OP: What are the technical limitations that stop builds from working inside a single Dockerfile? Just curious.
So comparing the performance of my nginx or PostgreSQL images with images built on the Phusion base wouldn't be fair, since the Phusion base is heavy by Docker standards. A better point of comparison would be the Orchard images (https://index.docker.io/u/orchardup/).
My nginx build uses about 600 KB less RAM per worker than the Ubuntu package (which is what Orchard uses), because mine is statically linked, and musl generally has less overhead per process than glibc. So nothing spectacular.
As for why my images can't be trusted builds, the problem is that a single Dockerfile can't produce multiple images, or specify that only a portion of the final filesystem should be kept. So I have to do the build in two steps: First I produce, say, an nginx-build image, which has all the build-time layers and dependencies, and installs the final run-time artifact in a subdirectory (/runtime). Then I take that subdirectory and add it to the muslbase-runtime or muslbase-static-runtime image (depending on whether the particular build needs shared libraries) to produce the final runtime image. I can't do all of that in one Dockerfile, so it can't be a trusted build.