12 February 2026 London, United Kingdom
Beyond Docker Builds: Declarative, Reproducible and Secure OCI Containers with Nix
Abstract
The Open Container Initiative (OCI) standardized the foundation of cloud-native infrastructure. However, most build systems lack determinism due to network access during builds, leading to non-reproducible artifacts and complicating software supply chain security (SSCS). While OCI supports layering for storage and cache efficiency, reflecting shared dependencies across artifacts remains complex.
Nix, as a package manager, enables declarative and reproducible builds in hermetic, network-isolated sandboxes, requiring all dependencies to be specified up front for long-term reproducibility.
Dependencies are treated as first-class citizens, making it easy to generate an accurate Software Bill of Materials (SBOM).
With dockerTools in the Nix standard library, these benefits reach the OCI ecosystem.
This talk highlights the advantages of fully declarative, reproducible OCI builds with Nix, offering deep insights and benefits to SSCS.
Let’s not just build containers, let’s declare them reproducibly!
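As an added illustration of the approach the abstract describes (this is example code, not material from the talk or from nixpkgs itself), the following Nix expression declares a small OCI image with pkgs.dockerTools.buildLayeredImage. The image name, tag and package selection are assumptions chosen for the example; every package the image can contain is listed explicitly, the build runs in the network-isolated Nix sandbox, and a fixed creation timestamp keeps the resulting digest stable across rebuilds.

```nix
# Added example (not from the talk): a hermetic, layered OCI image declared
# with pkgs.dockerTools.buildLayeredImage from nixpkgs.
# Build and load it with:
#   nix-build image.nix && docker load < result
{ pkgs ? import <nixpkgs> { } }:

let
  # Everything the image may contain is named here. The sandbox has no
  # network access, so a dependency that is not declared cannot silently
  # end up in the artifact; this list is also the input to an SBOM.
  runtimeDeps = [ pkgs.bashInteractive pkgs.coreutils pkgs.curl pkgs.cacert ];
in
pkgs.dockerTools.buildLayeredImage {
  name = "example/hermetic-curl";   # hypothetical image name
  tag = "1.0.0";                    # hypothetical tag

  # Fixed creation timestamp (the nixpkgs default) keeps the image digest
  # reproducible; "now" would reintroduce non-determinism.
  created = "1970-01-01T00:00:01Z";

  # Each store path becomes its own layer (up to maxLayers), so dependencies
  # shared between images deduplicate in the registry and the local cache.
  contents = runtimeDeps;
  maxLayers = 64;

  config = {
    Cmd = [ "${pkgs.curl}/bin/curl" "--version" ];
    Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
    User = "65534:65534";  # run as an unprivileged user rather than root
  };
}
```

Because the contents are explicit store paths, the exact runtime closure of the image can be enumerated from the Nix store (for example with nix-store -qR on the declared packages) rather than inferred by scanning the finished filesystem, which is what makes the SBOM accurate instead of approximate. Rebuilding the same expression against the same pinned nixpkgs yields a byte-identical tarball, so a changed image digest is itself a signal that an input changed.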