It's betting that Google are better package maintainers than Debian/CentOS/Ubuntu, especially when it comes to maintaining container images. From a purely technical, and financial, point of view, it's likely true.
Of course, they could have bolstered the distro teams. And the fact that the repositories are within GCR, not Docker, is just convenience.
It brings you closer into Google's warm, technototalitarian embrace, is what I mean.
They've been at it (looks like) since ~2014, and their goals and motivations seem 100% in line with google, but at the package/distro level, not the container-base-image level (highly related): https://tests.reproducible-builds.org/debian/unstable/amd64/...
Exactly! This work builds on top of the Debian team's work on reproducible package builds, providing a way to combine all of these packages into a reproducible container image.
This is difficult with Docker directly today because timestamps appear all over the place. We designed and built a custom set of bazel rules to make this possible.
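The timestamp problem described in the comment above, as an added example that is not part of the thread and is not the Bazel rules it mentions: the same files are packed into a tar layer twice, first with host-reported mtimes and then with metadata pinned and entries sorted. File names, contents and function names are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample layer contents (path -> bytes); not from the thread.
FILES = {"etc/app.conf": b"port=8080\n", "app/run.sh": b"#!/bin/sh\nexec app\n"}


def build_layer(files, mtimes, normalize=False):
    """Return the bytes of an uncompressed tar layer.

    mtimes maps path -> mtime, standing in for what the build host's
    filesystem reported. With normalize=True every field that varies
    between hosts or runs is pinned and entries are written in sorted order.
    Compression is left out: a gzip header carries its own mtime field.
    """
    buf = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    # USTAR avoids PAX extended headers, which can carry extra metadata.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o755 if name.endswith(".sh") else 0o644
            if normalize:
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = mtimes[name]
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def digest(layer):
    """Content digest in the form image manifests use for layers."""
    return "sha256:" + hashlib.sha256(layer).hexdigest()


def compare_builds():
    """Build identical content twice; report whether the digests match."""
    run1 = {n: 1_500_000_000 for n in FILES}   # first build
    run2 = {n: 1_500_000_001 for n in FILES}   # rebuild one second later
    reordered = dict(reversed(list(FILES.items())))  # different walk order
    naive = digest(build_layer(FILES, run1)) == digest(build_layer(FILES, run2))
    pinned = (digest(build_layer(FILES, run1, True))
              == digest(build_layer(reordered, run2, True)))
    return naive, pinned


if __name__ == "__main__":
    print(compare_builds())
```

A one-second difference in mtime is enough to change the layer digest, so two builds of identical content can only be compared by digest once the metadata is pinned.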
> goals and motivations seem 100% in line with google,
It's been a long time since I've believed in their idealism, yes, but I still think accusing Debian of being in the advertising and surveillance business is a bit harsh.
`This covers the Period January 1, 2017 – December 31, 2017`
`Gross Income -------- 635,311.59`
...and in that way, yes: google can afford more package maintainers, more scrutiny, but if they are "better package maintainers" it's at those margins and due to economics rather than ability or desire.
> My intent was to challenge your statement that google are better package maintainers than Debian, specifically w.r.t. reproducibility of builds.
Ah, I believe there's a misunderstanding coming from a misreading of my statement: what I wrote is that the _reason to upgrade_ would be the _belief_ that they are better, and that if you restrict yourself to _certain measures_, they probably can, by throwing more money at the problem. I hoped that the latter part of my comment probably makes it rather clear that Google wouldn't actually be better as far as I'm concerned. Even from a purely technical perspective, I'm fairly sure Debian is willing to support many architectures Google will ignore.