From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id OHZnOg/GY2P+jwAAbAwnHQ (envelope-from ) for ; Thu, 03 Nov 2022 14:45:52 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id WOo3Og/GY2NIQwEAauVa8A (envelope-from ) for ; Thu, 03 Nov 2022 14:45:51 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 56BD043E05 for ; Thu, 3 Nov 2022 14:45:51 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oqaWq-0007en-6m; Thu, 03 Nov 2022 09:45:14 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oqaWg-0007RV-3t for guix-devel@gnu.org; Thu, 03 Nov 2022 09:44:58 -0400 Received: from mail-ed1-x52e.google.com ([2a00:1450:4864:20::52e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oqaWd-0002VW-Sb for guix-devel@gnu.org; Thu, 03 Nov 2022 09:44:57 -0400 Received: by mail-ed1-x52e.google.com with SMTP id v27so3103817eda.1 for ; Thu, 03 Nov 2022 06:44:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-disposition:mime-version:mail-followup-to:message-id :subject:to:from:date:sender:from:to:cc:subject:date:message-id :reply-to; bh=61/lRkt2yZ2MOuh4JMhB1aaYRhpWqWiAFdahSTALOWs=; b=WDljBhyPtkX9zSUSoDtjkYcpX4cya7n9ESOddD6mQNTr8gluJ7E5SZMOmFcBtrWvfv cTCP5msRznfUsJofLFQ5AOK1f1ML4aKaVeuipuMpwK+WMYjuA5+6AckEiQ6SrKEHbbxJ X/u4BfcDWYOqNBtuu4Wd8ZOAjW74xYxhWQFgJGqhVpiyYiqmjMTjbybguICDWRhVCqxH s7bVQ1Am+h6Nfnny2ggWh7lQz19LrUPlAvUKB/hsZSFsqqrWrywXZaO0XF/402Cn+TdJ QUU4JL+cTo2u8jJ2mPMN36sQPRwRGNVm35Q7/CSqKXTsRxpM+gyHB2XjxR+sMJ1uOvkb xitA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-disposition:mime-version:mail-followup-to:message-id :subject:to:from:date:sender:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=61/lRkt2yZ2MOuh4JMhB1aaYRhpWqWiAFdahSTALOWs=; b=OGkA4OsYgtWAQV7gPLOzORXoGOoTJE6gE5HahyEwf/uf7DKspXJ+rC5KeryZzXQ/hg OIwg8DNF6nA/378p5wfgog2/yElsXepFUntrlPWHkskLeoFPmALWy68Z1kL7tS17BLA7 KlpOFcahe0N3nIkBGIAtCahM1vjzQkAZdJHgRUWA5dFvr0uur74DBNotZc9WYX7x9OdM DLEEtToz3O4CYZoS1nHQnDOUtJ6BKNwL1fPAW9F5Eg3oGG+0ax6bWaeYQ2H+sXzCIYzM zdBFjhhaDb2sxTCw8UKURcRQhiO191j8FzrgKZyyvvS+9d6xk8Lcrj0dJfqQmwwQYKDt abcw== X-Gm-Message-State: ACrzQf0yac7EOGjY2ZxNogxNdqUpyTanfI6UXTAKbju/VfoKqKM4IK/e enBuWCcE0MINBleZm1NPXFKIUje7KgbrM52yeQuYGA== X-Google-Smtp-Source: AMsMyM6fyAU7Lc9b1i4T11GTee+bOZ2ap9cc9l9LIBHcRgADsGZL7b0LUiFiUrbKzvTUGA5Hs+nqYg== X-Received: by 2002:a05:6402:1052:b0:459:2c49:1aed with SMTP id e18-20020a056402105200b004592c491aedmr29925734edu.212.1667483093446; Thu, 03 Nov 2022 06:44:53 -0700 (PDT) Received: from localhost (93-63-133-243.ip27.fastwebnet.it. [93.63.133.243]) by smtp.gmail.com with ESMTPSA id ec35-20020a0564020d6300b00458dc7e8ecasm533323edb.72.2022.11.03.06.44.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Nov 2022 06:44:52 -0700 (PDT) Date: Thu, 3 Nov 2022 15:44:49 +0200 From: Efraim Flashner To: guix-devel@gnu.org Subject: Reproducible Builds Summit 2022 Message-ID: Mail-Followup-To: guix-devel@gnu.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="8B5VnZ6EkbboJXaA" Content-Disposition: inline X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Received-SPF: pass client-ip=2a00:1450:4864:20::52e; envelope-from=efraim.flashner@gmail.com; helo=mail-ed1-x52e.google.com X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Guix-devel" Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1667483151; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=61/lRkt2yZ2MOuh4JMhB1aaYRhpWqWiAFdahSTALOWs=; b=CRDZEwAq4Kq1YO1qWoosmvleoZQ8PSvPHjftGAr+XoPnsJn5g5/QsMcQCsg/RAZlNHygdU 6CDtaghIWJJ7ZE58H0Z7UPwk9XlhpiA0r+XLawyjBgmQumfK868vsoWwQjtbzeYPtne/sL NyghR8l8BFXWMoTIG3LSG5RfbaYVdQ8FWNBN5P1qNDSKemuYhftnv7rkS5gYNXOFtOBJyR 0Oor0GFneZmxoLtetwgnje564FI9zMlV/bc8aD/Y5lXqfNyQegZCbWCR3jU4IJHhKKNNZP T35dfLtciGYuc9PBlBrIcsQ8fItTmlO70xMx9JyapuXcrkYgRTwg4timtIobAg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1667483151; a=rsa-sha256; cv=none; b=D9pYruCS8lFllLKmieE/bvLgk9tbtjFheSdMDoIQVCGOLeY3vQFFNEcyFV6q8lzqgbB+rZ +bdcSpPYt2SjEBtWscI7TkoESk0lUZHTNTBYT7dyKUwzp/fiUUIo/ovwGOc+EcwV2DEgYA DuA3xlfF+pCOJf89siEGDWFegUSgRvG9s4gmjWoHOkkVgaM3eLHHAIEmZ6B1hB6KLeP1xr BJorDGAHLrfnGPTnBHR2S8pNUq8vts1pmXaVDckHNUXWJQxB2T4jwMHttbw506SocwmOzO 3E/SQiV4QL5X/7oowWfnFi+wzLTkA5W5Y+rxfTw1YBDXYrPiBc3nOINgHXHxKw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=WDljBhyP; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -0.39 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=WDljBhyP; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 56BD043E05 X-Spam-Score: -0.39 X-Migadu-Scanner: scn1.migadu.com X-TUID: GBKEkNGwfL6r --8B5VnZ6EkbboJXaA Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Chris and I are here at the reproducible builds summit in Venice, we're winding down now but it's been a great time meeting everyone and planning out upcoming tasks. The good news is Guix is Great! We have our tightly controlled dependency chain which makes it really easy to know exactly which inputs were present during a build and how to rebuild a package to check for reproducibility. We have Guix challenge to easily challenge the build farms to see if locally available packages are reproducible against the ones built on the build farms. I'm going to link to Vagrant's email^1 from back in June where they talked about some of the unreproducibility issues in Guix. We know the issues are there, so it would be good for us to go ahead and fix them. They might not all be low hanging fruit, but we do want to make sure that our builds continue to be reproducible. Moving forward, it would be nice to test for reproducibility in qa.guix.gnu.org. It should be possible to build packages more than once and to compare the results of the two to check for reproducibility. qa.guix.gnu.org already shows which packages in patches build for each architecture, being able to check for reproducibility also would be a good next step. We should also continue working on implementing a change in the ACL to allow requiring a K of N agreement between different substitute servers that a build is correct^2. If someone is downloading substitutes I'm sure they would be happier to know that the two build farms (or more if you have access to more build farms!) agree to the hash of the packages. Other ideas moving forward is the ability to sign a narinfo with more than one key. Then in theory these multisigned narinfo files could be distributed and one could trust it without putting undue load on the substitute servers. This would also be helpful if there are network problems but we want to have that not affect the distribution of nars. ^1 https://lists.gnu.org/archive/html/guix-devel/2022-06/msg00191.html ^2 https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00179.html --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --8B5VnZ6EkbboJXaA Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAmNjxc4ACgkQQarn3Mo9 g1H8og/9FbZA6yGmvbSwbq3atBOIRvWIOoLYqZpOp4iVuZ/xi3k8nHFm9fgJ1vGo 4Tyh0PTtJTxcqLtMrDdvg98GDb62DlklPNYUc5W1U0AQCcurwSmd/+kZ0c69EnMi DYNT6BFiQNAQNaOxC7nqvJVhWr9L99kHVsPd3cvISbv1+EV0sN+NRRlTSz78STwz 43sSWgHTtsn62+DOvoPNzSwgFbv/Hqi10iXY228FrPEp/ciRLW9QKHVwzYH0Vyl1 IgDdpuvy8Vt/vwJNzLQyheSv7xIbL5qz17i8yPDL3T5X70i6jxRuPrPo1AzXUAqQ 2mEzQHuJI+PhWIag6+peN/1DOX0DKZcKaCkazuXunwOlE0oEdvpaBqiuYOqMlF7Z eFdv80Hwhh4NFQYKYM3sKWXK7XL78YBGSoOESrCtQff+NjS0wq72zbN1Fte+8B78 cAkIZS+CSKo/f+j8wNU6k66JRMNhLsLp+4IUur0jruS96pMiVy1eu6vX2hq4uC1b Eqa/Gr5qAuEtnywofhynskW7mA3kGSZgkmMKRYLkfXmQE/7qjXi57/RoRmXZ6J2Z b8oR5hPe1qYYIQAEq//zCGcF5IZrb9q0UbSlqHkjBpJh+0GFkcAHwolrSWJsSDHd pRcft86AvxUfAxk9mOmqHxV79O/eUxDchDBwHWLHu33PJ5y9r7U= =GAQZ -----END PGP SIGNATURE----- --8B5VnZ6EkbboJXaA--