Let's discuss reproducible builds and code verification once again

That’s right. To take the example of a Motoko build, the only relevant binaries are moc, ic-wasm and gzip. The Dockerfile installs those directly from pinned releases. I don’t care about pinning the rest of the system. That isn’t necessary and not a goal.

For Rust, you would have to do the same with cargo.

My Docker image is 75 MB and I once counted that at least 60 MB are binaries that I absolutely need (moc + ic-wasm + mops-cli). So at most 20% are not used.

I see two problems with using nix alone (no Docker):

  1. Nix does not emulate a CPU architecture (unlike Docker, which does with qemu). It does not solve the problem we have with dependency on CPU architecture. So it simply isn’t a replacement for Docker.

  2. If you rely on nix at the top-level, i.e. every verifier has to have nix installed, then you are cutting down the number of verifiers that are willing to do validation by 90% (my random guess). I would say people are 10 times more likely to run a Docker command than to run nix.

Maybe nix inside Docker is possible? I think Docker has to be at the top-level.
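As an added illustration of the approach described in this post (not the poster's own Dockerfile), here is a Dockerfile that pins only the build binaries from their releases, checks them against a recorded checksum, and fixes the platform so the verifier's CPU architecture does not leak into the output. Versions, checksums, the release asset URLs and the tarball layouts are placeholders or assumptions; take the real values from the release pages of the pinned versions.

```dockerfile
# Added example, not the poster's Dockerfile. Versions and checksums below are
# placeholders; fill them in from the exact releases the project was built with.
# Fixing the platform means the same image is produced on arm64 hosts as well
# (Docker runs it under qemu), which is the CPU-architecture problem from point 1.
FROM --platform=linux/amd64 ubuntu:22.04

# Placeholders: pin the exact release tags and the checksums of their tarballs.
ARG MOC_VERSION=<moc release tag>
ARG MOC_SHA256=<sha256 of the moc release tarball>
ARG IC_WASM_VERSION=<ic-wasm release tag>
ARG IC_WASM_SHA256=<sha256 of the ic-wasm release asset>

# The rest of the system is deliberately not pinned (it is not part of the
# output); gzip comes from the distro, curl only serves to fetch the releases.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates curl gzip \
    && rm -rf /var/lib/apt/lists/*

# moc: download the pinned release, stop if the checksum differs, extract only
# the compiler. Asset URL and tarball layout are assumed; check them against
# the Motoko release page for the pinned tag.
RUN curl -fsSL -o /tmp/moc.tar.gz \
      "https://github.com/dfinity/motoko/releases/download/${MOC_VERSION}/motoko-Linux-x86_64-${MOC_VERSION}.tar.gz" \
    && echo "${MOC_SHA256}  /tmp/moc.tar.gz" | sha256sum -c - \
    && tar -xzf /tmp/moc.tar.gz -C /usr/local/bin moc \
    && rm /tmp/moc.tar.gz

# ic-wasm: same pattern. The asset name is a placeholder; use the Linux binary
# published for the pinned release.
RUN curl -fsSL -o /usr/local/bin/ic-wasm \
      "https://github.com/dfinity/ic-wasm/releases/download/${IC_WASM_VERSION}/<linux asset name>" \
    && echo "${IC_WASM_SHA256}  /usr/local/bin/ic-wasm" | sha256sum -c - \
    && chmod 0755 /usr/local/bin/ic-wasm

WORKDIR /build
COPY src/ ./src/

# Constructed build step: compile, shrink, compress. `gzip -n` leaves the
# file name and timestamp out of the gzip header, otherwise two otherwise
# identical builds produce different bytes. Adjust the entry point and flags
# to the actual project.
RUN moc src/main.mo -o out.wasm \
    && ic-wasm out.wasm -o out.wasm shrink \
    && gzip -n -9 out.wasm

# The verifier only needs Docker: build the image, print the hash of the
# artifact, and compare it with the module hash the canister reports.
CMD ["sha256sum", "/build/out.wasm.gz"]
```

A verifier runs `docker build --platform linux/amd64 -t verify-build . && docker run --rm verify-build` and compares the printed digest with the deployed module hash; a mismatch in either the download checksums or the final digest is the signal that something in the build is not what the published source claims.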