It's Not Just Timestamps: A Study on Docker Reproducibility

• Computer Science > Distributed, Parallel, and Cluster Computing [Submitted on 3 Feb 2026] Title:It’s Not Just Timestamps: A Study on Docker Reproducibility View PDF HTML (experimental)Abstract:Reproducible container builds promise a simple integrity check for software supply chains: rebuild an image from its Dockerfile and compare hashes. • We build a Docker measurement pipeline and apply it to a stratified sample of 2,000 GitHub repositories that contained a Dockerfile. • We found that only 56% produce any buildable image, and just 2.7% of those are bitwise reproducible without any infrastructure configurations. • After modifying infrastructure configurations, we raise bitwise reproducibility by 18.6%, but 78.7% of buildable Dockerfiles remain non-reproducible. • We analyze the root causes of the remaining differences, and find that beyond timestamps and metadata, developer-controlled choices such as uncleaned caches, logs, documentation, and floating versions are dominant causes of non-reproducibility. • We derive concrete Dockerfile guidelines from these patterns and discuss how they can inform future linters and Continuous Integration (CI) checks for reproducible containers.

Article Summaries:

• A recent study examined Docker reproducibility across 2,000 GitHub repositories. Only 56 % of Dockerfiles produced a buildable image, and just 2.7 % of those were bit‑wise identical to a rebuild without any infrastructure tweaks. Adjusting infrastructure settings raised reproducibility by 18.6 %, yet 78.7 % of buildable Dockerfiles still differed. The authors identified that, beyond timestamps and metadata, developer‑controlled factors-such as uncleaned caches, logs, documentation, and floating version pins-dominate the remaining discrepancies. From these patterns, the paper proposes concrete Dockerfile guidelines and discusses how they could inform future linters and CI checks for reproducible containers.
• A recent study examined Docker reproducibility across 2,000 GitHub repositories containing Dockerfiles. Only 56 % of the Dockerfiles produced a buildable image, and just 2.7 % of those were bit‑wise reproducible without any infrastructure adjustments. After modifying infrastructure configurations, reproducibility rose by 18.6 %, yet 78.7 % of buildable Dockerfiles still differed. The authors identified key causes beyond timestamps and metadata, including uncleaned caches, logs, documentation, and floating version specifications. From these patterns they propose concrete Dockerfile guidelines and discuss implications for future linters and CI checks aimed at ensuring reproducible containers.

Sources:

• https://arxiv.org/abs/2602.17678