guile-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributed verification of release tarballs using Guix? (was Re: Re


From: Rob Browning
Subject: Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?)
Date: Wed, 24 Jul 2019 23:15:31 -0500

Ludovic Courtès <address@hidden> writes:

> One issue is that “make dist” is non-deterministic because the archive
> contains timestamps; I’m sure there of other sources of non-determinism
> though, because “make dist” was not designed with that in mind.
>
> The non-source byproducts in release tarballs are: the pre-built .go
> files (which are optional), psyntax-pp.scm, and then Info files and all
> the autotools machinery.  Are these those you had in mind?

If you haven't already seen it, I'd also suggest consulting
https://reproducible-builds.org.  They've been doing a lot of relevant
heavy-lifting over the past few years (working on the relevant tools,
generating patches or workarounds, etc.).  Their diffoscope tool might
also be of interest: https://reproducible-builds.org/tools/

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



reply via email to

[Prev in Thread] Current Thread [Next in Thread]