Garden / ○ seedling
What’s really in this image?
A container image is a stack of tarballs, and the thing telling you what’s
inside is mostly a tag you decided to trust. The SBOM, if there is one, usually
lives next to the artifact and isn’t forced to match it. Nix closures work the
other way: every dependency is pinned by hash, and a tool like sbomnix reads
the closure and reports what actually went in, rather than taking the package’s
word for it.
This is on my list, not something I’ve done yet. The plan is to take a
container I actually run, tear it apart on the playground lab
with REMnux and FLARE tooling, build the dockerTools.buildImage equivalent,
and compare what the image claims against what Nix can prove. The write-up only
counts once the lab has actually generated it, so this note is a placeholder
until then.
A seedling, barely more than a planted thought. Expect it to change shape.