Arch Linux ships a repro-tagged Docker image that rebuilds bit-for-bit; the pacman keyring is left uninitialised (generating the local master key is non-deterministic), so keyring initialisation must be done by hand before any package install.
Key Takeaways
The repro tag is a separate image from the standard one; run pacman-key --init && pacman-key --populate archlinux as the first step (for example the first RUN of a derived Dockerfile) before invoking pacman.
Distrobox users can automate keyring init via --pre-init-hooks flag on distrobox create.
Reproducibility required three concrete fixes: pinning SOURCE_DATE_EPOCH for the whole build, deleting the ldconfig aux-cache (/var/cache/ldconfig/aux-cache, which embeds per-build metadata), and clamping file and layer timestamps to that epoch with the --rewrite-timestamp build flag.
Two independent builds are verified equal by comparing podman inspect --format '{{.Digest}}' output; when the digests differ, the diffoci tool is used to locate the difference layer by layer.
The Docker image reuses the same rootFS build system as the earlier reproducible WSL image milestone; author plans a public rebuilder to periodically re-verify the latest tag.
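The keyring-init step and the build-twice-and-compare check above, as one added shell example (not from the Arch Linux post or its build tooling). It assumes the image is reachable as archlinux:repro (the page only names a "repro tag"), that podman/buildah are recent enough to accept --rewrite-timestamp and honour SOURCE_DATE_EPOCH, that diffoci is installed and understands podman:// references, and a hypothetical package set (vim) for the derived image.

```shell
#!/bin/sh
# Added example, not the Arch project's code. Builds a derived image from the
# repro-tagged base twice under one pinned epoch and checks that the digests agree.
set -eu

IMAGE="${IMAGE:-docker.io/archlinux:repro}"      # assumed tag name
TAG="${TAG:-localhost/arch-repro-test}"
# Pin the epoch once; image, layer and file timestamps all derive from it.
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1700000000}"

# The keyring init the repro image needs before pacman runs. Kept in one place so the
# Dockerfile RUN step and the distrobox pre-init hook cannot drift apart.
keyring_init_cmd() {
    printf '%s' 'pacman-key --init && pacman-key --populate archlinux'
}

# Write a Dockerfile to $1. The package install (vim is a placeholder) removes the
# ldconfig aux-cache that a fresh ldconfig run re-creates, for the same reason the
# base image drops it. Note: installing from live mirrors is only repeatable against
# a fixed mirror snapshot; pin one before expecting matching digests over time.
render_dockerfile() {
    {
        printf 'FROM %s\n' "$IMAGE"
        printf 'RUN %s\n' "$(keyring_init_cmd)"
        cat <<'EOF'
RUN pacman -Syu --noconfirm --needed vim && \
    rm -f /var/cache/ldconfig/aux-cache && \
    rm -rf /var/cache/pacman/pkg/*
EOF
    } > "$1"
}

# Two digests match only when both are non-empty and equal; an empty digest (failed
# inspect) must never count as reproducible.
digests_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

image_digest() {
    podman inspect --format '{{.Digest}}' "$1"
}

# --no-cache matters: a cached second build would reuse the first build's layers and
# prove nothing. --rewrite-timestamp clamps file mtimes in the produced layers.
build_once() {
    podman build --no-cache --rewrite-timestamp -t "$1" "$2" >/dev/null
}

verify_repro() {
    ctx=$(mktemp -d)
    render_dockerfile "$ctx/Dockerfile"
    build_once "$TAG:a" "$ctx"
    build_once "$TAG:b" "$ctx"
    a=$(image_digest "$TAG:a")
    b=$(image_digest "$TAG:b")
    if digests_match "$a" "$b"; then
        echo "reproducible: $a"
    else
        echo "digest mismatch: $a vs $b; layer-level diff follows" >&2
        diffoci diff --semantic "podman://$TAG:a" "podman://$TAG:b"   # assumes podman:// support
        return 1
    fi
}

case "${1:-}" in
    verify)    verify_repro ;;
    distrobox) distrobox create --image "$IMAGE" --name arch-repro \
                   --pre-init-hooks "$(keyring_init_cmd)" ;;
    *)         : ;;   # no subcommand: only define the functions above
esac
```

Run as `sh repro-check.sh verify` to build and compare, or `sh repro-check.sh distrobox` to create a distrobox container whose keyring is initialised by the pre-init hook before the first package install. A matching digest means manifest and layers are identical; diffoci is only consulted when they are not, to show where the first divergence sits.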
Hacker News Comment Review
Consensus is that reproducible images are a low-drama win until they aren’t: one commenter traced a production incident to a three-byte timestamp delta between two “identical” images, taking an afternoon to bisect.
Commenters frame apt-get update in a Dockerfile RUN step as the canonical anti-pattern this work opposes, since it pulls whatever the mirror serves at build time; reproducible base images shift that responsibility upstream, where it belongs.
Arch is seen as a likely forcing function for other distros: package manager key handling is the last hard subproblem, and solving it publicly creates a reference implementation others can follow.
Notable Comments
@aa-jv: confirms package manager key admin is the same final blocker in firmware reproducible builds; calls Arch’s solution a potential template for certification and safety-critical Linux use.
@fragmede: frames the achievement against compiler history – “it took 5 decades of development for compilers to get here” – underscoring why bit-for-bit Docker reproducibility is non-trivial.