From: Ludovic Courtès
To: Christopher Baines
Cc: guix-devel@gnu.org
Subject: Re: Build reproducibility metrics
Date: Thu, 04 Jun 2020 14:44:23 +0200
Message-ID: <87k10n9f14.fsf@gnu.org>
In-Reply-To: <87lfl351gk.fsf@cbaines.net> (Christopher Baines's message of "Wed, 03 Jun 2020 21:38:51 +0100")
References: <87lfl351gk.fsf@cbaines.net>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello!

Christopher Baines wrote:

> I've also been writing and trying to use the Guix Build Coordinator [1]
> to build Guix packages and provide substitutes. That has got to the
> point where it's not getting stuck every day at least, and more
> than 80% of packages are available.
>
> 1: https://git.cbaines.net/guix/build-coordinator/about/

Well done!

> Combining that with the substitute server operated by Tobias, which has
> a pretty awesome substitute availability of over 90% for recent
> revisions, not only is there data from 4 different substitute servers to
> use in the comparison, but the proportion of packages where there isn't
> sufficient data is pretty low, below 10%.
>
> I'm currently using the data.guix-patches.cbaines.net instance of the
> Guix Data Service, you can see the package substitute availability for
> the latest revision using this URL [1], and the package reproducibility
> at this URL [2].
>
> 1: https://data.guix-patches.cbaines.net/repository/2/branch/master/latest-processed-revision/package-substitute-availability
> 2: https://data.guix-patches.cbaines.net/repository/2/branch/master/latest-processed-revision/package-reproducibility

That’s really good!  It’s the first time we have this good an overview
of the package reproducibility status.

> Some caution is needed when interpreting this data. It's most probably
> less up to date than what you'd get through running the guix weather or
> guix challenge commands, as it takes the Guix Data Service time to query
> the data, that querying process isn't very reliable at the moment
> either. Additionally, the "matching" percentage could easily go down if
> that output is built with a different hash in the future.
>
> While the number itself maybe isn't the most useful thing, I like that
> clicking through to the "Not matching" outputs will show a list of
> outputs which didn't build reproducibly, which is something that could
> help identify reproducibility issues to investigate and fix.

Yes, definitely.  There’s also always the option of running ‘guix
challenge’ locally.

> I think things are coming together on the substitute server side. The
> goal I have in mind for this is for users of Guix to be able to have
> greater trust in the substitutes they use, through trusting substitutes
> only if they've been built reproducibly on multiple substitute servers. It
> would be great to see work start soon on how guix as a client to
> substitute servers might be enhanced to check for reproducibility when
> fetching substitutes.

Agreed!  I think between that, the reduced bootstrap seeds, and
authenticated checkouts, we’re starting to have a good security story.

Thank you!

Ludo’.
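
An added example, not part of the original message and not code from Guix or the Guix Data Service: a sketch of the client-side check discussed above, sorting an output into "matching", "not matching" or "insufficient data" by comparing the NarHash that several substitute servers advertise for it. The server names (s1 to s4), store paths and hashes are constructed, and it assumes each narinfo's signature was already verified against its server's key.

```python
from collections import Counter

def parse_narinfo(text):
    """Parse the 'Key: value' lines of a narinfo into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(store_path, responses, min_servers=2):
    """responses maps server name -> narinfo text, or None if it has no substitute.
    Returns (status, nar_hash); nar_hash is set only when status is 'matching'."""
    hashes = {}
    for server, text in responses.items():
        info = parse_narinfo(text or "")
        # Skip servers with no answer, or an answer about another store item.
        if info.get("StorePath") == store_path and "NarHash" in info:
            hashes[server] = info["NarHash"]
    if len(hashes) < min_servers:
        return ("insufficient-data", None)
    counts = Counter(hashes.values())
    if len(counts) > 1:  # any disagreement: the output did not build reproducibly
        return ("not-matching", None)
    return ("matching", next(iter(counts)))

def make_narinfo(path, nar_hash):  # builds constructed sample data only
    return (f"StorePath: {path}\nURL: nar/{path.rsplit('/', 1)[1]}\n"
            f"Compression: gzip\nNarHash: {nar_hash}\nNarSize: 1234\n")

HELLO = "/gnu/store/" + "a" * 32 + "-hello-2.10"  # constructed store paths
FOO = "/gnu/store/" + "b" * 32 + "-foo-1.0"
BAR = "/gnu/store/" + "c" * 32 + "-bar-0.1"
SAMPLE = {
    HELLO: {s: make_narinfo(HELLO, "sha256:AAAA") for s in ("s1", "s2", "s3", "s4")},
    FOO: {"s1": make_narinfo(FOO, "sha256:BBBB"), "s2": make_narinfo(FOO, "sha256:BBBB"),
          "s3": make_narinfo(FOO, "sha256:CCCC"), "s4": None},
    BAR: {"s1": make_narinfo(BAR, "sha256:DDDD"), "s2": None, "s3": None, "s4": None},
}

def report(sample=SAMPLE, min_servers=2):
    """Classify every constructed sample output; a client would trust only 'matching'."""
    return {path: classify(path, resp, min_servers) for path, resp in sample.items()}

if __name__ == "__main__":
    for path, (status, nar_hash) in report().items():
        print(f"{status:18} {path} {nar_hash or ''}")
```

Agreement between servers only adds assurance when the servers are operated and built independently; min_servers sets how many of them must have answered before a verdict is given.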