Ludovic Courtès transcribed 2.6K bytes: > Hi Mark, > > Mark H Weaver skribis: > > > ludo@gnu.org (Ludovic Courtès) writes: > > > >> Here are the bootable USB installation images and their signatures[*]: > >> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz > >> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso.xz.sig > >> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz > >> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.iso.xz.sig > >> > >> Here is the QCOW2 virtual machine (VM) image and its signature: > >> https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz > >> https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.xz.sig > >> > >> Here are the binary tarballs and their signatures[*]: > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz.sig > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.xz.sig > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz.sig > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz > >> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar.xz.sig > > > > To enable independent verification of these installer images, it would > > be helpful to include the precise commands needed to reproduce these > > images, and the git commit to run them on. > > > > What do you think? > > The manual already gives those commands: > > https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html (bottom) > https://www.gnu.org/software/guix/manual/html_node/Building-the-Installation-Image.html > > Do you think we should show them more prominently? > > However, disk images are likely not bit-reproducible currently, > primarily due to non-determinism in how file systems populate the disk. > > They might be reproducible if ‘guix system’ always creates files in the > same order, which is something we could enforce (perhaps that’s already > the case). If it’s not sufficient, then we should look at what others > in the reproducible-builds.org effort have been doing (Tails achieved > reproducible ISO images, for instance, and I think OpenWrt people were > looking at ext2 reproducibility.) > > There may also be lingering non-reproducibility issues in some of the > packages included that need to be addressed. > > It would be good to investigate! Definitely, I agree. Should we open a new bug ticket to track this effort? > Ludo’. > > -- GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys WWW: https://n0.is