diff --git a/Dockerfile b/Dockerfile
index 833334334b0b20cdab4351bacf1f2e840f705dc7..2b937f924d8c78c41199454492fdcc184aa7877b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,5 @@
 FROM debian:bullseye
 
-ARG IGNORE_EXPIRY=0
 ENV LANG=C.UTF-8
 ENV DEBIAN_FRONTEND=noninteractive
 
diff --git a/README.md b/README.md
index f9a2a6f4b878d30a7476580e8189d7a1735c0fce..e84476b61bdfc35d7086253163ac331dbe1c2903 100644
--- a/README.md
+++ b/README.md
@@ -55,13 +55,10 @@ Build our Docker image:
 
     docker build -t briar/go-reproducer go-reproducer
 
-Building the image might fail due to expired Debian packages.
-You can disable the expiry check by adding a build argument:
-
-    docker build --build-arg IGNORE_EXPIRY=1 -t briar/go-reproducer go-reproducer
-
-However, note that this might expose the build process to MITM attacks
-which inject outdated vulnerable packages.
+To ensure reproducibility we build the image from a fixed snapshot of Debian
+and ignore expiry warnings for Debian packages. This means the build process
+inside the Docker container may use outdated packages that could contain
+known vulnerabilities.
 
 ### Run the verification