Arch Linux ships a repro-tagged OCI/Docker image with verified bit-for-bit reproducibility; pacman keys are stripped, requiring manual keyring init before package use.
Key Takeaways
The repro tag is a new dedicated image; the existing default tag is unchanged for normal Dockerfile workflows.
Reproducibility required three concrete fixes: setting SOURCE_DATE_EPOCH, stripping the ldconfig aux-cache file, and normalizing all layer timestamps via --source-date-epoch and --rewrite-timestamp flags at build time.
Verified by digest equality across independent builds using podman inspect --format '{{.Digest}}' and layer-level comparison via diffoci.
Before running pacman, containers must execute pacman-key --init && pacman-key --populate archlinux; Distrobox users can pass this as a --pre-init-hooks argument.
Shares the same deterministic rootFS build pipeline as the Arch WSL reproducible image shipped a few months prior.
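Added illustration, not code from the Arch build pipeline or the article: a constructed Python model of why two of the fixes listed above (stripping the aux-cache, rewriting layer timestamps) are needed for digest equality. It hashes tar layer blobs the way an OCI layer digest is computed; the file paths, contents and timestamps are invented.

```python
"""Two builds of an identical root tree are packed as tar layer blobs and
hashed as an OCI layer digest is (sha256 over the uncompressed blob). gzip is
left out on purpose: its header carries its own timestamp, one more variable."""
import hashlib
import io
import tarfile

SOURCE_DATE_EPOCH = 1700000000  # constructed value, as --source-date-epoch would pin it
# Host-state files that must not reach the layer; the aux-cache is the one the page names.
STRIP_PATHS = {"var/cache/ldconfig/aux-cache"}


def root_tree(aux_cache_bytes):
    """Constructed rootfs: same package payload on both builds, plus an
    ldconfig aux-cache whose bytes depend on the build host."""
    return {
        "etc/pacman.conf": b"[options]\nHoldPkg = pacman glibc\n",
        "usr/lib/libfoo.so": b"\x7fELF constructed placeholder bytes",
        "var/cache/ldconfig/aux-cache": aux_cache_bytes,
    }


def build_layer(files, build_time, reproducible):
    """Pack {path: bytes} into a tar blob and return its sha256 digest.
    build_time stands in for the wall clock. reproducible=False keeps the
    real mtime and the cache file; reproducible=True drops the cache and
    rewrites mtime to SOURCE_DATE_EPOCH (the --rewrite-timestamp effect),
    so the blob then depends only on file contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(files):  # stable entry order is itself required
            if reproducible and path in STRIP_PATHS:
                continue
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH if reproducible else build_time
            info.uid = info.gid = 0  # ownership pinned, as a rootfs build does
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return "sha256:" + hashlib.sha256(buf.getvalue()).hexdigest()


def digests(reproducible):
    """Digests of two independent builds of the same tree, run 100 s apart
    with host-specific aux-cache contents; equal only when reproducible."""
    a = build_layer(root_tree(b"cache-from-host-A"), 1700000100, reproducible)
    b = build_layer(root_tree(b"cache-from-host-B"), 1700000200, reproducible)
    return a, b
```

The same check scaled up is what `podman inspect --format '{{.Digest}}'` on two independent builds gives you at the manifest level, with diffoci pointing at the offending layer when they disagree.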
Hacker News Comment Review
Consensus treats this as a “boring win” with real operational value: one commenter described an incident where a three-byte timestamp delta between two supposedly identical images triggered an afternoon of misdirected bisecting.
Several commenters pushed for “OCI image” as the correct framing since the image runs identically under podman, and pinning to the Docker brand undersells its portability.
A side thread debated whether pragmatic mutable distros like Arch and Alpine – where an install script can express anything – will outlast declarative NixOS-style configs in container workflows over the long run.
Notable Comments
@dev_l1x_be: frames apt-get update inside a docker build step as an anti-pattern, implying pinned reproducible base images are the architecturally correct default.
@bastawhiz: “The amount of time and effort that goes into a headline like this is unreal.”