* Reproducible bootstrapping
From: t3sserakt @ 2016-07-04 14:00 UTC
To: help-guix

Hi *,

are the bootstrap binaries reproducible?

Cheers

t3sserakt

* Re: Reproducible bootstrapping
From: Ludovic Courtès @ 2016-07-04 15:31 UTC
To: t3sserakt; +Cc: help-guix

Hi,

t3sserakt <t3ss@posteo.de> wrote:

> are the bootstrap binaries reproducible?

Yes, in the sense of
<https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html#Building-the-Build-Tools>.

Does that answer your question?

Ludo’.

* Re: Reproducible bootstrapping
From: t3sserakt @ 2016-07-04 16:01 UTC
To: Ludovic Courtès, t3sserakt; +Cc: help-guix

Hi Ludo,

thx for your quick reply, but no.

I was talking about reproducible builds like it is mentioned here:

https://lwn.net/Articles/663954/

Cheers

t3sserakt

On 04.07.16 at 17:31, Ludovic Courtès wrote:
> Hi,
>
> t3sserakt <t3ss@posteo.de> wrote:
>
>> are the bootstrap binaries reproducible?
> Yes, in the sense of
> <https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html#Building-the-Build-Tools>.
>
> Does that answer your question?
>
> Ludo’.

* Re: Reproducible bootstrapping
From: Efraim Flashner @ 2016-07-04 16:46 UTC
To: t3sserakt; +Cc: help-guix, t3sserakt

On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
> Hi Ludo,
>
> thx for your quick reply, but no.
>
> I was talking about reproducible builds like it is mentioned here:
>
> https://lwn.net/Articles/663954/
>
> Cheers
>
> t3sserakt
>

Based on my experience with the aarch64 bootstrap-tarballs,
guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
are. After building them twice the latter 3 had the same `guix hash'
value.

From the given tarballs, all the packages should be reproducible, and
there's always the `guix challenge' command to check a local build
against the one built from the build-farm.

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

* Re: Reproducible bootstrapping
From: t3sserakt @ 2016-07-05 7:34 UTC
To: Efraim Flashner; +Cc: help-guix

On 04.07.16 at 18:46, Efraim Flashner wrote:
> On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
>> Hi Ludo,
>>
>> thx for your quick reply, but no.
>>
>> I was talking about reproducible builds like it is mentioned here:
>>
>> https://lwn.net/Articles/663954/
>>
>> Cheers
>>
>> t3sserakt
>>
> Based on my experience with the aarch64 bootstrap-tarballs,
> guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
> binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
> are. After building them twice the latter 3 had the same `guix hash'
> value.
>
> From the given tarballs, all the packages should be reproducible, and
> there's always the `guix challenge' command to check a local build
> against the one built from the build-farm.

That means, I can check the bootstrap binaries somehow. It is not that
comfortable, but it is possible. Is there any place, where you collect
statements from single developers, that they validated the hashes?
Reproducible builds only make sense, if a lot of people do these checks,
and their statement about this can be seen somewhere.

t3sserakt

* Re: Reproducible bootstrapping
From: Leo Famulari @ 2016-07-05 16:44 UTC
To: t3sserakt; +Cc: help-guix

On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
> On 04.07.16 at 18:46, Efraim Flashner wrote:
>
> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
> >> Hi Ludo,
> >>
> >> thx for your quick reply, but no.
> >>
> >> I was talking about reproducible builds like it is mentioned here:
> >>
> >> https://lwn.net/Articles/663954/
> >>
> >> Cheers
> >>
> >> t3sserakt
> >>
> > Based on my experience with the aarch64 bootstrap-tarballs,
> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
> > are. After building them twice the latter 3 had the same `guix hash'
> > value.
> >
> > From the given tarballs, all the packages should be reproducible, and
> > there's always the `guix challenge' command to check a local build
> > against the one built from the build-farm.
> That means, I can check the bootstrap binaries somehow. It is not that
> comfortable, but it is possible. Is there any place, where you collect
> statements from single developers, that they validated the hashes?
> Reproducible builds only make sense, if a lot of people do these checks,
> and their statement about this can be seen somewhere.

I think it could be a first step to send signed mail containing the
hashes to guix-devel. I'm sure many of us archive all our mail, so we
could always dig up the old messages if the online guix-devel archives
disappear.

* Re: Reproducible bootstrapping
From: Ludovic Courtès @ 2016-07-11 11:40 UTC
To: Leo Famulari; +Cc: help-guix, t3sserakt

Leo Famulari <leo@famulari.name> wrote:

> On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
>> On 04.07.16 at 18:46, Efraim Flashner wrote:
>>
>> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
>> >> Hi Ludo,
>> >>
>> >> thx for your quick reply, but no.
>> >>
>> >> I was talking about reproducible builds like it is mentioned here:
>> >>
>> >> https://lwn.net/Articles/663954/
>> >>
>> >> Cheers
>> >>
>> >> t3sserakt
>> >>
>> > Based on my experience with the aarch64 bootstrap-tarballs,
>> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
>> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
>> > are. After building them twice the latter 3 had the same `guix hash'
>> > value.
>> >
>> > From the given tarballs, all the packages should be reproducible, and
>> > there's always the `guix challenge' command to check a local build
>> > against the one built from the build-farm.
>> That means, I can check the bootstrap binaries somehow. It is not that
>> comfortable, but it is possible. Is there any place, where you collect
>> statements from single developers, that they validated the hashes?
>> Reproducible builds only make sense, if a lot of people do these checks,
>> and their statement about this can be seen somewhere.
>
> I think it could be a first step to send signed mail containing the
> hashes to guix-devel. I'm sure many of us archive all our mail, so we
> could always dig up the old messages if the online guix-devel archives
> disappear.

An idea that has been floating around is that users or independent
organizations could publish substitutes, which are signed. We could
then archive signatures for each substitute.

For reproducible packages, we’d have several independent signatures for
a given package/hash pair.

Ludo’.

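Added example, not part of any message in this thread: a sketch of the bookkeeping that "several independent signatures for a given package/hash pair" would need, counting distinct builders per reported hash and flagging disagreement. The builder names, hash strings and the quorum parameter are constructed for illustration, and each statement is assumed to have had its signature verified beforehand.

```python
from collections import defaultdict

# Constructed sample statements: (builder, item, reported hash).
# The hashes are placeholders, not real `guix hash' output, and signature
# verification of each statement is assumed to have happened already.
ATTESTATIONS = [
    ("builder-a", "binutils-2.25.1.tar.xz", "aa11"),
    ("builder-b", "binutils-2.25.1.tar.xz", "aa11"),
    ("builder-c", "binutils-2.25.1.tar.xz", "aa11"),
    ("builder-a", "gcc-4.9.3.tar.xz", "bb22"),
    ("builder-b", "gcc-4.9.3.tar.xz", "cc33"),
    ("builder-a", "glibc-2.23.tar.xz", "dd44"),
    ("builder-a", "glibc-2.23.tar.xz", "dd44"),  # same builder twice
]


def tally(attestations):
    """Map item -> {hash: set of builders that reported it}."""
    seen = defaultdict(lambda: defaultdict(set))
    for builder, item, digest in attestations:
        # A set, so a builder repeating itself still counts only once.
        seen[item][digest].add(builder)
    return seen


def classify(attestations, quorum=2):
    """Return item -> (status, {hash: sorted builders}).

    corroborated: a single hash, reported by >= quorum distinct builders
    unverified:   a single hash, but fewer than quorum distinct builders
    disputed:     different hashes were reported, so the item is either
                  not bit-reproducible or one of the builds is suspect
    """
    result = {}
    for item, by_hash in tally(attestations).items():
        detail = {h: sorted(b) for h, b in by_hash.items()}
        if len(by_hash) > 1:
            result[item] = ("disputed", detail)
            continue
        (builders,) = by_hash.values()
        status = "corroborated" if len(builders) >= quorum else "unverified"
        result[item] = (status, detail)
    return result


if __name__ == "__main__":
    for item, (status, detail) in sorted(classify(ATTESTATIONS).items()):
        print(f"{item:26} {status:13} {detail}")
```

A "disputed" result does not say which side is wrong; it only marks the items where a rebuild and a closer comparison are needed.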
* Re: Reproducible bootstrapping
From: Ludovic Courtès @ 2016-07-05 8:11 UTC
To: t3sserakt; +Cc: help-guix, t3sserakt

t3sserakt <t3sserakt@posteo.de> wrote:

> I was talking about reproducible builds like it is mentioned here:
>
> https://lwn.net/Articles/663954/

Currently a large fraction (no exact figure yet) of the packages are
bit-reproducible, but it’s not 100%. For example, the .go files
produced by Guile are not bit-reproducible yet, due to
<http://bugs.gnu.org/20272>.

I haven’t checked recently whether the packages involved in
‘bootstrap-tarballs’ are bit-reproducible. It would be useful.

However, note that the bootstrap binaries we currently use¹ were built
in 2013 for the most part. To rebuild them, you would need to do that
from a Guix checkout of that time.

I hope this answers your question.

Ludo’.

¹ ftp://alpha.gnu.org:/gnu/guix/bootstrap

* Re: Reproducible bootstrapping
From: t3sserakt @ 2016-07-05 8:35 UTC
To: ludo; +Cc: help-guix

On 05.07.2016 at 10:11, ludo@gnu.org wrote:
> t3sserakt <t3sserakt@posteo.de> wrote:
>
>> I was talking about reproducible builds like it is mentioned here:
>>
>> https://lwn.net/Articles/663954/
>
> Currently a large fraction (no exact figure yet) of the packages are
> bit-reproducible, but it’s not 100%. For example, the .go files
> produced by Guile are not bit-reproducible yet, due to
> <http://bugs.gnu.org/20272>.
>
> I haven’t checked recently whether the packages involved in
> ‘bootstrap-tarballs’ are bit-reproducible. It would be useful.
>
> However, note that the bootstrap binaries we currently use¹ were built
> in 2013 for the most part. To rebuild them, you would need to do that
> from a Guix checkout of that time.
>
> I hope this answers your question.

Yes. Thank you very much!

t3sserakt

>
> Ludo’.
>
> ¹ ftp://alpha.gnu.org:/gnu/guix/bootstrap