[bluGill]

Reproducible docker images are almost useless for the things you want reproducible for. Sure you can reproduce the image for all of the future, but that image is useless in a few years when the certificates expire. Those expired certificates mean you cannot use the image for whatever you wanted it for.

A variation of the above is reproducible builds are not that useful - sure you can prove the build is the same, but in the end you want the latest security fixes applies and so by the time you create the replacement build and verify it the build is obsolete.

Don't get me wrong, reproducible builds are important and do good things - but there are severe limits to what you can/should do with them and so while it is important to demand them, they are not important to use yourself.

[cduzz]

Wouldn't you want to have certificates and other crypto data as an input to a reproducible build harness?

  # build initial images
  # add semi-static inputs (mostly static config data, crypto data, signed inputs)
  # add final watermarks

So each step can be verified

[bluGill]

That final watermark is not verifiable and so you can inject something else.