image anyway so updating the snapshot is just a step that makes it explicit in code instead of implicit.


Where does the apt update connect to? If it is an up-to-date package repo you get fixes. However, there are lots of reasons it would not. You'd better know if this is your plan.

You get fixes that were current at docker build time, but I think GP is referring to fixes that appear in the apt repo after your docker container is deployed.

If you've pulled in a dependency from outside the base image, there will be no new base image version to alert you to an update of that external dependency. Unless your container regularly runs something like apt update && apt list --upgradable, you will be unaware of security fixes newly available from apt.


Yeah that's yet another annoying thing to consider

Also I'm tired of doing these hacks:

    # increase to bust cache entry
    RUN true 42 && apt update
Pinning to a snapshot just makes so many things easier.

If anyone wants to know how, I wrote about it here: https://tuananh.net/2024/01/21/reproducibility/
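An added example, not code from any of the comments above: a Dockerfile that combines the digest-pinned `COPY --from` approach with a dated Debian snapshot, so the only way the package contents change is an explicit edit to `SNAPSHOT`, and the finished image records what went into it. The image names and digests are placeholders (assumptions), and the snapshot layout is the one served by snapshot.debian.org.

```dockerfile
# syntax=docker/dockerfile:1

# Base image pinned by digest, not by tag. The digest is a PLACEHOLDER (assumption):
# get the real one with `docker buildx imagetools inspect debian:bookworm`.
FROM debian:bookworm@sha256:0000000000000000000000000000000000000000000000000000000000000000

# Date of the Debian snapshot to build against. Bumping this ARG is the
# explicit, reviewable replacement for the `RUN true 42 && apt update` cache-bust hack.
ARG SNAPSHOT=20240121T000000Z

# Replace the live mirror with the dated snapshot. The snapshot's Release files
# are long expired, so validity checking is disabled for these sources only;
# apt's signature verification still applies.
RUN rm -f /etc/apt/sources.list.d/debian.sources \
 && printf 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/%s bookworm main\n' "$SNAPSHOT" \
      > /etc/apt/sources.list \
 && printf 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/%s bookworm-security main\n' "$SNAPSHOT" \
      >> /etc/apt/sources.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Prebuilt binary copied from another image, which is also pinned by digest
# (PLACEHOLDER image name and digest, assumption).
COPY --from=ghcr.io/owner/image@sha256:1111111111111111111111111111111111111111111111111111111111111111 \
     /usr/local/bin/somebinary /usr/local/bin/somebinary

# The "shared dependencies" caveat: fail the build if the copied binary links
# against libraries this base does not provide (install them from the snapshot above).
RUN if ldd /usr/local/bin/somebinary | grep -q 'not found'; then \
      echo 'somebinary has unresolved shared libraries' >&2; exit 1; \
    fi

# Record exactly which package versions went in, so the image can be audited
# later without rebuilding it.
RUN dpkg-query -W -f='${Package}=${Version}\n' | sort > /etc/image-manifest.txt

CMD ["somebinary"]
```

Rebuilding with the same `SNAPSHOT` and digests yields the same package set; a changed `SNAPSHOT` shows up in the diff of the Dockerfile and of `/etc/image-manifest.txt`.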

Run “nix flake update”. Commit the lockfile. Build a docker image from that; the software you need is almost certainly there, and there’s a handy docker helper.

Recently I’ve been noticing that Nix software has been falling behind. So “the software you need is almost certainly there” is less true these days. Recently = April 2026.

That's been an issue for years from my impression of the state of NixOS. There are other problems too, like a lot of open source packages doing straight binary downloads instead of actually building the software.

Are you referring to how the nixpkgs-unstable branch hasn't been updated in the past five days? Or do you have some specific software in mind? (not arguing, just curious)

It’s a variety of different software that just isn’t updated very often.

I don’t mind being somewhat behind, but it seems like there are a lot of packages that don’t get regular updates. It’s okay to have packages that aren’t updated, but those packages should be clearly distinguishable.


Oh, great, adding another dependency, and one that just had a serious security problem.

as if other sandboxing software is perfect

Nothing is perfect. (FreeBSD jails come close but still no.)


With a binary cache that is not so bad, see for example what nix does.

I don't really see how that's different from a normal binary install of a reproducible package. Especially with the lacking quality of a lot of Nix packages.

If you're in a situation where you want reproducibility you're using nix to build your own packages anyways, not relying on their packages

It's not if you can pin the package. It gives you reproducible docker containers without having to rebuild the world. Wasn't that the entire question?

Wasn't the question about modifying an existing image?

No, it was about putting apt update in docker file and it not being reproducible.

pretend you don't do it and add your extra software to the layer above

base image

software component image

both should be version pinned for auditing


I feel strongly about advertising. Long before streaming, my parents used to leave the ads on in between programs, and it always made me mad. I think my ADD comes into play, the idea of voluntarily watching them feels really strange.

I also wonder how the world would change if we made targeted advertising illegal. One can dream...


Last week I added to my dolphin toolbar the "Show Hidden Files" button so it was always shown; my only issue was that it was really long because of its text. "But wait!" I thought, "This is not Windows, I'm sure I can change it!". Lo and behold, my button now says "Hidden" and it's as short as I want it, just by editing the normal settings, no mods required.


I used the Minuum keyboard a long time ago and it was actually good, 1-2 cm of keyboard height. Sadly I think it's been discontinued long ago, but you can see a couple of screenshots here:

http://minuum.com/


Nice! Wish the supported rotation was bigger, maybe +- 90 instead of only 90 deg?


Maybe it was done this way so that they don't have to sort the tiles by depth?


Would it just be the opposite depth of the current sorting once you pass 180 degrees?


I installed stylish for Firefox and sometimes use some custom CSS to enlarge the body. I recently did it for chatgpt, on a 32" having the main content filling 1/4 of the display is ridiculous


Nice game, I'm going to sink some time on these! Got 86 points today

https://enclose.horse Day 8 PERFECT! 100%


Love it, I discovered it last week and bought a supporter pack after two days! Every time I get stuck I'm 100% sure you made a mistake... Until I find my own mistake


Thank you so much! Indeed, it's quite tempting to blame the game, but the algorithm that ensures all valid deductions are enabled hasn't been wrong a single time since it was finished in June. Often I don't believe it myself, but it always turns out to be smarter than me!


Yeah I sign my project APKs so people can install them from the action's artefact

  # The keystore is stored base64-encoded as a repository secret and written
  # to disk on the runner so the signing step can use it.
  - name: Retrieve keystore for apk signing
    env:
      KEYSTORE: ${{ secrets.KEYSTORE }}
    run: echo "$KEYSTORE" | base64 --decode > /home/runner/work/keystore.pfk


Exactly. This workflow step takes a rather important secret and sticks it on a VM where any insufficiently sandboxed step before or after it can exfiltrate it.

GitHub should instead let you store that key as a different type of secret such that a specific workflow step can sign with it. Then a compromised runner VM could possibly sign something that shouldn’t be signed but could not exfiltrate it.

Even better would be to be able to have a policy that the only thing that can be signed is something with a version that matches the immutable release that’s being built.


Because when you floss you create more particles


Doesn't rinsing your mouth out with water solve this?


Nowadays the advice is not to rinse so you don't rinse away the fluoride from the toothpaste.


I can’t imagine not rinsing after brushing, with your mouth full of toothpaste

