From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id ODnULY8tsF4NCAAA0tVLHw (envelope-from ) for ; Mon, 04 May 2020 14:58:23 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id 2ERCAJotsF6TNQAA1q6Kng (envelope-from ) for ; Mon, 04 May 2020 14:58:34 +0000 Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:470:142::17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 54C0F945127 for ; Mon, 4 May 2020 14:27:18 +0000 (UTC) Received: from localhost ([::1]:40990 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jVc3y-0001Gd-OI for larch@yhetil.org; Mon, 04 May 2020 10:27:18 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46872) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jVc2w-0000Ph-9a for guix-devel@gnu.org; Mon, 04 May 2020 10:26:14 -0400 Received: from mail-qt1-x834.google.com ([2607:f8b0:4864:20::834]:33065) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jVc2u-0005CJ-Lj; Mon, 04 May 2020 10:26:13 -0400 Received: by mail-qt1-x834.google.com with SMTP id l18so3590212qtp.0; Mon, 04 May 2020 07:26:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0zY+2Rs1j79LM5k+w9NG3EK7iqnOjDzF0rIX+q+8IGI=; b=aE3a+b0Emd3/iLenOfxqAuWX4XWCjETgfKsbf599BzJpWfHhsD2cX/9Vu014I8TTPR lKXNCW04/0leQVgYexiiYvnV9CpCUU33QivYrjwpd6Kwx5vNi12vosZFgB03hJ+I10oZ 6uKGNaR56QWEvjTAVFl0CpvGDr4TGqicXY1dCvY+ZdFqRCLILDs05nroE/DUFUeTd1Zw HhTSoAsHbPYnDheGFagNgRsj+OkJVM67bhJRrgRz/Hj0xADQn0ZGdZ++PRjvFY+KRhbx By5npeOrYeJ7N27ltMwD3hl75dXMIyOdlKL6HceyjNE+1CaUC42PXoKwIRNOCzWi83w2 kxPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0zY+2Rs1j79LM5k+w9NG3EK7iqnOjDzF0rIX+q+8IGI=; b=Sj6+o3qx6Wf23rPh+s1+l1KfRGsGTnc7yoMMEMVm0GqkkdsR+ut2Z3hXpc82D78lE5 GQ3m7+uUrjTwAtr0FMF9sD+K+ku4DLGytOhotPwVSknyHwgUug0tbQBBbwCTEwAVxU3k n4i7x5t78whPvrS2QJoWdzac9yWinzlOnvhCX72fh2DhAdN4OYaAXfbmNF8Rcb3tvO1o QxFOJKLyiUygew71gXzX7ENPxWtzlGZ7Zxlm+A1UHqZQGQaCf2PunRVe0O/7AWUDNy2P 4ZLuEMk7KLhxQqAJOaECD0L0wKhZTSUek9bo1fqaeIeIfEhllH8YYEiX3+QHAHMmuD9x 7G8g== X-Gm-Message-State: AGi0PuYhlquqbN2zVDQ2iGtZ1bRv093R1TIyTPE92Tr7T5S3vXSE46Wq JH5qqsOMGhgxndy130yMOq+9mrqqOlPGl9ScFLs= X-Google-Smtp-Source: APiQypLD/AXLMGyWG6aiku5KY2gIEADXv6gtoivBZ9dDSM19KANRSM6IagxNdUs9lTf/2hFAkq2Xz4tYcHhaIo+Teq0= X-Received: by 2002:ac8:19fd:: with SMTP id s58mr17885844qtk.354.1588602370995; Mon, 04 May 2020 07:26:10 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: zimoun Date: Mon, 4 May 2020 16:25:59 +0200 Message-ID: Subject: Re: unexpected reproducibility of reproducible blog post? To: Konrad Hinsen , =?UTF-8?Q?Ludovic_Court=C3=A8s?= Content-Type: text/plain; charset="UTF-8" Received-SPF: pass client-ip=2607:f8b0:4864:20::834; envelope-from=zimon.toutoune@gmail.com; helo=mail-qt1-x834.google.com X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Guix Devel Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 X-Spam-Score: -0.71 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b=aE3a+b0E; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 2001:470:142::17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Scan-Result: default: False [-0.71 / 13.00]; GENERIC_REPUTATION(0.00)[-0.49479497120133]; DWL_DNSWL_FAIL(0.00)[2001:470:142::17:server fail,gmail.com:server fail]; R_SPF_ALLOW(-0.20)[+ip6:2001:470:142::/48:c]; FREEMAIL_FROM(0.00)[gmail.com]; IP_REPUTATION_HAM(0.00)[asn: 22989(0.13), country: US(-0.00), ip: 2001:470:142::17(-0.49)]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; MX_GOOD(-0.50)[cached: eggs.gnu.org]; MAILLIST(-0.20)[mailman]; FREEMAIL_TO(0.00)[fastmail.net,gnu.org]; RCVD_IN_DNSWL_FAIL(0.00)[2001:470:142::17:server fail]; RCVD_TLS_LAST(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:22989, ipnet:2001:470:142::/48, country:US]; SUBJECT_ENDS_QUESTION(1.00)[]; TAGGED_FROM(0.00)[larch=yhetil.org]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; RCVD_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; URIBL_BLOCKED(0.00)[fastmail.net:email,gnu.org:url]; FROM_NEQ_ENVFROM(0.00)[zimontoutoune@gmail.com,guix-devel-bounces@gnu.org]; MIME_GOOD(-0.10)[text/plain]; HAS_LIST_UNSUB(-0.01)[]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; FORGED_SENDER_MAILLIST(0.00)[] X-TUID: 7p7nA0gUCcgl Hi Konrad, (add Ludo for advice :-)) On Mon, 4 May 2020 at 15:50, Konrad Hinsen wrote: > > I will add something overthere for tracking reproduciblity infos in > > the future. > > It would actually be nice to have some external Guix reproducibility > surveillance. A few benchmark packages that will be rebuilt regularly, > using frozen commits via time-machine, and checked for bit-by-bit > identity explicitly, not relying on Guix' hash mechanism. Trust but > verify. > > My example is perhaps not such a bad start. Building a Docker container > containing gcc exercises a lot of code in Guix. Does it make sense to: add the file "tests/guix-reproducibility.sh"? So that reproducibility issues are detected by "make check". Or add another rule in the Makefile? Or test reproducibility outside the Guix tree? All the best, simon > > I looked a bit at grafts. The documentation at > > https://guix.gnu.org/manual/en/html_node/Security-Updates.html > > isn't very explicit about the reproducibility of grafts. In particular, > it doesn't say if a package containing patched binaries retains its > original hash, or receives a new unique one. With a unique hash, grafts > would just be a tweak in the build system, and no less reproducible than > standard builds. It looks like I have to dive into the source code to > find out! > > Cheers, > Konrad