From: carlo von lynX
Subject: Install FAQ: Only build the non-deterministic packages?
Date: Fri, 16 Sep 2016 19:11:00 +0200
Message-ID: <20160916171100.GA1210@lo.psyced.org>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello everyone!

Some questions I couldn't resolve from manuals and searches:

I haven't figured out if there is a way to know which packages are reproducible. I would like to configure my guix to only fetch binaries that a sufficient number of people agree on to be deterministic - and for a start it doesn't even have to be all digital signatures and stuff: it would be enough if the process is known to be deterministic, so the package definition carries the checksums for the appropriate binary package with it. I doubt an attacker would dare to mess with that, at least not now.

I just checked git://git.debian.org/git/reproducible/notes.git but there are only 118 packages saying "deterministic: True". What happened to the plan of making that database multi-distro? I also read about the "Reproducible Build Summit" and I am glad Lunar is still on course.

I also saw https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883 about trustable "guix pull". Is it still the case that the update of package definitions is happening over unsecured http? Concerning git consistency, isn't it enough to run git fsck so that a mitm intervention would sooner or later be detected?

And concluding, do you know if Nix is in any better or worse condition regarding reproducibility and security of the toolchain than Guix? Does nix-pull have the same problem?

Best regards and keep up the good work!

P.S. I'm working with ng0, trying to make a trustworthy system image for GNUnet/secushare installations. Guix is a top notch candidate for dissemination. Even if I hate guile and emacs.

-- 
E-mail is public! Talk to me in private using encryption:
http://loupsycedyglgamf.onion/LynX/
irc://loupsycedyglgamf.onion:67/lynX
https://psyced.org:34443/LynX/
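The policy the message asks for ("only fetch binaries that a sufficient number of people agree on") can be stated concretely as a quorum check over the hashes that independent substitute servers report for the same store item. The following is an added example, not code from the email, from Guix, or from its own `guix challenge` tool (which does the real comparison against a local rebuild). It parses constructed narinfo-style records (only the `StorePath` and `NarHash` keys are used; the server names, paths and hashes are made up) and accepts an item only when at least `QUORUM` servers agree and none disagrees. `QUORUM`, `parse_narinfos`, `classify` and `accepted_substitutes` are names chosen for this example.

```python
from collections import Counter

QUORUM = 2  # hypothetical policy knob: independent servers that must agree

# Constructed narinfo-style records with made-up paths and hashes.  The real
# format carries more fields (URL, NarSize, References, Signature, ...); the
# quorum check below only needs StorePath and NarHash.
NARINFOS = {
    "server-a": """\
StorePath: /gnu/store/xxxx-hello-2.10
NarHash: sha256:1111

StorePath: /gnu/store/xxxx-foo-1.0
NarHash: sha256:2222

StorePath: /gnu/store/xxxx-bar-3.2
NarHash: sha256:3333
""",
    "server-b": """\
StorePath: /gnu/store/xxxx-hello-2.10
NarHash: sha256:1111

StorePath: /gnu/store/xxxx-foo-1.0
NarHash: sha256:2222

StorePath: /gnu/store/xxxx-baz-0.4
NarHash: sha256:4444
""",
    "server-c": """\
StorePath: /gnu/store/xxxx-hello-2.10
NarHash: sha256:1111

StorePath: /gnu/store/xxxx-foo-1.0
NarHash: sha256:9999

StorePath: /gnu/store/xxxx-baz-0.4
NarHash: sha256:4444
""",
}


def parse_narinfos(text):
    """Return {store_path: nar_hash} from blank-line separated narinfo records."""
    result = {}
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            # partition on the first colon only: the NarHash value itself
            # contains a colon ("sha256:...")
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "StorePath" in fields and "NarHash" in fields:
            result[fields["StorePath"]] = fields["NarHash"]
    return result


def classify(path, reports, quorum=QUORUM):
    """Verdict for one store path given {server: {path: hash}} reports.

    Returns (verdict, nar_hash); nar_hash is only set for "agreed".
    Any disagreement is treated as evidence of non-determinism (or a
    tampered server), so a majority never outvotes a dissenting builder.
    """
    hashes = [r[path] for r in reports.values() if path in r]
    if not hashes:
        return "unknown", None
    counts = Counter(hashes)
    if len(counts) > 1:
        return "contested", None
    (nar_hash, agreeing), = counts.items()
    if agreeing < quorum:
        return "insufficient", None
    return "agreed", nar_hash


def accepted_substitutes(raw_narinfos, quorum=QUORUM):
    """Map every advertised store path to its verdict; only "agreed" items
    would be fetched as binaries, the rest fall back to a local build."""
    reports = {srv: parse_narinfos(txt) for srv, txt in raw_narinfos.items()}
    paths = set().union(*reports.values())
    return {p: classify(p, reports, quorum) for p in sorted(paths)}


if __name__ == "__main__":
    for path, (verdict, nar_hash) in accepted_substitutes(NARINFOS).items():
        print(f"{verdict:12} {path} {nar_hash or ''}")
```

With the sample data, `hello` and `baz` are agreed on by two or more servers, `foo` is contested because one server reports a different hash, and `bar` is advertised by a single server only and so falls below the quorum; the last two would be built locally rather than fetched.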