unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Alex Vong <alexvong1995@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: Reproducible builds: a means to an end
Date: Wed, 18 Nov 2015 02:01:45 +0800	[thread overview]
Message-ID: <CADrxHD8HrK+Hmzw0277ZyBgUthENodwgsOimVqhtwWZW1ckNow@mail.gmail.com> (raw)
In-Reply-To: <87wpti3qba.fsf@gnu.org>

Hi,

On 16/11/2015, Ludovic Courtès <ludo@gnu.org> wrote:
> Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:
>
>> I wonder how we as a project could help the reproducible builds project
>> and/or directly benefit from their findings.
>
> I was invited to their first Reproducible World Summit in December,
> along with people from many different projects.  I guess the main focus
> will be on collaboration and knowledge sharing.  We’ll see!
>
>> Are there ready-made patches we could apply to our package recipes?
>> Or should we just wait for upstream projects to be fixed?
>
> Sometimes there are ready-made patches that can be found in Debian or
> other distros, sometimes not.  Often they’re hard to find though (for
> instance, patch-tracker.debian.org seems to be off-line.)
>
Yes, according to
<https://lists.debian.org/debian-devel/2014/05/msg00889.html>, the
maintainer of patch-tracker.debian.org has been missing in action
until now. I think the website will be off-line in the near future.

>> The utility of “guix challenge” is much reduced when for so many
>> packages we do not actually have reproducible builds.
>>
>> (Maybe we could have a page that lists packages that “guix challenge”
>> suggests as having non-reproducible builds.)
>
> “guix challenge” is a simple way to find out which packages are non
> deterministic.  That’s how I found about those that can be seen at
> <http://bugs.gnu.org/guix> for example.
>
Does that mean we should have a bug report for every non-reproducible
packages? Or should we only have bug reports for popular packages?

> We could also have a second build farm, probably x86_64-only,
> specifically for the purpose of doing independent builds.
>
> The ability to publish the hash of local builds in a peer-to-peer
> fashion would be even better.
>
> I also want to merge
> <https://github.com/NixOS/nix/commit/8fdd156a650f9b2ce9ae8cd74edcf16225478292>.
> There are some issues that this approach cannot catch, but it’s good
> enough for all the timestamp or randomness related issues.
>
>> Can we automate some fixes, such as disabling timestamps?  (I see, for
>> example, that the Python REPL tells me when it was built.)
>
> I fixed that one in ‘tk-update’.  This particular one could have been
> avoided by having GCC return zero for __DATE__ and __TIME__.
>
> However, most other timestamp issues (like Python, Emacs, and Groff
> adding timestamps in their byproducts) cannot be addressed
> automatically.  That’s why reproducible-build.org as a cross-distro
> project is so important.
>
> Ludo’.
>
>

Cheers,
Alex

  reply	other threads:[~2015-11-17 18:01 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-11 14:55 Reproducible builds: a means to an end Ludovic Courtès
2015-11-12 20:13 ` Jan Synáček
2015-11-16 14:44 ` Ricardo Wurmus
2015-11-16 15:40   ` Ludovic Courtès
2015-11-17 18:01     ` Alex Vong [this message]
2015-11-17 21:45       ` Ludovic Courtès
2015-11-18 13:57         ` Alex Vong
2015-11-18 18:20           ` Ludovic Courtès
2015-11-19  8:14             ` Efraim Flashner
2015-11-19 14:45             ` Alex Vong
2015-11-19 16:09               ` Ludovic Courtès
2015-11-20  6:22                 ` Alex Vong
2015-11-21 10:41                   ` Ludovic Courtès
2015-11-21 13:53                     ` Alex Vong
2015-11-21 15:50                       ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CADrxHD8HrK+Hmzw0277ZyBgUthENodwgsOimVqhtwWZW1ckNow@mail.gmail.com \
    --to=alexvong1995@gmail.com \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).