What is the current thinking about trying to get deterministic docker builds?
It seems all well and good until you need to do an apt-get update && apt-get install X; then what you get depends on when you run it,
and if you don't do the apt-get update, you'll get 404s, since the Debian repos do not seem to keep old binaries that aren't referenced by any of the active streams/channels/whatever they call those.
Those are not a thing; Docker does not solve for that.
This is why you rebuild the image periodically,
and promote that to release and promote that to latest tag (or whichever tag you replace), if it passes automated quality gates
so you have a canary in the coal mine with regard to something breaking bug-for-bug compatibility, and you stay up to date on security updates.