by ris 2657 days ago
> Linux and Docker! Yes, you’ll have the same deterministic and secure result

Nope, not at all. Dockerfiles are not deterministic. Most of the ways I see Dockerfiles written are highly non-deterministic. Docker also requires root access and to some degree exposes that root access to any user with Docker access on a host.

The "stacked filesystem" model also allows far less flexibility than Nix does when it comes to composing a system out of different components. The fundamental problem is the inability to combine features of Docker images with different bases. Compare this with OO languages lacking multiple inheritance.

However, in my eyes, the biggest sin of Docker is the conflation of the problem of software dependency management with isolation & security policy. The two are fundamentally different things, causing developers pain when doing local development and leading to security-slackening changes that make their way into production. NixOS does not make this mistake.

Last time I was running a project with NixOS, I was able to git bisect my entire application & software stack to locate the source of a regression (a package maintainer had changed the location of a file) - what can you do?
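The "Dockerfiles are not deterministic" point above is easy to check mechanically. The following is an added example, not code from the comment author or from the Docker or Nix projects: a small linter that flags the usual sources of build-time non-determinism (floating `FROM` tags, unpinned `apt-get`/`pip` installs, `curl | sh`, remote `ADD`) and then passes the same steps rewritten with every input pinned. Both Dockerfiles are constructed samples; the image digest, package versions and URLs are placeholders, and the heuristics are my own assumptions, not rules from either project.

```python
"""Flag Dockerfile constructs whose result depends on when and where you build.

Added example for illustration; the rules are assumptions, not Docker's or
Nix's own definitions of reproducibility.
"""
import re

# Constructed sample in the common, non-deterministic style.
UNPINNED_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl python3
RUN curl -sSL https://example.invalid/install.sh | sh
RUN pip3 install requests
ADD https://example.invalid/tool.tar.gz /opt/
"""

# Constructed sample with every input pinned. Digest and versions are
# placeholders (assumptions), not real values; files are vendored and COPYed.
PINNED_DOCKERFILE = """\
FROM ubuntu@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get install -y --no-install-recommends \\
    curl=8.5.0-2ubuntu10.1 python3=3.12.3-0ubuntu1
COPY install.sh /tmp/install.sh
RUN sh /tmp/install.sh
RUN pip3 install --require-hashes -r requirements.txt
COPY tool.tar.gz /opt/
"""

PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf = []
    if buf:
        yield start, " ".join(part.strip() for part in buf)


def _check_from(image):
    if "@sha256:" in image:
        return []
    if image.endswith(":latest") or ":" not in image.rsplit("/", 1)[-1]:
        return [f"FROM {image}: floating tag resolves to whatever the registry "
                "serves today; pin with @sha256:<digest>"]
    return [f"FROM {image}: tags are mutable; pin with @sha256:<digest>"]


def _check_shell_command(cmd):
    toks, out = cmd.split(), []
    if PIPE_TO_SHELL_RE.search(cmd):
        out.append(f"'{cmd}': pipes a download straight into a shell; "
                   "nothing pins or verifies what ran")
    if toks and toks[0] in ("apt-get", "apt") and "install" in toks:
        for pkg in toks[toks.index("install") + 1:]:
            if not pkg.startswith("-") and "=" not in pkg:
                out.append(f"apt package {pkg!r} has no =version pin")
    if toks and toks[0] in ("pip", "pip3") and "install" in toks:
        args, i = toks[toks.index("install") + 1:], 0
        while i < len(args):
            a = args[i]
            if a in ("-r", "--requirement"):
                if "--require-hashes" not in args:
                    out.append("pip -r without --require-hashes: versions may be "
                               "pinned but package contents are not")
                i += 2
                continue
            if not a.startswith("-") and "==" not in a:
                out.append(f"pip package {a!r} has no ==version pin")
            i += 1
    return out


def lint_dockerfile(text):
    """Return [(line_no, message)] for every non-deterministic construct found."""
    findings = []
    for lineno, inst in logical_lines(text):
        keyword, _, rest = inst.partition(" ")
        kw = keyword.upper()
        if kw == "FROM":
            image = [a for a in rest.split() if not a.startswith("--")][0]
            findings += [(lineno, m) for m in _check_from(image)]
        elif kw == "RUN" and not rest.lstrip().startswith("["):  # shell form only
            for cmd in re.split(r"&&|\|\||;", rest):
                if cmd.strip():
                    findings += [(lineno, m) for m in _check_shell_command(cmd.strip())]
        elif kw == "ADD":
            for src in rest.split()[:-1]:
                if URL_RE.match(src):
                    findings.append((lineno, f"ADD {src}: fetched at build time with "
                                             "no digest check; vendor it and COPY"))
    return findings


def is_reproducible(text):
    return not lint_dockerfile(text)


if __name__ == "__main__":
    for name, df in (("unpinned", UNPINNED_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        print(f"== {name}: {'ok' if is_reproducible(df) else 'NOT reproducible'}")
        for lineno, msg in lint_dockerfile(df):
            print(f"  line {lineno}: {msg}")
```

Passing the linter does not make the pinned file equivalent to a Nix derivation: `apt-get install curl=<version>` still depends on the distribution archive continuing to serve that exact version, so the build silently breaks when the archive drops it, which is where snapshot mirrors or a content-addressed store like Nix's come in. The separate root-exposure point in the comment also needs no exotic tooling to confirm: any account in the `docker` group can start a container with the host filesystem bind-mounted, which is why Docker's own documentation describes that group as root-equivalent.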