@p @sysrq @Aldis @Big_Diggity @Lance @gabriel @graf @parker @tyler @victor had nightmare about p talking docker. here we are.
work with containers daily they are fine if you have control of full supply and build chain. most do not nor do they understand how it works. but even then no true reproducibility. work with this stuff daily and conduct sec ops for hyperscaler clusters (think 200+ node multi-region k8s and nomad clusters). all of it horribly complex.
but yes they are mainly for feature factory shipit™ companies
mitch rolled a turd with vagrant. will not touch on that.
vms in general can be subject to same supply chain vectors unless you have a way of ensuring upstream + downstream chains are in your custody (not realistic) and you have cluepon.
this is why nixos is useful for me. makes controlling supply and build chains nicer, i can achieve reproducibility up to ~98% every time and everything can be audited end to end via cryptography. if i hand you a nix flake (builds manifest) to build a vm the sha and outputs will be identical on my machine as yours. but problem with nix is it invalidates all modern tooling for orchestration and configuration management. as well, it breaks convention of lsb-fhs but tradeoff is immutability and path isolation which has some benefits. but using in production environment likely will not be adopted due to cost of tearing down the abyss of shvt container systems.
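An added example of the flake hand-off described in the post (not the poster's own flake): a minimal flake.nix that builds a NixOS VM, with the commands two parties would run to confirm they produced the same store path hash. The hostname, user, package set and nixpkgs branch are assumptions.

```nix
# flake.nix (constructed example). Assumes nix with flakes enabled; the exact
# nixpkgs revision is pinned in the generated flake.lock, which must be handed
# over together with this file for the hashes to match.
{
  description = "minimal reproducible NixOS VM for build-hash comparison";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs }: {
    nixosConfigurations.demo = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ pkgs, ... }: {
          # Everything that lands in the store path is declared here; nothing is
          # fetched at VM runtime, so two builders with the same flake.lock
          # evaluate to the same closure.
          networking.hostName = "demo";            # assumed value
          services.openssh.enable = true;
          users.users.audit = {                    # assumed user
            isNormalUser = true;
            extraGroups = [ "wheel" ];
          };
          environment.systemPackages = [ pkgs.curl ];
          system.stateVersion = "24.05";
        })
      ];
    };
  };
}

# On each machine, with identical flake.nix + flake.lock:
#   nix build .#nixosConfigurations.demo.config.system.build.vm
#   nix hash path "$(readlink -f ./result)"
# The printed NAR hash covers the whole VM runner closure (kernel, initrd,
# system profile). Equal hashes on both machines means the same bits were
# produced end to end; a mismatch points at a non-reproducible package in the
# closure, which is what the ~98% figure in the post refers to.
```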