Sat, 05 Dec 2015 14:51:08 +0100
I had the pleasure to attend the first “Reproducible Build Summit” this
week, wonderfully well organized by Debian hackers Holger and Lunar,
along with other brilliant people, and with the support of the Linux
Foundation, the Open Tech Fund, and Google.
Reproducible builds are the technical means by which we can give users a
chance to make sure they get the Corresponding Source, as the GPL calls
it, for a given binary. If a package can be rebuilt by anyone, yielding
a bit-for-bit identical result, then users can make sure they get
genuine binaries. For more background, see:
Around 40 people were at the meeting, including contributors to a
variety of free operating systems and distros, and to privacy- or
autonomy-enhancing projects such as Tor and Coreboot. All the
participants had a lot of insight to share and a common will to provide
users with binaries they can trust.
I think GNU has a role to play: This is all about empowering users.
GNU Guix does its part by providing tools that maximize build
reproducibility and easily allow users to build by themselves, publish
binaries, and challenge third-party binaries:
A more detailed report of the summit for Guix is available at:
But beyond Guix, all the GNU packages can help. First and foremost,
packages that generate build outputs, such as compilers, must be able to
produce deterministic results. Examples of packages that are being
fixed include GCC (mainly for __DATE__ and __TIME__), help2man
(timestamps in the outputs), GNU groff (ditto), Libtool (old versions
used to not sort the output of ‘find’), Emacs autoload generation
(timestamps), and many more. “Leaf” GNU packages can also have problems
of their own.
The Debian non-reproducibility issue database, which is going to be
shared with other distros and interested parties, contains many
examples of these:
I invite you GNU hackers to look into it and see whether there’s
something you can do to improve your package. We’re happy to help with
Guix tools to determine whether build results are deterministic; please
email address@hidden if you’re interested in it.
I think GNU can also help by better supporting reproducible builds with
its infrastructure. Examples of discussions to have include whether/how
we can make ftp.gnu.org truly append-only, and adding recommendations to
the GNU Coding Standards.
There will be other meetings. I hope GNU can bring more good news there!
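The two defect classes named above (timestamps leaking into build outputs, and tools that emit files in whatever order ‘find’ happens to return them) can be reproduced and fixed in a few dozen lines. The following is an added example, not code from Ludovic's message, from Guix or from Debian: it packs a constructed sample source tree into a tar archive the careless way and the reproducible way, simulating a second build on a later day with a differently ordered file listing, and returns the SHA-256 of each result. The fixes it applies are the usual ones: sort the entry list, clamp mtimes to SOURCE_DATE_EPOCH, and blank owner metadata. The file names, contents and the epoch value are assumptions chosen for the demo.

```python
"""Added example: two sources of non-reproducibility (embedded timestamps,
unsorted directory traversal) on a tar archive, and the standard fixes.
Not Guix or Debian code; the sample tree below is constructed for the demo."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample tree: the contents are identical across "builds".
SAMPLE_FILES = {
    "README": b"hello\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
}


def make_tree(root, files, mtime):
    """Write `files` under `root` and stamp each one with `mtime`."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def build_tarball(root, paths, deterministic, source_date_epoch=None):
    """Pack `paths` (relative to `root`, in the order a 'find' run returned
    them) into a tar archive and return its bytes.

    deterministic=False mimics the buggy pattern: entries are written in
    arrival order and mtime/uid/gid/uname are copied from the filesystem,
    so the archive changes with the build time and the build machine.
    deterministic=True applies the reproducible-builds fixes.
    """
    if deterministic:
        paths = sorted(paths)  # the Libtool fix: never trust find's order
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in paths:
            full = os.path.join(root, rel)
            info = tar.gettarinfo(full, arcname=rel)
            if deterministic:
                # Clamp rather than overwrite: files older than the source
                # date keep their mtime, newer ones are pinned to
                # SOURCE_DATE_EPOCH (the convention Debian adopted).
                info.mtime = min(int(info.mtime), source_date_epoch)
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = int(info.mtime)
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builds(source_date_epoch=1_400_000_000):
    """Simulate two builds of the same sources on different days, with
    'find' listing the files in a different order each time, and return
    the digests of the naive and of the fixed archives."""
    first_order = ["src/util.c", "README", "src/main.c"]
    second_order = ["README", "src/main.c", "src/util.c"]
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, SAMPLE_FILES, mtime=1_500_000_000)  # first build
        make_tree(b, SAMPLE_FILES, mtime=1_500_000_100)  # rebuilt later
        naive = (sha256(build_tarball(a, first_order, False)),
                 sha256(build_tarball(b, second_order, False)))
        fixed = (sha256(build_tarball(a, first_order, True, source_date_epoch)),
                 sha256(build_tarball(b, second_order, True, source_date_epoch)))
    return {"naive": naive, "fixed": fixed}


if __name__ == "__main__":
    result = compare_builds()
    print("naive archive reproducible?", result["naive"][0] == result["naive"][1])
    print("fixed archive reproducible?", result["fixed"][0] == result["fixed"][1])
```

One caveat the clamp makes visible: SOURCE_DATE_EPOCH has to be the date of the sources (a changelog or commit date), not the date of the build. If it is set later than the files' own mtimes, nothing gets clamped, the real timestamps leak through, and the "fixed" archive stops being reproducible; calling `compare_builds(1_600_000_000)` above shows exactly that.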
Reproducible GNU!, Ludovic Courtès