diff --git a/2.0/Dockerfile b/2.0/Dockerfile index cfdbe9e..399b3df 100644 --- a/2.0/Dockerfile +++ b/2.0/Dockerfile @@ -6,6 +6,9 @@ FROM debian:buster-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -48,6 +54,8 @@ RUN set -eux; \ zlib1g-dev \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ @@ -93,6 +101,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.0/alpine/Dockerfile b/2.0/alpine/Dockerfile index 2b487fc..ca7bb68 100644 --- a/2.0/alpine/Dockerfile +++ b/2.0/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.16 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ 
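Review bot: The comment added with `ARG SOURCE_DATE_EPOCH` at `@@ -6,6 +6,9 @@` does not say which steps read the value or what happens when none is supplied. The only consumer this diff names is Debian's useradd, and the Alpine files' own added comment says their user-creation step ignores it, so what the ARG changes there cannot be told from the hunks. I would spell it out, for example `# SOURCE_DATE_EPOCH (Unix seconds, optional): read by useradd below; leave unset for a normal, non-reproducible build`. The same two lines are repeated in every versioned Dockerfile and in both branches of Dockerfile.template.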
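Review bot: The cleanup added at `@@ -48,6 +54,8 @@` looks redundant, because it sits in what appears to be the same RUN as the one added at `@@ -93,6 +101,8 @@`. Only the filesystem state at the end of a RUN reaches the layer, so whatever the first `rm` removes is removed again by the second, along with anything written to /var/log in between. I would drop the earlier pair of lines and keep the final one, terminated like its neighbours: `rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \` rather than ` ;\`. The RUN starts before the first hunk and continues between the two, so this should be confirmed against the full file. The same applies to the matching hunks in the 2.2 through 3.0 Debian Dockerfiles and to `@@ -100,6 +110,8 @@` in Dockerfile.template.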
@@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 95334c52ace9ae139e66d60240633be8bb4eed1babedfcc6cb947092e00c4 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -83,7 +87,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.2/Dockerfile b/2.2/Dockerfile index 3854c00..a3121d9 100644 --- a/2.2/Dockerfile +++ b/2.2/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bullseye-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ 
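Review bot: The comment added at `@@ -14,6 +17,7 @@` names `useradd`, but the command that follows in this file is `adduser`. It also records a limitation without stating its effect. If the "lastchanged" field of /etc/shadow is not fixed, the Alpine images will presumably still differ between rebuilds, which matters to anyone comparing a rebuilt image against a published one. Suggested wording: `# Alpine's adduser does not honor SOURCE_DATE_EPOCH, so the "lastchanged" field in /etc/shadow is not yet reproducible.` The RUN continues past the end of the hunk, and the same line is added in the other Alpine Dockerfiles and in Dockerfile.template.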
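Review bot: The `=0` suffix added to `--virtual .build-deps` at `@@ -35,7 +39,7 @@` and to `.haproxy-rundeps` at `@@ -83,7 +87,7 @@` has no explanation, unlike the Debian-side changes, which are marked `# clean up for reproducibility`. Presumably it pins the virtual package's version, which apk would otherwise derive from the build time and record in its installed-package database; that is worth confirming and writing down, since the suffix is easy to mistake for a typo and remove. I would add a comment above the RUN such as `# "=0" gives apk virtual packages a fixed version instead of a build-time one (reproducibility)`. The same change appears in the other Alpine Dockerfiles and at `@@ -70,7 +80,7 @@` and `@@ -162,7 +174,7 @@` in Dockerfile.template.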
@@ -48,6 +54,8 @@ RUN set -eux; \ zlib1g-dev \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ @@ -93,6 +101,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.2/alpine/Dockerfile b/2.2/alpine/Dockerfile index 889a172..7cd1f28 100644 --- a/2.2/alpine/Dockerfile +++ b/2.2/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.16 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 24f9eec04ee8d9e3652370be3db9852dec8aa650b3c8eeae969300c86b6fd # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -83,7 +87,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.4/Dockerfile b/2.4/Dockerfile index 64fd842..1ed1989 100644 --- a/2.4/Dockerfile +++ b/2.4/Dockerfile 
@@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,6 +53,8 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ @@ -90,6 +98,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.4/alpine/Dockerfile b/2.4/alpine/Dockerfile index a10a614..7cf4db1 100644 --- a/2.4/alpine/Dockerfile +++ b/2.4/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ 
@@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 1cdcfbb3caff8864259e2981039f46f616ff15b6283ca601508325367ab55 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -80,7 +84,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.6/Dockerfile b/2.6/Dockerfile index 64ed554..3477c2c 100644 --- a/2.6/Dockerfile +++ b/2.6/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,6 +53,8 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ 
@@ -90,6 +98,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.6/alpine/Dockerfile b/2.6/alpine/Dockerfile index c6ca86b..3aa467c 100644 --- a/2.6/alpine/Dockerfile +++ b/2.6/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 be48ee8ff9127c402b4c6cf1445cef7052f2c540ed1eff2dd04af677b8cd9 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -80,7 +84,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.8/Dockerfile b/2.8/Dockerfile index 425524c..5105df0 100644 --- a/2.8/Dockerfile +++ b/2.8/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,6 +53,8 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ @@ -90,6 +98,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.8/alpine/Dockerfile b/2.8/alpine/Dockerfile index 9445918..12d2292 100644 --- a/2.8/alpine/Dockerfile +++ b/2.8/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ 
@@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 7a821478f36f847607f51a51e80f4f890c37af4811d60438e7f63783f6759 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -80,7 +84,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/2.9/Dockerfile b/2.9/Dockerfile index d40703e..e783fbb 100644 --- a/2.9/Dockerfile +++ b/2.9/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ @@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,6 +53,8 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ 
@@ -90,6 +98,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/2.9/alpine/Dockerfile b/2.9/alpine/Dockerfile index b2c52f7..3bacf86 100644 --- a/2.9/alpine/Dockerfile +++ b/2.9/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 d1a0a56f008a8d2f007bc0c37df6b2952520d1f4dde33b8d3802710e5158c # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -80,7 +84,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/3.0/Dockerfile b/3.0/Dockerfile index ff9e440..a7500c9 100644 --- a/3.0/Dockerfile +++ b/3.0/Dockerfile @@ -6,6 +6,9 @@ FROM debian:bookworm-slim +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -13,9 +16,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -47,6 +53,8 @@ RUN set -eux; \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ @@ -90,6 +98,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ # smoke test haproxy -v diff --git a/3.0/alpine/Dockerfile b/3.0/alpine/Dockerfile index adae917..a2a25a8 100644 --- a/3.0/alpine/Dockerfile +++ b/3.0/alpine/Dockerfile @@ -6,6 +6,9 @@ FROM alpine:3.19 +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -14,6 +17,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ 
@@ -35,7 +39,7 @@ ENV HAPROXY_SHA256 5d9363667fd2486493165c947e62a701c4b82b261b7dff8ded5d3a1204a78 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments RUN set -eux; \ \ - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -80,7 +84,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ \ # smoke test diff --git a/Dockerfile.template b/Dockerfile.template index 90939b3..991508b 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -1,6 +1,9 @@ {{ if env.variant == "alpine" then ( -}} FROM alpine:{{ .alpine }} +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apk add --no-cache \ @@ -9,6 +12,7 @@ RUN set -eux; \ ; # roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable +# On Alpine, useradd still does not recognize SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ addgroup --gid 99 --system haproxy; \ adduser \ @@ -25,6 +29,9 @@ RUN set -eux; \ {{ ) else ( -}} FROM debian:{{ .debian }} +# SOURCE_DATE_EPOCH is consumed by build scripts +ARG SOURCE_DATE_EPOCH + # runtime dependencies RUN set -eux; \ apt-get update; \ 
@@ -32,9 +39,12 @@ RUN set -eux; \ # @system-ca: https://github.com/docker-library/haproxy/pull/216 ca-certificates \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6 +# On Debian, useradd recognizes SOURCE_DATE_EPOCH to reproduce the "lastchanged" field in /etc/shadow. RUN set -eux; \ groupadd --gid 99 --system haproxy; \ useradd \ @@ -70,7 +80,7 @@ ENV HAPROXY_SHA256 {{ .sha256 }} RUN set -eux; \ \ {{ if env.variant == "alpine" then ( -}} - apk add --no-cache --virtual .build-deps \ + apk add --no-cache --virtual .build-deps=0 \ gcc \ libc-dev \ linux-headers \ @@ -100,6 +110,8 @@ RUN set -eux; \ {{ ) else "" end -}} ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ {{ ) end -}} \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ @@ -162,7 +174,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .haproxy-rundeps $runDeps; \ + apk add --no-network --virtual .haproxy-rundeps=0 $runDeps; \ apk del --no-network .build-deps; \ {{ ) else ( -}} apt-mark auto '.*' > /dev/null; \ @@ -176,6 +188,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ {{ ) end -}} \ # smoke test