Somewhat confusing the the "debian" packages are on a "opensuse" repository 😅

Do we need to replace the use of apt-key add here @tianon ? (recalling I was in the middle of reviewing docker/docs#11990)

We don't immediately "need" to, but we will soon and definitely should.

If we don't actually care about the provenance, we can just download the file straight to /etc/apt/trusted.gpg.d/something.gpg.asc (probably criu.gpg.asc) and it will work in this instance (and be at least as secure as piping to apt-key add -...)

I gave it a quick try, and that works; tried to use ADD instead of curl (so that cache would be invalidated would the key change), but ran into a bug, LOL (opened moby/buildkit#2114)

ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/Release.key /etc/apt/trusted.gpg.d/criu.gpg.asc
# FIXME: workaround for https://github.com/moby/buildkit/issues/2114
RUN chmod 0644 /etc/apt/trusted.gpg.d/criu.gpg.asc
RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
    --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
        echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/ /' > /etc/apt/sources.list.d/criu.list \
        && apt-get update \
        && apt-get install -y --no-install-recommends criu \
        && install -D /usr/sbin/criu /build/

Let me know what you think @tianon @kolyshkin

Actually, let me add install -D /usr/sbin/criu /build/ so that we can revert the change to the COPY --from as well

I guess apt-get install does not have a --prefix option (unless compiling form source) 😓 (would've been nice if we could keep the same paths)

We could do something cute like criu="$(which criu)"; ln "$criu" /build/ after the apt-get install

Given that we don't run the intermediate criu stage, and only use it to download the package, I took a different approach in https://github.com/moby/moby/pull/41739/files#r634478731

We can literally have images in ghcr or hub for all of these things we currently build in the Dockerfile..
Speed things up a lot.

But then we'd have to maintain (multi-arch) images for each of those stages?

Shouldn't be terribly difficult.
We only need to add the versions we pull in here.