From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: =?utf-8?Q?Ludovic_Court=C3=A8s?= Newsgroups: gmane.lisp.guile.devel Subject: Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?) Date: Mon, 17 Jun 2019 10:44:18 +0200 Message-ID: <87sgs838kd.fsf@gnu.org> References: <87d0jrp0g3.fsf@gnu.org> <87sgsa2co4.fsf@netris.org> <87a7eh6x8m.fsf@gnu.org> <87v9x5tbsl.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="238153"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) Cc: Andy Wingo , guile-devel To: Mark H Weaver Original-X-From: guile-devel-bounces+guile-devel=m.gmane.org@gnu.org Mon Jun 17 10:44:49 2019 Return-path: Envelope-to: guile-devel@m.gmane.org Original-Received: from lists.gnu.org ([209.51.188.17]) by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hcnFw-000zoO-1n for guile-devel@m.gmane.org; Mon, 17 Jun 2019 10:44:48 +0200 Original-Received: from localhost ([::1]:45198 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hcnFu-0007aq-LP for guile-devel@m.gmane.org; Mon, 17 Jun 2019 04:44:46 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:46588) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hcnFV-0007aj-Ms for guile-devel@gnu.org; Mon, 17 Jun 2019 04:44:22 -0400 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]:43913) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hcnFU-0004g0-TF; Mon, 17 Jun 2019 04:44:20 -0400 Original-Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=55286 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1hcnFU-0004E3-Ff; Mon, 17 Jun 2019 04:44:20 -0400 X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 29 Prairial an 227 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu In-Reply-To: <87v9x5tbsl.fsf@netris.org> (Mark H. Weaver's message of "Sun, 16 Jun 2019 18:17:46 -0400") X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-BeenThere: guile-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Developers list for Guile, the GNU extensibility library" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guile-devel-bounces+guile-devel=m.gmane.org@gnu.org Original-Sender: "guile-devel" Xref: news.gmane.org gmane.lisp.guile.devel:19973 Archived-At: Hi Mark, Mark H Weaver skribis: > Sure, I can take care of updating NEWS in the next day or two. Awesome, thank you! >>> Regrettably, Guile 2.2 has become too heavy to build on the only machine >>> in my possession that I have any trust in. I don't have a machine that >>> I consider sufficiently trustworthy to produce build outputs for wider >>> distribution. I'm not sure that any of us do. >> >> Note that =E2=80=9Cmake dist=E2=80=9D is rather inexpensive; > > I assume it builds the prebuilt .go files, no? That involves running > Guile's compiler, which is too heavy to run on my Yeeloong. I think it=E2=80=99s not that bad if you already have build tree with Guile= =E2=80=99s compiler. If you start from scratch, it=E2=80=99s definitely expensive. > If you'd like to produce the 2.2.5 release in the traditional way, > that's fine with me. I'm not comfortable doing it myself, though. OK, I can do this. >> One issue is that =E2=80=9Cmake dist=E2=80=9D is non-deterministic becau= se the archive >> contains timestamps; I=E2=80=99m sure there of other sources of non-dete= rminism >> though, because =E2=80=9Cmake dist=E2=80=9D was not designed with that i= n mind. > > Right. I suppose the right approach is to start a conversation with the > autotools developers. In the meantime, I wonder if we could implement > our own deterministic version of "make dist" using Guix, and use that > instead. Or perhaps it would be easier to use "make dist" and then > canonicalize the timestamps in the resulting tarball in a later step? > > Thoughts? I think you raise valid concerns, but they are to some extent beyond the scope of Guile. Regarding =E2=80=9Cmake dist=E2=80=9D, there=E2=80=99s the issue of tar tim= estamps, of version.texi, and probably others of that sort in the autotools-generated machinery. So yes, I think this should be discussed with the Automake/Autotools developers. Namely: how can we achieve reproducible =E2=80=9Cdist=E2=80=9D= builds? Which tools should honor SOURCE_DATE_EPOCH and how? etc. As a PoC and/or interim solution, we could also try to hack a reproducible =E2=80=9Cmake dist=E2=80=9D in Guix. For Guix, from a bootstrapping viewpoint, the alternative is to do away with tarballs produced by =E2=80=9Cmake dist=E2=80=9D and instead always run =E2=80=9Cautoreconf=E2=80=9D ourselves, like Debian does. That would solve= a large part of the problem. >> The non-source byproducts in release tarballs are: the pre-built .go >> files (which are optional), psyntax-pp.scm, and then Info files and all >> the autotools machinery. Are these those you had in mind? > > Yes, all of the above are potential security risks, except possibly for > the info files. I think psyntax-pp.scm is the main issue since all the others can be trivially rebuilt (the package in Guix deletes the pre-built .go files for instance.) With regards to bootstrapping in the context of Guile, I believe psyntax-pp.scm should be our primary concern. Thanks, Ludo=E2=80=99.