Chris and I are here at the Reproducible Builds Summit in Venice. We're winding down now, but it's been a great time meeting everyone and planning out upcoming tasks.

The good news is Guix is great! We have our tightly controlled dependency chain, which makes it really easy to know exactly which inputs were present during a build and how to rebuild a package to check for reproducibility. We have guix challenge to easily challenge the build farms to see if locally available packages are reproducible against the ones built on the build farms.

I'm going to link to Vagrant's email^1 from back in June where they talked about some of the unreproducibility issues in Guix. We know the issues are there, so it would be good for us to go ahead and fix them. They might not all be low-hanging fruit, but we do want to make sure that our builds continue to be reproducible.

Moving forward, it would be nice to test for reproducibility in qa.guix.gnu.org. It should be possible to build packages more than once and to compare the results of the two builds to check for reproducibility. qa.guix.gnu.org already shows which packages in patches build for each architecture; being able to check for reproducibility also would be a good next step.

We should also continue working on implementing a change in the ACL to allow requiring a K of N agreement between different substitute servers that a build is correct^2. If someone is downloading substitutes, I'm sure they would be happier to know that the two build farms (or more if you have access to more build farms!) agree on the hash of the packages.

Another idea moving forward is the ability to sign a narinfo with more than one key. Then, in theory, these multi-signed narinfo files could be distributed and one could trust them without putting undue load on the substitute servers. This would also be helpful if there are network problems, since we want those not to affect the distribution of nars.
^1 https://lists.gnu.org/archive/html/guix-devel/2022-06/msg00191.html
^2 https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00179.html

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
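A sketch of the K of N agreement check described in the message above, added here as an example (it is not Guix code): it parses narinfo records from several substitute servers and accepts a substitute only when at least K of them report the same NarHash. The server names, store path, hashes and signature payloads are constructed for the example, and no signature verification is performed.

```python
from collections import defaultdict

def make_narinfo(server, nar_hash):
    """Constructed narinfo body in the 'Key: value' layout of narinfo files;
    store path, hash and signature payload are made up for this example."""
    return (
        "StorePath: /gnu/store/00000000000000000000000000000000-hello-2.12.1\n"
        "URL: nar/gzip/00000000000000000000000000000000-hello-2.12.1\n"
        "Compression: gzip\n"
        f"NarHash: sha256:{nar_hash}\n"
        "NarSize: 204800\n"
        "System: x86_64-linux\n"
        f"Signature: 1;{server};PLACEHOLDER-BASE64-SIGNATURE\n"
    )

# Constructed responses from four substitute servers for the same store path:
# two agree, one reports a different NarHash, one is unreachable (None).
RESPONSES = {
    "server-a.example": make_narinfo("server-a.example", "0" * 52),
    "server-b.example": make_narinfo("server-b.example", "0" * 52),
    "server-c.example": make_narinfo("server-c.example", "1" * 52),
    "server-d.example": None,
}

def parse_narinfo(text):
    """Split a narinfo body into a dict of its 'Key: value' fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields

def k_of_n_agreement(responses, k):
    """Accept a substitute only if at least k servers report the same NarHash.
    Returns (accepted, leading_hash, dissenting_servers)."""
    votes = defaultdict(list)
    for server, body in responses.items():
        if body is None:  # unreachable server casts no vote but still counts in N
            continue
        info = parse_narinfo(body)
        # Signature is 'version;host;base64'; count a narinfo only if the host
        # named in it is the server we asked, so a relayed copy cannot vote twice.
        parts = info.get("Signature", "").split(";")
        if len(parts) < 3 or parts[1] != server or "NarHash" not in info:
            continue
        votes[info["NarHash"]].append(server)
    if not votes:
        return False, None, []
    leading, backers = max(votes.items(), key=lambda item: len(item[1]))
    dissenters = [s for h, servers in votes.items() if h != leading for s in servers]
    return len(backers) >= k, leading, dissenters
```

With K=2 the two agreeing servers carry the vote and the dissenting server is reported; with K=3 the same responses are rejected, which is the trade-off between availability and assurance the threshold sets.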