[Distutils] Docker, development, buildout, virtualenv, local/global install

Jim Fulton jim at jimfulton.info
Wed Jun 15 08:12:43 EDT 2016

On Wed, Jun 15, 2016 at 7:57 AM, Donald Stufft <donald at stufft.io> wrote:
>> On Jun 15, 2016, at 7:53 AM, Jim Fulton <jim at jimfulton.info> wrote:
>> If you actually build programs as part of image building, then your
>> image contains build tools, leading to image bloat and potentially
>> security problems as the development tools provide a greater attack
>> surface.
> This isn’t strictly true, the layering in Docker works on a per RUN command basis, so if you compose a single command that installs the build tools, builds the thing, installs the thing, and uninstalls the build tools (and cleans up any cache), then that’s roughly equivalent to installing a single binary (except of course, in the time it takes).

OK, fair enough.  People would typically start from an image that had
the build tools installed already. But as you point out, you could
have a single step that installed the build tools, built and then
uninstalled the build tools.  You'd avoid the bloat, but have
extremely long build times.


Jim Fulton

More information about the Distutils-SIG mailing list