From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Re: Reproducible installation images Date: Mon, 11 Dec 2017 19:12:45 -0500 Message-ID: <87374gkdmq.fsf@netris.org> References: <87r2s6btbc.fsf@gnu.org> <87a7yssv0a.fsf@netris.org> <87shch4nn1.fsf_-_@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33482) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eOYCH-00049y-5x for guix-devel@gnu.org; Mon, 11 Dec 2017 19:13:22 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eOYCE-0000lt-0s for guix-devel@gnu.org; Mon, 11 Dec 2017 19:13:21 -0500 In-Reply-To: <87shch4nn1.fsf_-_@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\?\= \=\?utf-8\?Q\?\=22's\?\= message of "Mon, 11 Dec 2017 10:30:58 +0100") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: guix-devel@gnu.org ludo@gnu.org (Ludovic Court=C3=A8s) writes: > Mark H Weaver skribis: > >> ludo@gnu.org (Ludovic Court=C3=A8s) writes: >> >>> Here are the bootable USB installation images and their signatures[*]: >>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso= .xz >>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.i686-linux.iso= .xz.sig >>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.i= so.xz >>> https://alpha.gnu.org/gnu/guix/guixsd-install-0.14.0.x86_64-linux.i= so.xz.sig >>> >>> Here is the QCOW2 virtual machine (VM) image and its signature: >>> https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.= xz >>> https://alpha.gnu.org/gnu/guix/guixsd-vm-image-0.14.0.x86_64-linux.= xz.sig >>> >>> Here are the binary tarballs and their signatures[*]: >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.i686-linux.tar.xz= .sig >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.= xz >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.x86_64-linux.tar.= xz.sig >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.xz >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.armhf-linux.tar.x= z.sig >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar= .xz >>> https://alpha.gnu.org/gnu/guix/guix-binary-0.14.0.aarch64-linux.tar= .xz.sig >> >> To enable independent verification of these installer images, it would >> be helpful to include the precise commands needed to reproduce these >> images, and the git commit to run them on. >> >> What do you think? > > The manual already gives those commands: > > https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.= html (bottom) > https://www.gnu.org/software/guix/manual/html_node/Building-the-Install= ation-Image.html They give the commands, but they do not provide the git commit that you ran these commands on. > However, disk images are likely not bit-reproducible currently, > primarily due to non-determinism in how file systems populate the disk. That's true, but it would still allow us to independently create images as close as possible to the ones you created, and it would allow us to compare the images and see how they differ. Mark