The base image runs a generic OS upgrade. Once that is complete, any application layer installing packages simply needs to run apt -y update to ensure that additional packages are the latest versions.
This might create a race if the upstream source lists are updated during a build; however, that scenario is quite unlikely, and will either result in some packages being newer than others, or possibly a transient package-not-found build failure.
In the first scenario, that can be detected, and in the second scenario, it serves as a warning and requires a manual kick.
The possible occurrence of that first scenario is further reduced by implementing: https://github.com/hihg-um/docker-r/issues/36
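
One way to detect the first scenario (base-layer packages older than what the application layer's refreshed lists offer), as an added example that is not part of the original text or the project's code. The function names and the sample output are constructed for illustration, and it assumes the apt lists are still present in the built image.

```shell
#!/bin/sh
# Added example: report packages already in the image that the package
# lists fetched by the application layer would upgrade (version skew).

# Parse `apt-get -s upgrade` output on stdin. Upgrade lines look like:
#   Inst <pkg> [<installed>] (<candidate> <origin> [<arch>])
# Fresh installs carry no [installed] field and are skipped.
skewed_packages() {
    awk '$1 == "Inst" && $3 ~ /^\[.*\]$/ {
        installed = substr($3, 2, length($3) - 2)
        candidate = substr($4, 2)
        print $2, installed, candidate
    }'
}

# Constructed sample of simulated-upgrade output (not from a real build).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl3 tzdata
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates [amd64])
Inst tzdata [2023c-0ubuntu0.22.04.0] (2023c-0ubuntu0.22.04.2 Ubuntu:22.04/jammy-updates [all])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates [amd64])
Conf tzdata (2023c-0ubuntu0.22.04.2 Ubuntu:22.04/jammy-updates [all])
EOF
}

# Return 0 when nothing is behind, 1 (with the list on stderr) otherwise,
# so a CI step can fail the build and trigger a rebuild of the base image.
check_skew() {
    skew=$(skewed_packages)
    [ -z "$skew" ] && return 0
    printf 'base-layer packages behind current lists:\n%s\n' "$skew" >&2
    return 1
}

# Real use inside the built image, without refreshing the lists again:
#   apt-get -s upgrade | check_skew
```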