David Philipe Gil via Bug reports for GNU Guix writes: > Interesting -- ive never heard of guix challenge... > > I ran it and here is my result: > > ''' > > 8,427 store items were analyzed: >   - 3,480 (41.3%) were identical >   - 147 (1.7%) differed >   - 4,800 (57.0%) were inconclusive > > ''' > > So, does this mean that some of the binaries that are being hosted may > be malicious? It means that 147 out of 3627 items that could be found on the remote server were not reproducible. Or about 4%. There are some known offenders such as debug outputs: you can use 'guix challenge --diff=diffoscope' to get detailed information about the differences. 96% is close to Debian's number: . It would be good to file bugs about those 4% and bring the number closer to zero. :-) "inconclusive" just means that the remote did not have those store items available, so Guix was unable to challenge them. > I am only somewhat "techie" if i built my own binaries is it "easy" to > publish my binaries? Yes: simply running 'guix publish' starts a web server that can be used with --substitute-urls. You'll also need to generate a signing key and authorize it on all clients. There is a service available for 'guix publish', also on foreign distributions.