This technical blog post explains BuildKit's modular architecture and demonstrates practical use cases for creating custom build frontends. While not directly addressing human rights, the content positively engages with freedom of expression through open knowledge-sharing, supports equitable access to technical education via free content, and contributes to the developer community's collective understanding of modern software development practices.
unfortunately, make is more well written software. I think ultimately Dockerfile was a failed iteration of Makefile. YAML & Dockerfile are poor interfaces for these types of applications.
The code first options are quite good these days, but you can get so far with make & other legacy tooling. Docker feels like a company looking to sell enterprise software first and foremost, not move the industry standard forward
I don't use buildkit for artifacts, but I do like to output images to an OCI Layout so that I can finish some local checks and updates before pushing the image to a registry.
But the real hidden power of buildkit is the ability to swap out the Dockerfile parser. If you want to see that in action, look at this Dockerfile (yes, that's yaml) used for one of their hardened images: https://github.com/docker-hardened-images/catalog/blob/main/...
BuildKit also comes with a lot of pain. Dagger (a set of great interfaces to BuildKit in many languages) is working to remove it. Even their BuildKit maintainers think it's a good idea.
BuildKit is very cool tech, but painful to run at volume
Fun gotchya in BuildKit direct versus Dockerfiles, is the map iteration you loaded those ENV vars into consistent? No, that's why your cache keeps getting busted. You can't do this in the linear Dockerfile
It sounds great in theory, but it JustDoesn'tWork(tm).
Its caching is plain broken, and the overhead of transmitting the entire build state to the remote computer every time is just busywork for most cases. I switched to Podman+buildah as a result, because it uses the previous dead simple Docker layered build system.
If you don't believe me, try to make caching work on Github with multi-stage images. Just have a base image and a couple of other images produced from it and try to use the GHA cache to minimize the amount of pulled data.
After building Depot [0] for the past three years, I can say I have a ton of scar tissue from running BuildKit to power our remote container builders for thousands of organizations.
It looks and sounds incredibly powerful on paper. But the reality is drastically different. It's a big glob of homegrown thoughts and ideas. Some of them are really slick, like build deduplication. Others are clever and hard to reason about, or in the worst case, terrifying to touch.
We had to fork BuildKit very early in our Depot journey. We've fixed a ton of things in it that we hit for our use case. Some of them we tried to upstream early on, but only for it to die on the vine for one reason or another.
Today, our container builders are our own version of BuildKit, so we maintain 100% compatibility with the ecosystem. But our implementation is greatly simplified. I hope someday we can open-source that implementation to give back and show what is possible with these ideas applied at scale.
The --mount=type=cache for package managers is genuinely transformative once you figure it out. Before that, every pip install or apt-get in a Dockerfile was either slow (no caching) or fragile (COPY requirements.txt early and pray the layer cache holds).
What nobody tells you is that the cache mount is local to the builder daemon. If you're running builds on ephemeral CI instances, those caches are gone every build and you're back to square one. The registry cache backend exists to solve this but it adds enough complexity that most teams give up and just eat the slow builds.
The other underrated BuildKit feature is the ssh mount. Being able to forward your SSH agent into a build step without baking keys into layers is the kind of thing that should have been in Docker from day one. The number of production images I've seen with SSH keys accidentally left in intermediate layers is genuinely concerning.
Are you on a phone? I loaded the article with both my phone and laptop. The ascii diagram was thoroughly distorted on my phone but it looked fine on my laptop.
Along similar lines, when I was reading the article I was thinking "this just sounds like a slightly worse version of nix". Nix has the whole content addressed build DAG with caching, the intermediate language, and the ability to produce arbitrary outputs, but it is functional (100% of the inputs must be accounted for in the hashes/lockfile, as opposed to Docker where you can run commands like `apk add firefox` which is pulling data from outside sources that can change from day to day, so two docker builds can end up with the same hash but different output, making it _not_ reproducible like the article falsely claims).
Edit: The claim about the hash being the same is incorrect, but an identical Dockerfile can produce different outputs on different machines/days whereas nix will always produce the same output for a given input.
Make is timestamp based. That is a thoroughly out-of-date approach only suitable for a single computer. You want distributed hash-based caching in the modern world.
The "This is the key insight -" or "x is where it gets practical -", are dead give aways too. If I wanted an LLMs explanation of how it works, I can ask an LLM. When I see articles like this I'm expecting an actual human expert
SRE here, I feel like both are just instructions how to get source code -> executable with docker/containers providing "deployable package" even if language does not compile into self-contained binary (Python, Ruby, JS, Java, .Net)
Also, there is nothing stopping you from creating a container that has make + tools required to compile your source code, writing a dockerfile that uses those tools to produce the output and leave it on the file system. Why that approach? Less friction for compiling since I find most make users have more pet build servers then cattle or making modifications can have a lot of friction due to conflicts.
I switched our entire container build setup to buildkit. No kaniko, no buildah, no dind. The great part is that you can split buildkitd and the buildctl.
Everything runs in its own docker runner. New buildkitd service for every job. Caching only via buildkit native cache export. Output format oci image compressed with zstd.
Works pretty great so far, same or faster builds and we now create multi arch images. All on rootless runners by the way
> It's a big glob of homegrown thoughts and ideas. Some of them are really slick, like build deduplication. Others are clever and hard to reason about, or in the worst case, terrifying to touch.
This is true of packaging and build systems in general. They are often the passion projects of one or a handful of people in an organization - by the time they have active outside development, those idiosyncratic concepts are already ossified.
It's really rare to see these sorts of projects decomposed into building blocks even just having code organization that helps a newcomer understand. Despite all the code being out in public, all the important reasoning about why certain things are the way they are is trapped inside a few dev's heads.
Post contributes detailed technical knowledge to developer and open-source communities, enabling broader participation in software development practices and advancing shared understanding of modern build systems.
FW Ratio: 60%
Observable Facts
Post contributes original technical knowledge about BuildKit architecture and design patterns to developer community.
Example code (apkbuild frontend) and patterns are reusable and adaptable by other community members.
Author references and builds upon existing community projects (Earthly, Dagger, Depot, Chainguard's melange).
Inferences
Sharing detailed technical knowledge about core software development infrastructure enables broader community participation in technical culture.
Contribution to collective understanding of modern build systems represents participation in scientific and cultural advancement of software development field.
Post openly expresses technical opinions and analysis about BuildKit architecture without restriction, demonstrating exercise of freedom of expression through technical discourse.
FW Ratio: 60%
Observable Facts
Blog post is published on the open web without registration requirements or access controls.
Technical content shared freely with no apparent licensing restrictions.
Post expresses author's analysis and opinions about BuildKit's design and capabilities.
Inferences
Publication of technical opinions on an unrestricted platform demonstrates active exercise of freedom of expression.
Absence of access barriers suggests author values open sharing of ideas with broader technical community.
Post demonstrates fulfillment of duties to community through sharing technical knowledge and expertise gained through experience, contributing to collective development capacity.
FW Ratio: 50%
Observable Facts
Author shares technical expertise and knowledge gained through practical BuildKit experience with broader community.
Post includes concrete, reusable code patterns (apkbuild example) and architectural insights for community adoption.
Inferences
Sharing technical knowledge and code examples represents fulfillment of duties to contribute expertise to community.
Making reusable patterns and examples available enables others to benefit from and build upon shared technical understanding.
Post discusses BuildKit as tool that improves developer efficiency through parallelization and automation, potentially facilitating better working conditions by reducing manual labor.
FW Ratio: 67%
Observable Facts
Post presents BuildKit's parallelization and caching capabilities as efficiency improvements.
Example demonstrates how custom frontends reduce manual, repetitive work for developers.
Inferences
Efficient tools that reduce repetitive manual work could contribute to improved working conditions and reduced time spent on mundane tasks.
Freely shared technical knowledge and code patterns can be adopted and adapted by community, facilitating collective participation in scientific and cultural advancement.
build 1ad9551+j7zs · deployed 2026-03-02 09:09 UTC · evaluated 2026-03-02 10:41:39 UTC
Support HN HRCB
Each evaluation uses real API credits. HN HRCB runs on donations — no ads, no paywalls.
If you find it useful, please consider helping keep it running.