Skip to content

Alpine repo drops packages. This prevents package version pinning, and makes apk non-deterministic.

Alpine Linux has gained popularity as a Linux distribution that is especially good for Docker images.

What’s one of the biggest benefits of Docker? Reproducibility, including deterministic, reproducible Dockerfile builds. You should be able to make a Dockerfile deterministic by pinning package version numbers, so that your image is not dependent on the point in time when it was built.

Unfortunately, the Alpine package repo drops packages, even packages on "stable" branches.

Example: on 2020 March 10th, I found gcc 9.2.0-r3 on the Alpine package repository (web UI) under branch 3.11. On 2020 March 23rd, just 13 days later, my Dockerfile failed to run because the package gcc 9.2.0-r3 had been revoked from the branch 3.11 of the package repository, and was replaced with gcc 9.2.0-r4.

This makes Alpine Linux unsuitable for use in Docker images. Either your Dockerfile with pinning will "expire", or you are forced to avoid pinning package versions, which may cause unexpected behavior. When package maintainers decide to release a new version, this unexpected version will be automatically installed as soon as you rebuild your image the next time.

Compare this to PyPI or npm: No version is dropped, so version pinning works perfectly fine, no matter when you build or use your stuff.

There is a similar thread, apk-tools#10661 (closed) , which Timo Teräs (@fabled) closed, based on the unconfirmed assumption that the OP was mixing an Alpine image with Alpine packages from 2 different branches.

However, in my example, both the Alpine version and the package version were on the 3.11 branch. There is no mixing.

EDIT:

It seems that the official recommendation for how to ensure your Dockerfile is deterministic is to keep your own mirror / repository with all the specific packages and their versions that you need to keep indefinitely.

Alternatively, you can push/pull your Docker images to/from a binary repo, such as Artifactory. Then, the only time you ever have to run your Dockerfile is when the Dockerfile and Docker image are being modified anyway, which makes a deterministic Dockerfile moot.

Edited by P. Cowlinator