Arch Linux now offers a bit-for-bit reproducible Docker image, expanding its reproducible-builds initiative to containers following a similar achievement with its WSL image. The new image is available under a separate repro tag and does not replace the standard Arch Linux container image.
For readers unfamiliar with the term, a reproducible image can be rebuilt from the same source to produce an identical, byte-for-byte result. For Arch, this ensures repeated builds yield the same image digest. The project verifies this using diffoci, a tool for comparing OCI container images.
In short, it’s all about security. Reproducibility allows users to verify that a published container image matches its source and build process, which enhances supply-chain transparency. Independent rebuilds that produce identical results reduce the risk of hidden differences.
However, the current implementation has a key limitation. To maintain reproducibility, Arch removes the pacman keys, so pacman is not immediately usable. Users must manually regenerate the keyring by running pacman-key --init && pacman-key --populate archlinux before updating or installing packages. Arch considers the separate repro tag a first milestone as it seeks a better solution.
According to the announcement, key Docker-specific changes included setting SOURCE_DATE_EPOCH, applying it to the OCI image creation label, removing the ldconfig auxiliary cache file to eliminate non-determinism, and normalizing timestamps during Docker and Podman builds.
For more details, see the announcement.
