diff --git a/ci/Dockerfile b/ci/Dockerfile
index fc1072623..b6bf54e2e 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -59,11 +59,13 @@ RUN java -version && cargo --version && cargo ndk --version || true \
 && test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"
 
 # Publish tooling (appended last so the heavy toolchain layers stay cached):
-# docker CLI to talk to the runner's host socket for the fdroid steps, and
-# openssh-client to stream the signed repo to Rackham. The build steps don't
-# touch the socket; only the gated publish step does.
+# openssh-client only. The gated publish step hands the signed APK over SSH to a
+# rootless forced-command on the Lucy host, which verifies the signer and re-signs
+# the fdroid index on-host. No docker CLI / host socket is involved any more — the
+# old docker.io dependency was dropped once publish moved off the host docker
+# socket (#444 rootless hardening).
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    docker.io openssh-client \
+    openssh-client \
 && rm -rf /var/lib/apt/lists/*
 
 # The signing keystore is NOT baked — it's injected per-build from the Forgejo
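Review bot: The new comment block states as fact that "No docker CLI / host socket is involved any more", but removing `docker.io` from the image only takes away the client; whether `/var/run/docker.sock` still reaches the container is decided by the runner/workflow configuration that bind-mounts it, which this Dockerfile cannot see or enforce. I would soften that sentence and point at the config that actually dropped the mount, e.g. `# (the socket bind-mount itself lives in the runner config — keep it removed there; this image merely no longer ships a client)`. Since the publish step's safety now rests entirely on reaching the right forced-command host over SSH, it is also worth a one-line reminder here that the step must pin the Lucy host key (a committed known_hosts entry, not `StrictHostKeyChecking=no`) — I cannot see the publish step from this hunk, so confirm it already does. Finally, `openssh-client` is installed unpinned (hadolint DL3008); if the project pins apt packages elsewhere, `openssh-client=<version>` would keep the publish layer reproducible.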