From: ng0
Subject: Re: roadmap item
Date: Fri, 30 Sep 2016 14:48:30 +0000
Message-ID: <87k2dtv3y9.fsf@we.make.ritual.n0.is>
References: <87bmz58ty7.fsf@we.make.ritual.n0.is> <20160930142618.GA5629@jocasta.intra>
In-Reply-To: <20160930142618.GA5629@jocasta.intra>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: John Darrington
Cc: guix-devel@gnu.org

John Darrington writes:

> [ Unknown signature status ]
> On Fri, Sep 30, 2016 at 12:15:28PM +0000, ng0 wrote:
> Hi,
>
> can we add something to the roadmap like this:
>
> - guix package --search should display if the returned packages one
> asked for are reproducible.
>
> Having a distinction between reproducible and not reproducible would
> enable us (or at least help us) to display the progress towards a fully
> reproducible system.
>
>
> I don't see how anyone can say that package X is definitely reproducible.
> Just because it built identically twice, doesn't mean that it'll happen
> again the third time - especially if that attempt is on a different
> machine, day-of-week etc
>
> Perhaps there could be a flag to indicate "this derivation has been demonstrated
> NOT to be reproducible".

That should be more like what I wanted to express with this, the NOT
part. For more, read below.

> J'
>
> --
> Avoid eavesdropping. Send strong encrypted email.
> PGP Public key ID: 1024D/2DE827B3
> fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
> See http://sks-keyservers.net or any PGP keyserver for public key.
>

There's something I have been discussing with other people, and there's
a social component I want to add. It should be trivial at some point to
establish a system based on the social graph
(http://secushare.org/security) where people who build the software can
certify that version Z of package X at point Y in time did build N times
without changing results.

Of course that's the future, and there's more than just an idea, but
it's not documented anywhere public so far.

We could of course try to establish something similar already, based on
the results of different hydras already running and building 24/7, on
different hardware, different systems and building different packages
already at different times and days of the week. The progress of
publishing these results should not be entirely automated.