From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id UDKABx21pWLmfwEAbAwnHQ (envelope-from ) for ; Sun, 12 Jun 2022 11:42:53 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id mCx/Bx21pWI+vwAA9RJhRA (envelope-from ) for ; Sun, 12 Jun 2022 11:42:53 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B7BA3C343 for ; Sun, 12 Jun 2022 11:42:52 +0200 (CEST) Received: from localhost ([::1]:33912 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1o0K7P-0007eA-R6 for larch@yhetil.org; Sun, 12 Jun 2022 05:42:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51238) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1o0K6q-0007dM-8Z for guix-devel@gnu.org; Sun, 12 Jun 2022 05:42:16 -0400 Received: from ns13.heimat.it ([46.4.214.66]:37712) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1o0K6n-0003IF-RJ for guix-devel@gnu.org; Sun, 12 Jun 2022 05:42:16 -0400 Received: from localhost (ip6-localhost [127.0.0.1]) by ns13.heimat.it (Postfix) with ESMTP id 5381330022E; Sun, 12 Jun 2022 09:42:10 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it Received: from ns13.heimat.it ([127.0.0.1]) by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTtENthMZPCA; Sun, 12 Jun 2022 09:42:08 +0000 (UTC) Received: from bourrache.mug.xelera.it (unknown [93.56.171.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by ns13.heimat.it (Postfix) with ESMTPSA id 5BBB830022D; Sun, 12 Jun 2022 09:42:08 +0000 (UTC) Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14]) by bourrache.mug.xelera.it (Postfix) with SMTP id D36C61B879B5; Sun, 12 Jun 2022 11:42:07 +0200 (CEST) Received: (nullmailer pid 20532 invoked by uid 1000); Sun, 12 Jun 2022 09:42:07 -0000 From: Giovanni Biscuolo To: Ricardo Wurmus , guix-devel@gnu.org Cc: Arun Isaac Subject: Re: On commit access, patch review, and remaining healthy In-Reply-To: <878rq22syb.fsf@elephly.net> Organization: Xelera.eu References: <878rq22syb.fsf@elephly.net> Date: Sun, 12 Jun 2022 11:42:06 +0200 Message-ID: <874k0qi5g1.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=46.4.214.66; envelope-from=g@xelera.eu; helo=ns13.heimat.it X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1655026972; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=vDaO4Hh/QKKRUzZiq79GgUWU4O5pEsu+OEfoX05hfnY=; b=B9oEfgsDMfnks1n/uexE9/Jgcyo0S9oFVSdUnISmLocuxElBKropLo1wwCKzJgnbdnViaS CV+ve1xVb8QJYSiubd8Ak3vQmFxfyqdiK8RLyzt+MPQhPMWd7cyKrGh0sqS9CD/IBeGjMh b7I/J201cAx39ja5COCQRt5/CqVD/vfDj5MwiQVoj5tBtZxa4qccWpGeXjzXj3WtrNcnZZ j4pZhYwlqVKvDzsgztlt/RYNkm5QhHWaor9Or5Umn9NzzCbXN8p2+G82RCV1/XXggD17RO S7TTia4AgN6oYFLiX7BROkBtaaW0Op+Ibv9p7j+zJhLdNWTNKosGVQhk7FtUeg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1655026972; a=rsa-sha256; cv=none; b=RQifUM5b8WeLWwm/D/3pDawYGOG7eF5sAWFbW12XdElg/mcrPlxfaoOF6DQr1XGJoCvC0g LfX5EBaDv9AwJgGUxN59jSGk9V6rgJS5kuzmE4E8kmv7J8JCFWWns5Tzh45XJDOEt4zkQQ nf2YgBt01lUi6w6Q/zFZwNKgdLmne42ShvMpJL/JShSyr2mhzQQsTmhcnMPkxHHtbf9jBl lWfMh9VfGY0Sw9wHm9qWIbWN1o/KSMByb7QCcID9mAex9IFzT+CBorLkERBpqT+o79A3Wz tziW2fevXdoN46koB+7GFU7W/Tv/HOyQznwQoACuSOiJOm5h1+CjPEQ8k8k92w== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -4.89 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: B7BA3C343 X-Spam-Score: -4.89 X-Migadu-Scanner: scn1.migadu.com X-TUID: nHqAPaBr7BTB --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi Ricardo and all, following this discussion, it came to my mind a great presentation made by Prot: https://protesilaos.com/codelog/2021-12-21-emacsconf2021-freedom/ =C2=ABHow Emacs made me appreciate software freedom=C2=BB especially the "You can't be an Emacs tourist" part; I think that similar arguments can be adapted to a "(Guix?) Software developer can't be a repro+bootstrapping tourist" (to fully unserstand my analogy please read or listen to Prot presentation) concerning this discussion, this is probably the most interesting part: =2D-8<---------------cut here---------------start------------->8--- Now you may wonder why do I mention those things? Shouldn't we make Emacs easier for everyone? Yes, we should make everything as simple as possible. Though that still does not refashion Emacs into something entirely different. We continue to have a potent tool at our disposal that we must treat with the requisite respect. Take, for instance, the various frameworks that set up Emacs in an opinionated way so that newcomers get everything set up for them out-of-the-box. There is nothing wrong with those frameworks. In fact, a large part of the community uses them to great effect. However, the point stands: even after every package has been set up for you, you still have to put in the work in making use of your newfound computing freedom. =2D-8<---------------cut here---------------end--------------->8--- Ricardo Wurmus writes: [...] >>> - We build strictly from source. >> >> This is also a requirement now adopted by many other distributions, at >> least all the ones in https://reproducible-builds.org/who/projects/ > > NixOS is on the list, but they don=E2=80=99t have this requirement. That= =E2=80=99s why > they have Java packages that are little more than the upstream jars, good point Ricardo, the very moment I started replying I had it in my mind but forgot to write it I guess that all experienced packagers or maintainers well understands what's needed in order to get a reproducible AND bootstrappable package: almost all of the "constraints" Guix "impose" to packagers and contributors depends from this... let's call them "golden rules of software security"? I just feel sometimes it's hard for newcomers to understand this, especially considering that unfortunately both some projects in that list (https://reproducible-builds.org/who/projects/) and some (some?) upstream developers do not care much about them the "tag line" of https://reproducible-builds.org/ is =2D-8<---------------cut here---------------start------------->8--- Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. =2D-8<---------------cut here---------------end--------------->8--- honestly I did not study all the reproducible-builds.org documentation, but it's impossible to me to understand how a packaged upstream jar can be considered reproducible (and bootstrappable); maybe distros like NixOS are still slowly transitioning to a full reproducible build workflow? IMHO the simple fact that (some, one?) projects listed on reproducible-builds.org are still bundling binaries in their packages it's too confusing for newcomers > or have packages with bundled dependencies (e.g. vendored jars). bundling binaries it's (is it?) for sure against the definition of a reproducible build, but what about bundling (source) dependencies? AFAIU not to bundle (source) dependencies is an additional Guix requirement (and it is a Good Thing=E2=84=A2): do I miss something? Thanks! Gio' =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmKltO4MHGdAeGVsZXJh LmV1AAoJENN9DqfOzDkS2rcQAKEUH7vMi9LEhLx0RdcsuOFvZW+N5NvLbjHpGH8b KfvgxTKC/tlwCME/HtFeyIwmuxeE5YT4fKNBxDTFRlfvIIGvdNtBDJUlPJ86Rnlq DZkUQDhzzJAUSmX8F2D019V70ZlvxTbMIajUJZk36Sf8BLBI0u1Q4oLPMLheZ4/p N8Ic0fJpDQdkwmTt7wdfBxS2ULpWUF1RPWFo3yE9RAcSdc9WLc5NeLU3h7Md2poX Ps40UvEBJAyaOIx7Frbtzs497IVPhBtjGZTOd3Aj9aGajYEjaHyM32KItARcDgnn JjuUKJw+aArTp7y4TuuoDK1uA7icXr4PwrLpnNw+TWonUenrobt/WGsNDx1T/Fdl 6eAYpmZ/m25OJkedZRwqopoHBsMA30Sq/DO+3GahGysmfZmfW8IeY1QwSKh+tigh wl6ZvkkyKWZ/moSLs9kqKogBNNivf7oZjA4AhV54dlFg4fOBLOobECYh77nE1vC+ PCRpoiKg8atmnifc3v/auWMT/iYSM2HG9qyYpki1zo2IE0DntbDC7HWPYGlcM1gK VrOsx/LBjHjziw2TbSKmF4YADCDPons+RyxhXE+Tm8p5Ylzb9fG4952I0WE+tAEG Y/Yoz5jzOFqs29UovN9hpzAuTr90LR+YMA5mVAIeUy7XywOT3h1D7/uuc+RwsCoE hcN4 =0Qx4 -----END PGP SIGNATURE----- --=-=-=--