
Dockerfiles are repeatable but they are not reproducible - they don't give you the same version of everything every time you run them.



You're right, but it depends on workflow. IMO they should be pulling the docker image itself and not building the container from the Dockerfile.


It depends on other external circumstances, but other benefits for nix would be: - they could pull less data (nix configuration is smaller than docker binary blob), - nix is entirely deterministic (docker depends on whenever that image was built), - nix implicitly its components for if there are many of these dev shells, and also with your main system. Yes, Dockerfiles can also be chained but if the later levels of these are rebuilt, the earlier ones better have new enough versions installed (i.e. it's a can of worms and the entire chain needs to be rebuilt anyway)


One can absolutely lock versions in their Dockerfile. I can see that the design principle of DevBox is to pin the versions. At the end of the day we all need to consider versioning (i.e., the image version) the versions (i.e., package versions) anyway.


Reproducible Docker is fighting an uphill battle; Nix and its ecosystem try to be reproducible by default.

Docker's ecosystem aims more for repeatable, not reproducible.

> At the end of the day we all need to consider versioning (i.e., the image version) the versions (i.e., package versions) anyway.

The granularity of pinned versions and feasibility of having a culture of everything being pinned versus needing to know a crazy amount of things that need pinned is a big difference.


This is where version pinning comes in. Most base images use specific versions of packages.
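An added example, not part of any comment in this thread: a small check that lists the inputs in a Dockerfile that can resolve to different content on a later build, which is the gap between "repeatable" and "reproducible" discussed above. The function name `unpinned`, the sample Dockerfile and its placeholder digest are constructed for illustration, and the check only covers `FROM`, `apt-get install` and `pip install`.

```python
import re

# Constructed sample Dockerfile (not from the thread); the digest is a placeholder.
SAMPLE = """\
FROM python:3.12-slim AS build
RUN apt-get update && \\
    apt-get install -y curl git=1:2.39.2-1.1
FROM debian@sha256:PLACEHOLDER_DIGEST
COPY --from=build /app /app
RUN pip install requests flask==3.0.3
FROM build AS test
"""

def unpinned(dockerfile):
    """Return (kind, name) for each input that may resolve differently per build."""
    findings, stages = [], set()
    # Join backslash continuations so each instruction is one logical line.
    for line in dockerfile.replace("\\\n", " ").splitlines():
        line = line.strip()
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        op = words[0].upper()
        if op == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]
            image = args[0]
            # A tag can be re-pointed by the registry; only a digest is immutable.
            # References to an earlier build stage are not registry pulls.
            if image not in stages and image != "scratch" and "@sha256:" not in image:
                findings.append(("base-image", image))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2])
        elif op == "RUN":
            # Check each shell command in the RUN line separately.
            for cmd in re.split(r"&&|;", line[len(words[0]):]):
                toks = cmd.split()
                if toks[:2] == ["apt-get", "install"]:
                    kind, pin = "apt", "="
                elif toks[:2] == ["pip", "install"]:
                    kind, pin = "pip", "=="
                else:
                    continue
                for pkg in toks[2:]:
                    if not pkg.startswith("-") and pin not in pkg:
                        findings.append((kind, pkg))
    return findings

if __name__ == "__main__":
    for kind, name in unpinned(SAMPLE):
        print(f"unpinned {kind}: {name}")
```

A clean result only means the listed inputs are pinned by name and version; transitive dependencies and the state of the package mirrors at build time can still differ.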



