> If you want explicitness and reproducibility please don't reach for Docker. Unless you take a lot of care, you will only get the most watered down version of reproducibility with Docker probably luring you into a false sense of security. E.g. pointing to mutable image tags without integrity hashes and invoking apt-get are things you'll find in most Dockerfiles out there and both leave open a huge surface area for things to go wrong and end up in slightly different states.
If this is frequently a problem you're doing something wrong, or using such a crappy external library/toolchain that breaks frequently on the same version.
Docker is a way to ensure that the software builds with "the most recent minor version" of some OS/toolchain/libraries.
The reason why you want the most recent version is because of security fixes and bugs.
I agree that you should check integrity hashes where appropriate, if you really want to fix versions.