by mikeyjk 1727 days ago
Are there any examples of people doing this? Sounds interesting

    $ VER=$(dpkg -s alsa-oss | grep -m1 '^Version: ' | sed -e 's/^Version: //g')
    $ cat > Dockerfile <<EOF
    FROM ubuntu:21.04
    RUN apt-get update && apt-get install -y alsa-oss=$VER
    EOF
    $ cat Dockerfile
    FROM ubuntu:21.04
    RUN apt-get update && apt-get install -y alsa-oss=1.1.8-1
    $ docker build -t testimg .
    $ docker run --rm -it testimg dpkg -s alsa-oss | grep ^Version:
    Version: 1.1.8-1
That's a complicated example. All you need to do is get a working system, specify the base image tag, run dpkg -l and write down all the versions, then pass them to apt-get install. It's super easy. It's much more complicated to do something like download a static Go app from a specific URL, import a GPG key, validate the key, verify the checksum, etc.

This would freeze all the packages on the system into a file for use in a Docker container:

  $ dpkg -l | awk '$1 == "ii" {print $2 "=" $3}' | xargs > packages.txt   # "ii" = installed; skips the header and "rc" (removed, config left) entries
  $ cat > Dockerfile <<'EOF'
  FROM ubuntu:21.04
  COPY packages.txt /packages.txt
  RUN apt-get update && apt-get install -y $(cat /packages.txt)
  EOF
If you just want to find out the dependencies for a package, use something like apt-cache rdepends alsa-oss and then get the versions and pin them. It's pretty trivial to just read the man pages for dpkg or apt and get what you want done.

You commit packages.txt and Dockerfile to a Git repo, and you push your built images to an artifact repository. Test it, validate it, ship it to production. It's all immutable, so it doesn't need to be reproduced; you just roll back to the last artifact.

Ah, though note there, you want to specify the base image by hash instead of by tag -- I've been bitten by that before...
The use of a non-static tag is intentional to pick up security and bug fixes. It's like using a "stable" branch, where you expect to get any emergency fixes to the stable branch. Only in this case it's a release-specific stable branch. If you ran a system with some compliance mandate that not even security fixes could be automatically applied, then you'd pin to the hash.
I may be wrong, but I believe one caveat here is apt may not always have some version of packages available. I believe only the latest one in each `deb-src` is available.

This is not an issue with nix as nix has the ability to build the entire system from source forever in a single command.
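As an added example (not code from any commenter in this thread), the POSIX shell script below carries the freeze-and-pin procedure discussed above through end to end: it turns a host's installed package list into an apt pin list, checks each pin against what the archive still offers (the caveat that superseded versions drop out of the `-updates` pocket), and writes a Dockerfile that pins the base image by digest instead of by tag. The `dpkg-query` and `apt-cache madison` output it consumes are constructed samples embedded in the script, the version strings are illustrative, and the digest is a placeholder, not the real digest of any image.

```shell
#!/bin/sh
# Added example, not code from the thread: freeze a host's installed package
# versions into an apt pin list, check each pin against what the archive still
# offers (the "old versions disappear" caveat), and write a Dockerfile that
# pins the base image by digest rather than by tag.

# Constructed sample of what `dpkg-query -W -f='${Package}=${Version}\n'`
# prints on the working host (versions are illustrative, not real package data).
SAMPLE_DPKG='alsa-oss=1.1.8-1
libc6:amd64=2.33-0ubuntu5
zlib1g:amd64=1:1.2.11.dfsg-2ubuntu6.1'

# Constructed sample of `apt-cache madison alsa-oss libc6 zlib1g` run inside
# the base image: zlib1g's -updates pocket has moved on, so 2ubuntu6.1 is gone.
SAMPLE_MADISON=' alsa-oss | 1.1.8-1 | http://archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages
    libc6 | 2.33-0ubuntu5 | http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
   zlib1g | 1:1.2.11.dfsg-2ubuntu6.2 | http://archive.ubuntu.com/ubuntu hirsute-updates/main amd64 Packages
   zlib1g | 1:1.2.11.dfsg-2ubuntu6 | http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages'

# pin_list: "name[:arch]=version" lines -> one space-separated apt-get argument
# string. The ":arch" qualifier is dropped so the list does not depend on how
# the source host's dpkg qualified multi-arch names.
pin_list() {
    printf '%s\n' "$1" | sed -e 's/:[a-z0-9]*=/=/' | tr '\n' ' ' | sed -e 's/ $//'
}

# unavailable_pins: print every name=version from the pin list that the
# madison output does not offer. Fields are split on '|' and whitespace-trimmed.
unavailable_pins() {
    pins=$1
    madison=$2
    for pin in $pins; do
        name=${pin%%=*}
        ver=${pin#*=}
        if ! printf '%s\n' "$madison" | awk -F'|' -v n="$name" -v v="$ver" '
            { gsub(/ /, "", $1); gsub(/ /, "", $2) }
            $1 == n && $2 == v { found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$pin"
        fi
    done
}

# dockerfile_for: Dockerfile text that pins the base image by digest and
# installs exactly the pinned set. --no-install-recommends stops apt from
# pulling unpinned extras in alongside the list.
dockerfile_for() {
    image=$1
    digest=$2
    pins=$3
    printf 'FROM %s@%s\n' "$image" "$digest"
    printf 'RUN apt-get update && apt-get install -y --no-install-recommends %s \\\n' "$pins"
    printf '    && rm -rf /var/lib/apt/lists/*\n'
}

# Stand-alone run over the constructed samples. On a real host, replace the
# samples with the live command output and take the digest from
#   docker image inspect --format '{{index .RepoDigests 0}}' ubuntu:21.04
# (it prints name@digest; split at '@'). The digest below is a placeholder.
PINS=$(pin_list "$SAMPLE_DPKG")
MISSING=$(unavailable_pins "$PINS" "$SAMPLE_MADISON")
if [ -n "$MISSING" ]; then
    echo "pins no longer offered by the archive:" >&2
    printf '  %s\n' $MISSING >&2
fi
dockerfile_for ubuntu \
    sha256:0000000000000000000000000000000000000000000000000000000000000000 "$PINS"
```

Run as is, it reports `zlib1g=1:1.2.11.dfsg-2ubuntu6.1` as no longer available and prints the digest-pinned Dockerfile; a pin that the availability check flags is exactly the case where `apt-get install` would fail at build time, so the check belongs in CI before the image build, not after it.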