unofficial mirror of help-guix@gnu.org 
* Reproducible bootstrapping
@ 2016-07-04 14:00 t3sserakt
  2016-07-04 15:31 ` Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: t3sserakt @ 2016-07-04 14:00 UTC (permalink / raw)
  To: help-guix

Hi *,

are the bootstrap binaries reproducible?

Cheers

t3sserakt


* Re: Reproducible bootstrapping
  2016-07-04 14:00 Reproducible bootstrapping t3sserakt
@ 2016-07-04 15:31 ` Ludovic Courtès
  2016-07-04 16:01   ` t3sserakt
  0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-07-04 15:31 UTC (permalink / raw)
  To: t3sserakt; +Cc: help-guix

Hi,

t3sserakt <t3ss@posteo.de> wrote:

> are the bootstrap binaries reproducible?

Yes, in the sense of
<https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html#Building-the-Build-Tools>.

Does that answer your question?

Ludo’.


* Re: Reproducible bootstrapping
  2016-07-04 15:31 ` Ludovic Courtès
@ 2016-07-04 16:01   ` t3sserakt
  2016-07-04 16:46     ` Efraim Flashner
  2016-07-05  8:11     ` Ludovic Courtès
  0 siblings, 2 replies; 9+ messages in thread
From: t3sserakt @ 2016-07-04 16:01 UTC (permalink / raw)
  To: Ludovic Courtès, t3sserakt; +Cc: help-guix

Hi Ludo,

thx for your quick reply, but no.

I was talking about reproducible builds like it is mentioned here:

https://lwn.net/Articles/663954/

Cheers

t3sserakt

On 04.07.16 at 17:31, Ludovic Courtès wrote:
> Hi,
>
> t3sserakt <t3ss@posteo.de> wrote:
>
>> are the bootstrap binaries reproducible?
> Yes, in the sense of
> <https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html#Building-the-Build-Tools>.
>
> Does that answer your question?
>
> Ludo’.


* Re: Reproducible bootstrapping
  2016-07-04 16:01   ` t3sserakt
@ 2016-07-04 16:46     ` Efraim Flashner
  2016-07-05  7:34       ` t3sserakt
  2016-07-05  8:11     ` Ludovic Courtès
  1 sibling, 1 reply; 9+ messages in thread
From: Efraim Flashner @ 2016-07-04 16:46 UTC (permalink / raw)
  To: t3sserakt; +Cc: help-guix, t3sserakt


On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
> Hi Ludo,
> 
> thx for your quick reply, but no.
> 
> I was talking about reproducible builds like it is mentioned here:
> 
> https://lwn.net/Articles/663954/
> 
> Cheers
> 
> t3sserakt
> 

Based on my experience with the aarch64 bootstrap-tarballs,
guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
are. After building them twice the latter 3 had the same `guix hash'
value.

From the given tarballs, all the packages should be reproducible, and
there's always the `guix challenge' command to check a local build
against the one built from the build-farm.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* Re: Reproducible bootstrapping
  2016-07-04 16:46     ` Efraim Flashner
@ 2016-07-05  7:34       ` t3sserakt
  2016-07-05 16:44         ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: t3sserakt @ 2016-07-05  7:34 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: help-guix

On 04.07.16 at 18:46, Efraim Flashner wrote:

> On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
>> Hi Ludo,
>>
>> thx for your quick reply, but no.
>>
>> I was talking about reproducible builds like it is mentioned here:
>>
>> https://lwn.net/Articles/663954/
>>
>> Cheers
>>
>> t3sserakt
>>
> Based on my experience with the aarch64 bootstrap-tarballs,
> guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
> binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
> are. After building them twice the latter 3 had the same `guix hash'
> value.
>
> From the given tarballs, all the packages should be reproducible, and
> there's always the `guix challenge' command to check a local build
> against the one built from the build-farm.

That means I can check the bootstrap binaries somehow. It is not that
comfortable, but it is possible. Is there any place where you collect
statements from single developers that they validated the hashes?
Reproducible builds only make sense if a lot of people do these checks,
and their statement about this can be seen somewhere.

t3sserakt


* Re: Reproducible bootstrapping
  2016-07-04 16:01   ` t3sserakt
  2016-07-04 16:46     ` Efraim Flashner
@ 2016-07-05  8:11     ` Ludovic Courtès
  2016-07-05  8:35       ` t3sserakt
  1 sibling, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2016-07-05  8:11 UTC (permalink / raw)
  To: t3sserakt; +Cc: help-guix, t3sserakt

t3sserakt <t3sserakt@posteo.de> wrote:

> I was talking about reproducible builds like it is mentioned here:
>
> https://lwn.net/Articles/663954/

Currently a large fraction (no exact figure yet) of the packages are
bit-reproducible, but it’s not 100%.  For example, the .go files
produced by Guile are not bit-reproducible yet, due to
<http://bugs.gnu.org/20272>.

I haven’t checked recently whether the packages involved in
‘bootstrap-tarballs’ are bit-reproducible.  It would be useful.

However, note that the bootstrap binaries we currently use¹ were built
in 2013 for the most part.  To rebuild them, you would need to do that
from a Guix checkout of that time.

I hope this answers your question.

Ludo’.

¹ ftp://alpha.gnu.org:/gnu/guix/bootstrap


* Re: Reproducible bootstrapping
  2016-07-05  8:11     ` Ludovic Courtès
@ 2016-07-05  8:35       ` t3sserakt
  0 siblings, 0 replies; 9+ messages in thread
From: t3sserakt @ 2016-07-05  8:35 UTC (permalink / raw)
  To: ludo; +Cc: help-guix

On 05.07.2016 at 10:11, ludo@gnu.org wrote:
> t3sserakt <t3sserakt@posteo.de> wrote:
> 
>> I was talking about reproducible builds like it is mentioned here:
>> 
>> https://lwn.net/Articles/663954/
> 
> Currently a large fraction (no exact figure yet) of the packages are
> bit-reproducible, but it’s not 100%.  For example, the .go files
> produced by Guile are not bit-reproducible yet, due to
> <http://bugs.gnu.org/20272>.
> 
> I haven’t checked recently whether the packages involved in
> ‘bootstrap-tarballs’ are bit-reproducible.  It would be useful.
> 
> However, note that the bootstrap binaries we currently use¹ were built
> in 2013 for the most part.  To rebuild them, you would need to do that
> from a Guix checkout of that time.
> 
> I hope this answers your question.

Yes. Thank you very much!

t3sserakt

> 
> Ludo’.
> 
> ¹ ftp://alpha.gnu.org:/gnu/guix/bootstrap


* Re: Reproducible bootstrapping
  2016-07-05  7:34       ` t3sserakt
@ 2016-07-05 16:44         ` Leo Famulari
  2016-07-11 11:40           ` Ludovic Courtès
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2016-07-05 16:44 UTC (permalink / raw)
  To: t3sserakt; +Cc: help-guix

On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
> On 04.07.16 at 18:46, Efraim Flashner wrote:
> 
> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
> >> Hi Ludo,
> >>
> >> thx for your quick reply, but no.
> >>
> >> I was talking about reproducible builds like it is mentioned here:
> >>
> >> https://lwn.net/Articles/663954/
> >>
> >> Cheers
> >>
> >> t3sserakt
> >>
> > Based on my experience with the aarch64 bootstrap-tarballs,
> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
> > are. After building them twice the latter 3 had the same `guix hash'
> > value.
> >
> > From the given tarballs, all the packages should be reproducible, and
> > there's always the `guix challenge' command to check a local build
> > against the one built from the build-farm.
>
> That means I can check the bootstrap binaries somehow. It is not that
> comfortable, but it is possible. Is there any place where you collect
> statements from single developers that they validated the hashes?
> Reproducible builds only make sense if a lot of people do these checks,
> and their statement about this can be seen somewhere.

I think it could be a first step to send signed mail containing the
hashes to guix-devel. I'm sure many of us archive all our mail, so we
could always dig up the old messages if the online guix-devel archives
disappear.


* Re: Reproducible bootstrapping
  2016-07-05 16:44         ` Leo Famulari
@ 2016-07-11 11:40           ` Ludovic Courtès
  0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2016-07-11 11:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: help-guix, t3sserakt

Leo Famulari <leo@famulari.name> wrote:

> On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
>> On 04.07.16 at 18:46, Efraim Flashner wrote:
>> 
>> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
>> >> Hi Ludo,
>> >>
>> >> thx for your quick reply, but no.
>> >>
>> >> I was talking about reproducible builds like it is mentioned here:
>> >>
>> >> https://lwn.net/Articles/663954/
>> >>
>> >> Cheers
>> >>
>> >> t3sserakt
>> >>
>> > Based on my experience with the aarch64 bootstrap-tarballs,
>> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
>> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
>> > are. After building them twice the latter 3 had the same `guix hash'
>> > value.
>> >
>> > From the given tarballs, all the packages should be reproducible, and
>> > there's always the `guix challenge' command to check a local build
>> > against the one built from the build-farm.
>>
>> That means I can check the bootstrap binaries somehow. It is not that
>> comfortable, but it is possible. Is there any place where you collect
>> statements from single developers that they validated the hashes?
>> Reproducible builds only make sense if a lot of people do these checks,
>> and their statement about this can be seen somewhere.
>
> I think it could be a first step to send signed mail containing the
> hashes to guix-devel. I'm sure many of us archive all our mail, so we
> could always dig up the old messages if the online guix-devel archives
> disappear.

An idea that has been floating around is that users or independent
organizations could publish substitutes, which are signed.  We could
then archive signatures for each substitute.  For reproducible
packages, we’d have several independent signatures for a given
package/hash pair.

Ludo’.
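
The idea in the message above, several independent signatures for one package/hash pair, sketched as an added example (not part of the thread and not Guix code): it tallies attestations per tarball and flags disagreement. It assumes each attestation's signature has already been verified; signer names, hash values and the threshold of 2 are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: (signer, item, hash) tuples whose signatures are assumed
# to have been verified already. Signers and hash values are placeholders.
ATTESTATIONS = [
    ("build-farm", "binutils-2.25.1.tar.xz", "hash-A"),
    ("alice",      "binutils-2.25.1.tar.xz", "hash-A"),
    ("bob",        "binutils-2.25.1.tar.xz", "hash-A"),
    ("build-farm", "gcc-4.9.3.tar.xz",       "hash-B"),
    ("alice",      "gcc-4.9.3.tar.xz",       "hash-C"),
    ("build-farm", "glibc-2.23.tar.xz",      "hash-D"),
    ("build-farm", "glibc-2.23.tar.xz",      "hash-D"),  # repeat, same signer
]

def tally(attestations):
    """Map item -> {hash -> set of distinct signers vouching for it}."""
    by_item = defaultdict(lambda: defaultdict(set))
    for signer, item, digest in attestations:
        by_item[item][digest].add(signer)
    return by_item

def classify(attestations, threshold=2):
    """Return item -> 'corroborated' | 'divergent' | 'unconfirmed'.

    divergent:    signers report different hashes (not reproducible, or tampered)
    corroborated: a single hash backed by >= threshold distinct signers
    unconfirmed:  a single hash, but too few independent signers so far
    """
    verdicts = {}
    for item, hashes in tally(attestations).items():
        if len(hashes) > 1:
            verdicts[item] = "divergent"
        elif len(next(iter(hashes.values()))) >= threshold:
            verdicts[item] = "corroborated"
        else:
            verdicts[item] = "unconfirmed"
    return verdicts

def equivocators(attestations):
    """Signers who vouched for more than one hash of the same item."""
    seen = defaultdict(set)
    for signer, item, digest in attestations:
        seen[(signer, item)].add(digest)
    return sorted({signer for (signer, _), h in seen.items() if len(h) > 1})

if __name__ == "__main__":
    for item, verdict in sorted(classify(ATTESTATIONS).items()):
        print(f"{item}: {verdict}")
```

Repeated attestations from one signer count once, so a single publisher cannot reach the threshold alone.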

