From mboxrd@z Thu Jan  1 00:00:00 1970
From: ng0 <ng0@n0.is>
Subject: Re: Reproducible installation images
Date: Mon, 11 Dec 2017 09:36:49 +0000
Message-ID: <20171211093649.rbka5xk6ojrcvhtf@abyayala>
References: <87r2s6btbc.fsf@gnu.org> <87a7yssv0a.fsf@netris.org>
	<87shch4nn1.fsf_-_@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="m42hi6jqynkwkrxd"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51965)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <ng0@n0.is>)
	id 1eOKWI-0007yd-Kk
	for guix-devel@gnu.org; Mon, 11 Dec 2017 04:37:07 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ng0@n0.is>) id 1eOKWH-0004R7-D4
	for guix-devel@gnu.org; Mon, 11 Dec 2017 04:37:06 -0500
Content-Disposition: inline
In-Reply-To: <87shch4nn1.fsf_-_@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org


--m42hi6jqynkwkrxd
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s transcribed 2.6K bytes:
> Hi Mark,
>=20
> Mark H Weaver <mhw@netris.org> skribis:
>=20
> > ludo@gnu.org (Ludovic Court=C3=A8s) writes:
> >
> >>   Here are the bootable USB installation images and their signatures[*=
]:
> >>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.is=
o.xz
> >>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.is=
o.xz.sig
> >>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.=
iso.xz
> >>     https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.=
iso.xz.sig
> >>
> >>   Here is the QCOW2 virtual machine (VM) image and its signature:
> >>     https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux=
=2Exz
> >>     https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux=
=2Exz.sig
> >>
> >>   Here are the binary tarballs and their signatures[*]:
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.x=
z.sig
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar=
=2Exz
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar=
=2Exz.sig
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.=
xz
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.=
xz.sig
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.ta=
r.xz
> >>     https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.ta=
r.xz.sig
> >
> > To enable independent verification of these installer images, it would
> > be helpful to include the precise commands needed to reproduce these
> > images, and the git commit to run them on.
> >
> > What do you think?
>=20
> The manual already gives those commands:
>=20
>   https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.=
html (bottom)
>   https://www.gnu.org/software/guix/manual/html_node/Building-the-Install=
ation-Image.html
>=20
> Do you think we should show them more prominently?
>=20
> However, disk images are likely not bit-reproducible currently,
> primarily due to non-determinism in how file systems populate the disk.
>=20
> They might be reproducible if =E2=80=98guix system=E2=80=99 always create=
s files in the
> same order, which is something we could enforce (perhaps that=E2=80=99s a=
lready
> the case).  If it=E2=80=99s not sufficient, then we should look at what o=
thers
> in the reproducible-builds.org effort have been doing (Tails achieved
> reproducible ISO images, for instance, and I think OpenWrt people were
> looking at ext2 reproducibility.)
>=20
> There may also be lingering non-reproducibility issues in some of the
> packages included that need to be addressed.
>=20
> It would be good to investigate!

Definitely, I agree. Should we open a new bug ticket to track this effort?

> Ludo=E2=80=99.
>=20
>=20

--=20
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
  WWW: https://n0.is

--m42hi6jqynkwkrxd
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlouUbEACgkQ4i+bv+40
hYhhuRAAiqkh35VsaInwBqBYPjdmlzWEoK+SAgxINMJ0u/aajZr0L+F2WvYt4lpz
XHurLNnS77KS7dOV+KFz4brjURLDys+W8qq3cQ8omhOiNUyqN1d2pvcpZQg/krtd
mLC5FQ/JaTnLOKjg4yJZsCrlofyD8Ep0kh2HsT+CSptGTbrZ88c1n1w/Ko05scYI
zH6Bx3Mj/FjHZ9Gj2f8er3RckcNf7WA9+yO/1iVx7stRlcagx/kJWoujFGzPNOvj
PV38Z24hINicadzOzNsNd58UQtEuEDH15FgUKwhG2R6q+0QcNyHqt34BlLCVmJ04
0uNsuEtinprCpH6L1N4QQTj8MP38l3VEKofSsJn47uRElP4+vVGfG4i0hK7Gesbj
idNL0Udn5tg2drbnJnGwYPpA8nw84gBaLH0q3oe2QbJWJ3D/y4GPaRlxCpl4cQqO
5cQpcwtOkRJpYE34bXyv5e4J+bjwTY26bLAiHZXaBv49+JfWK2VqAo5+JqfvKDkU
igMIDlRWNUnBiIF2RDJlk8y0ugKGc+Rp1rq7zoA9uiy7tZP5pi0FBuOIsoL8+qI6
cexxZL5NKtnvSJEd+ojxZnpIhIXQVUvBjuyANBFvpcJcf+DDUyMlNdhWw7FdMQHk
002fkEZ4/Eqvkfl8aOj78kTENSyizqmO0/yRABo/4JCtGt56tkg=
=yeBC
-----END PGP SIGNATURE-----

--m42hi6jqynkwkrxd--