From: Giovanni Biscuolo
Subject: reproducibility and bootstrapping in mid 2019 (was Re: on cabal revisions)
Date: Sat, 15 Jun 2019 11:02:53 +0200
To: Timothy Sample, Robert Vollmert
Cc: guix-devel@gnu.org

Hello Timothy and Robert,

(a little OT re cabal import, but...)

sorry if I repeat something already said on this list... and sorry for a *personal* rant :-)

Timothy Sample writes:

[...]

> IIRC, Nix automatically imports all Haskell packages from Hackage (I’m a
> little fuzzy on the details, though).

https://github.com/NixOS/nixpkgs/blob/release-19.03/pkgs/development/haskell-modules/hackage-packages.nix

--8<---------------cut here---------------start------------->8---
/* hackage-packages.nix is an auto-generated file -- DO NOT EDIT! */
--8<---------------cut here---------------end--------------->8---

Please do not do this in Guix.

I don't have details about auto imported Haskell packages reproducibility in Nix, I just remember other *historical* approaches with Javascript packages in a fine 2015 analysis by Christopher Lemmer Webber

https://web.archive.org/web/20180528141816/http:/dustycloud.org/blog/javascript-packaging-dystopia/

«Unfortunately, Nix just downloads the prebuilt binary and installs that»

Today Nix ships these jquery-related packages:
https://nixos.org/nixos/packages.html#jquery

and AFAIU jquery (python37Packages.xstatic-jquery, haskellPackages.js-jquery) are still static prebuilt binaries

Are they counted as reproducible by this kind of check: https://r13y.com/ ?

[...]

> One of the main issues with automatic package maintenance in Guix is
> that we have some unconventional, non-technical and semi-technical
> requirements on our packages. We need to follow the FSDG (Free
> Software Distribution Guidelines); we try and make sure that
> everything has a useful synopsis and description; and we try to make
> sure everything is bootstrappable and reproducible. I say
> “unconventional” above because there are often upstream issues with
> these things that need to be fixed manually.

Re. reproducibility, unfortunately it's **not** a shared goal between _packaging systems_ developers, so for example we have a good pile of npm packaged code that is _still_ a *nightmare* from the reproducibility POV

Hey developers: please come and work with Guix on a reproducible way to build and distribute software; Guix has all that's needed, please stop reinventing the *square* wheel.

Citing Christopher's article above:

«And let's face it, "fuck it, I'm out" seems to be the mantra of web application packaging these days. Our deployment and build setups have gotten so complicated that I doubt anyone really has a decent understanding of what is going on, really.»

AFAIU this is _still_ the sad situation today with web applications development, probably 99% of web developers/deployers in the world are "solving" this with Docker app bundles containing piles of mysterious layers of mixed reproducible and static binaries downloaded _somewhere_, cryptominers included

There are successful projects out there that _proudly_ declare the *only* officially supported distribution method is their Docker bundle...

World: **we have a problem**

https://web.archive.org/web/20180528121826/https://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html

«Feels like downloading Windows shareware in the 90s to me.»

I don't know the reproducibility situation with Stackage or Hackage defined packages (and web applications), I just hope it's better than this.

Re. bootstrapping, unfortunately we still have an unbootstrappable Haskell toolchain

https://web.archive.org/web/20190615075205/http://www.joachim-breitner.de/blog/748-Thoughts_on_bootstrapping_GHC
https://elephly.net/posts/2017-01-09-bootstrapping-haskell-part-1.html

...but that's the same with some jvm languages
http://bootstrappable.org/projects/jvm-languages.html

Anyway at least "the plan" to work it out is in good shape... the world just needs to invest much more resources on these serious infrastructure problems, but it's too... distracted :-D

Last but not least: a huge pile of deep gratitude to all the people around the world working to solve this sad sad situation!

Happy Guix! Gio'.

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures