I've been doing a lot of research lately into more deterministic dependency management and reproducible builds by leveraging hashes via git.
You might be interested in MDM[1], which is a general-purpose dependency manager for binary blobs.
Specifically for container images, you also might be interested in hroot[2] -- it separates the concept of the image and transport out from the containerization system.
I agree wholeheartedly that it's the image permanence that's the interesting part about containers right now. In the last 24 hours I actually had an experience where a docker setup full of apt-gets failed to reproduce an image (new deps were added upstream that broke the system). Fortunately with hroot, I had the exact filesystems I had previously produced in a permanent, transportable system, and all covered by a hash so my production system could fetch exactly the correct version. I could have done this all manually with tars, but that's a pain for nontrivial use cases, and I could have done it with a docker registry, but I'm too much of a security nut to use the public one, and I already have git infrastructure set up, so it's actually easier to use that than try to spin up a private docker registry and secure it, etc.
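An added example of the hash-covered image workflow the comment above describes. This is not hroot or mdm code, just a minimal stand-in: a filesystem tree is packed so that rebuilding it yields the same bytes, the image is addressed by its SHA-256, and a fetching host refuses anything whose hash does not match. It assumes GNU tar (for `--sort`, `--mtime`, `--owner`) and coreutils `sha256sum`; the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example (not hroot/mdm code): reproducible rootfs tarball + hash check.
# Assumes GNU tar and coreutils sha256sum.
set -eu

# pack_rootfs DIR OUT: write a byte-for-byte reproducible .tar.gz of DIR.
# Each flag removes a source of nondeterminism that makes two tars of the
# same tree differ: directory read order (--sort), file mtimes (--mtime),
# uid/gid and their names (--owner/--group/--numeric-owner), and gzip's
# embedded timestamp (gzip -n).
pack_rootfs() {
    tar --sort=name --mtime=@0 \
        --owner=0 --group=0 --numeric-owner \
        -C "$1" -cf - . | gzip -n > "$2"
}

# image_hash FILE: the content address of an image (hex SHA-256).
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED: return 0 if FILE hashes to EXPECTED, else 1.
# This is the check a production host runs before unpacking what it fetched.
verify_image() {
    actual=$(image_hash "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hash mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# make_sample_tree DIR: a constructed stand-in for a built root filesystem.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/usr/bin"
    printf 'hello from the image\n' > "$1/usr/bin/app"
    printf 'name=demo\n' > "$1/etc/app.conf"
}

# demo: pack the same tree twice with different mtimes in between (as a
# rebuild would produce) and show the hashes agree; then change one file
# and show the verifier rejects the result against the old hash.
demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/root"
    pack_rootfs "$work/root" "$work/a.tar.gz"
    touch -t 200101010000 "$work/root/usr/bin/app"
    pack_rootfs "$work/root" "$work/b.tar.gz"
    h1=$(image_hash "$work/a.tar.gz")
    h2=$(image_hash "$work/b.tar.gz")
    echo "image hash: $h1"
    if [ "$h1" = "$h2" ]; then echo "rebuild reproducible: yes"; else echo "rebuild reproducible: no"; fi
    printf 'name=tampered\n' > "$work/root/etc/app.conf"
    pack_rootfs "$work/root" "$work/c.tar.gz"
    if verify_image "$work/c.tar.gz" "$h1"; then
        echo "unexpected: changed image accepted"
    else
        echo "changed image rejected"
    fi
    rm -rf "$work"
}

demo
```

The hash here only proves that the bytes match what was produced earlier; it does not say anything about whether the original build was sane. That is exactly the split the comment is after: store the hash somewhere you trust (a git commit, in the commenter's setup) and let the production side do nothing but fetch and verify.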
Why would you use apt-get with an upstream repository? Deployment 101 is to set up your own local repo mirror so that you control exactly what binary objects get deployed.
[1] http://github.com/polydawn/mdm
[2] http://github.com/polydawn/hroot