Tomasz Torcz wrote:

> On Wed, Jul 10, 2024 at 10:09:49AM +0200, Didier Kryn wrote:
>> Le 08/07/2024 à 16:06, Steve Litt a écrit :
>> > Olaf Meeuwissen via Dng said on Mon, 08 Jul 2024 20:26:58 +0900
>> >
>> >
>> > > Rather that running apt-get upgrade (which is generally advised against
>> > > IIRC),
>> > I'm not knowledgeable with the apt system. What's wrong with apt-get
>> > upgrade?
>>
>>     I often run apt-get upgrade. I too would like to know why it isn't
>
> It makes container images non-reproductible. Each build could end up
> with different package versions. It breaks collaboration with others.
> On the other hand, if you are building containers on the same machine,
> apt-get invocation will be cached and not repeated. So if you build
> container again after few months and expect to have fresh upgrades
> applied, it won't work.

As much as I love reproducible environments, docker was not designed
or implemented with an eye toward reproducibility. If you do care
about reproducible builds and environments, I'd suggest looking into
a distro like GNU Guix (similar in several technical aspects to NixOS,
but doesn't use systemd like NixOS does) for a GNU/Linux distro and
accompanying tools where reproducibility is a first-class citizen.

Please see the links Tom posted in another part of this thread for
more on why you *should* do 'apt-get upgrade', most importantly to
install security upgrades for the packages you'll be building into
your docker image, rather than using potentially-vulnerable ones.