[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: unexpected reproducibility of reproducible blog post?
|
From: |
zimoun |
|
Subject: |
Re: unexpected reproducibility of reproducible blog post? |
|
Date: |
Mon, 4 May 2020 16:25:59 +0200 |
Hi Konrad,
(add Ludo for advice :-))
On Mon, 4 May 2020 at 15:50, Konrad Hinsen <address@hidden> wrote:
> > I will add something overthere for tracking reproduciblity infos in
> > the future.
>
> It would actually be nice to have some external Guix reproducibility
> surveillance. A few benchmark packages that will be rebuilt regularly,
> using frozen commits via time-machine, and checked for bit-by-bit
> identity explicitly, not relying on Guix' hash mechanism. Trust but
> verify.
>
> My example is perhaps not such a bad start. Building a Docker container
> containing gcc exercises a lot of code in Guix.
Does it make sense to:
add the file "tests/guix-reproducibility.sh"?
So that reproducibility issues are detected by "make check".
Or add another rule in the Makefile?
Or test reproducibility outside the Guix tree?
All the best,
simon
>
> I looked a bit at grafts. The documentation at
>
> https://guix.gnu.org/manual/en/html_node/Security-Updates.html
>
> isn't very explicit about the reproducibility of grafts. In particular,
> it doesn't say if a package containing patched binaries retains its
> original hash, or receives a new unique one. With a unique hash, grafts
> would just be a tweak in the build system, and no less reproducible than
> standard builds. It looks like I have to dive into the source code to
> find out!
>
> Cheers,
> Konrad