Removes pinning and tweaks cleanup in final container

[vpetersson]

• Removes pinning of packages (as this is likely to break in the future)
• Tweaks cleanup process in final container

[shawaj]

What's the purpose of not pinning?

It's more likely to break things if they aren't pinned than if they are...

[vpetersson]

We had a long discussion about this in the dev team. There are pros and cons, but generally speaking, pinning app packages (such as Python dependencies) is good, but pinning system pages creates more problems than it solves.

Packages within a given channel (such as Debian Buster) are generally very stable and backward compatible.

Only way in my experience to reliably pin system packages is if you run your own package mirror. If we pin without that, chances are that they will stop serving a given package and we won't be able to build.

[shawaj]

Failing to build with an untested package bump is better than sending untested package bumps to production IMO.

I don't think we should have unpinned packages it's just asking for trouble and unintended issues that we can't easily determine the root cause of

[vpetersson]

It's not untested. It's pinned at build. They'd go through the same TestNet -> MainNet process. Basically, in all my years of deploying software, we've never pinned OS packages once, and then we had to roll our own APT mirrors, which is a major PITA. @robputt seems to have echo'd the same opinion.

[shawaj]

Yeah and when there's an issue we will have no idea where it came from.... Because it could be one of many many updates to the packages that we have no idea about or control over.

Stupid idea and just asking for trouble

[shawaj]

The testnet -> mainnet process isn't sufficient for this IMO. Already several issues have made it into the mainnet due to insufficient / non existent testing.

This will just make things 20 times worse and harder to isolate any problems.