Arch Linux ships a repro-tagged Docker image with bit-for-bit reproducibility; pacman keys are stripped, requiring manual keyring init before packages can be installed.
Key Takeaways
The repro tag image has pacman keys removed; run pacman-key --init && pacman-key --populate archlinux in a RUN step or as a Distrobox pre-init hook before using pacman.
Reproducibility is verified via digest equality using podman inspect and layer-level diffing with the diffoci tool.
Three sources of non-determinism were eliminated by pinning SOURCE_DATE_EPOCH, deleting the ldconfig aux-cache file, and normalizing timestamps with --rewrite-timestamp during the image build.
The image reuses the same rootFS build system as the Arch WSL image; Docker-specific adjustments on top are minimal.
The author is considering a public rebuilder that periodically re-verifies the latest image and publishes its build logs.
Hacker News Comment Review
Strong consensus that reproducible images are a low-drama win with an asymmetric payoff: commenters cited a real incident where a 3-byte timestamp delta between supposedly identical images caused an hours-long bisect from the wrong direction.
The stripped-pacman-keys caveat was flagged as the canonical hard problem in reproducible builds broadly, not just Arch; commenters expect it to pressure other distros toward certification-grade conformance.
Minor terminology pushback: the image runs fine under Podman, so “Docker image” is technically imprecise; “OCI image” is the more accurate framing.
Notable Comments
@dev_l1x_be: frames this as table stakes, arguing apt-get update inside a docker build step is an anti-pattern all base images should have eliminated already.
@nickjj: describes a concrete usage pattern: the Arch Docker image is used to test dotfiles against a clean filesystem and to run end-to-end desktop-environment setup tests inside a VM.