* A real-life test of long-term reproducibility @ 2022-08-04 8:43 Konrad Hinsen 2022-08-04 15:35 ` blake 2022-08-07 20:53 ` Ludovic Courtès 0 siblings, 2 replies; 15+ messages in thread From: Konrad Hinsen @ 2022-08-04 8:43 UTC (permalink / raw) To: Guix Devel Hi everyone, One of our claims is that Guix can rebuild code identically as long as we have a machine with a Linux kernel and a POSIX filesystem. This week I had an occasion to put this to a real-life test. So far it's a failure. I can guess reasons for my failed attempts, but I don't think they were unreasonable to try. So I'd like to document something that works, to avoid others falling into the same traps. I just don't know yet what the Right Way To Do It is! The package I want to rebuild and use is "nmoldyn" from Guix commit f250a868d8c687df08559682fa68fb4ea2a1ea69. That's the commit referenced in my notes, obtained via "guix describe" in early 2018. I am pretty sure it worked fine back then. First attempt: $ guix time-machine --commit=f250a868d8c687df08559682fa68fb4ea2a1ea69 -- build nmoldyn Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... Backtrace: In guix/store.scm: 672:3 19 (_) In ice-9/boot-9.scm: 1752:10 18 (with-exception-handler _ _ #:unwind? _ #:unwind-for-type _) In guix/store.scm: 659:37 17 (thunk) In guix/status.scm: 815:4 16 (call-with-status-report _ _) In guix/store.scm: 1298:8 15 (call-with-build-handler #<procedure 7ff03a85b960 at guix/ui.scm:1…> …) 2168:25 14 (run-with-store #<store-connection 256.99 7ff03b715c30> _ # _ # _ # _) In guix/inferior.scm: 903:8 13 (_ _) In guix/channels.scm: 944:2 12 (_ _) 891:2 11 (_ _) In ./guix/monads.scm: 487:9 10 (_ _) In guix/store.scm: 1996:8 9 (_ _) In guix/channels.scm: 642:36 8 (_ #<store-connection 256.99 7ff03b715c30>) 703:11 7 (_) In ice-9/eval.scm: 619:8 6 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) 626:19 5 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) 155:9 4 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) 223:20 3 (proc #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/sto…" …) …)) In unknown file: 2 (%resolve-variable (7 . %guix-register-program) #<directory (build-…>) In ice-9/boot-9.scm: 1685:16 1 (raise-exception _ #:continuable? _) 1685:16 0 (raise-exception _ #:continuable? _) ice-9/boot-9.scm:1685:16: In procedure raise-exception: error: %guix-register-program: unbound variable I don't understand what is going wrong here, but it may be related to the fact that the commit I am trying to go back to is older than "guix time-machine". If that's the explanation, it would help if Guix showed some clear error message instead of crashing. Next I tried checking out the source code for commit f250a868d8c687df08559682fa68fb4ea2a1ea69, and building it from source. This is a bit tricky because 2018 Guix cannot be built in today's Guix build environment. For example, today we have Guile 3, but back then we had Guile 2.2. So I need to do "guix environment guix" in an older Guix, before the Guile 3 transition, but later than the introduction of time-machine. I picked one somewhat at random: $ guix time-machine --commit=e2293cbbe0cd20ddeb932e6f5616565ab468c087 -- environment –pure guix Then I did "bootstrap", "configure –localstatedir=/var", "make check". The latter shows 15 failures, some of which look important: FAIL: tests/builders.scm FAIL: tests/derivations.scm FAIL: tests/packages.scm FAIL: tests/guix-environment.sh FAIL: tests/guix-daemon.sh And indeed I cannot build much with my compiled guix: $ ./pre-inst-env guix build nmoldyn hangs after a while, running a binary called "test-lock" for hours. Given the time lapse, I suppose there have been incompatible changes in the build daemon, making the old Guix incompatible with the rather recent build daemon running on my machine. But is there a way around this, other than installing an old Guix in a fully isolated VM? And if installing the old Guix in a VM is the only solution, what would be the best way to do that? I can't think of much else than starting from another distribution (e.g. Debian) and following the installation instructions. That's already a lot of work, but it's made worse by the installation instructions being hidden inside the manual of that old commit, which I cannot easily consult. I'd be grateful for any suggestions! Cheers, Konrad ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-04 8:43 A real-life test of long-term reproducibility Konrad Hinsen @ 2022-08-04 15:35 ` blake 2022-08-19 9:34 ` zimoun 2022-08-07 20:53 ` Ludovic Courtès 1 sibling, 1 reply; 15+ messages in thread From: blake @ 2022-08-04 15:35 UTC (permalink / raw) To: Konrad Hinsen, Guix Devel Hi Konrad, Just one quick comment: August 4, 2022 8:43 AM, "Konrad Hinsen" <konrad.hinsen@fastmail.net> wrote: > Hi everyone, > > One of our claims is that Guix can rebuild code identically as long as > we have a machine with a Linux kernel and a POSIX filesystem. This actually isn't the claim. Reproducibility is only guaranteed on Guix systems. It's important that you reproduce the entire system, which means you will have needed to have saved the commit of your version of the Guix package manager in order to return to that system. See the section of the Guix manual "Replicating Guix" for more info. https://guix.gnu.org/en/manual/devel/en/html_node/Replicating-Guix.html Happy hacking! > This week > I had an occasion to put this to a real-life test. So far it's a > failure. I can guess reasons for my failed attempts, but I don't think > they were unreasonable to try. So I'd like to document something that > works, to avoid others falling into the same traps. I just don't know > yet what the Right Way To Do It is! > > The package I want to rebuild and use is "nmoldyn" from Guix commit > f250a868d8c687df08559682fa68fb4ea2a1ea69. That's the commit referenced > in my notes, obtained via "guix describe" in early 2018. I am pretty > sure it worked fine back then. > > First attempt: > > $ guix time-machine --commit=f250a868d8c687df08559682fa68fb4ea2a1ea69 -- build nmoldyn > Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... > Backtrace: > In guix/store.scm: > 672:3 19 (_) > In ice-9/boot-9.scm: > 1752:10 18 (with-exception-handler _ _ #:unwind? _ #:unwind-for-type _) > In guix/store.scm: > 659:37 17 (thunk) > In guix/status.scm: > 815:4 16 (call-with-status-report _ _) > In guix/store.scm: > 1298:8 15 (call-with-build-handler #<procedure 7ff03a85b960 at guix/ui.scm:1…> …) > 2168:25 14 (run-with-store #<store-connection 256.99 7ff03b715c30> _ # _ # _ # _) > In guix/inferior.scm: > 903:8 13 (_ _) > In guix/channels.scm: > 944:2 12 (_ _) > 891:2 11 (_ _) > In ./guix/monads.scm: > 487:9 10 (_ _) > In guix/store.scm: > 1996:8 9 (_ _) > In guix/channels.scm: > 642:36 8 (_ #<store-connection 256.99 7ff03b715c30>) > 703:11 7 (_) > In ice-9/eval.scm: > 619:8 6 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) > 626:19 5 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) > 155:9 4 (_ #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/store/…" …) …)) > 223:20 3 (proc #(#(#(#<directory (build-self) 7ff03a8678c0>) "/gnu/sto…" …) …)) > In unknown file: > 2 (%resolve-variable (7 . %guix-register-program) #<directory (build-…>) > In ice-9/boot-9.scm: > 1685:16 1 (raise-exception _ #:continuable? _) > 1685:16 0 (raise-exception _ #:continuable? _) > > ice-9/boot-9.scm:1685:16: In procedure raise-exception: > error: %guix-register-program: unbound variable > > I don't understand what is going wrong here, but it may be related to > the fact that the commit I am trying to go back to is older than "guix > time-machine". If that's the explanation, it would help if Guix showed > some clear error message instead of crashing. > > Next I tried checking out the source code for commit > f250a868d8c687df08559682fa68fb4ea2a1ea69, and building it from > source. This is a bit tricky because 2018 Guix cannot be built in > today's Guix build environment. For example, today we have Guile 3, but > back then we had Guile 2.2. So I need to do "guix environment guix" in > an older Guix, before the Guile 3 transition, but later than the > introduction of time-machine. I picked one somewhat at random: > > $ guix time-machine --commit=e2293cbbe0cd20ddeb932e6f5616565ab468c087 > -- environment –pure guix > > Then I did "bootstrap", "configure –localstatedir=/var", "make > check". The latter shows 15 failures, some of which look important: > > FAIL: tests/builders.scm > FAIL: tests/derivations.scm > FAIL: tests/packages.scm > FAIL: tests/guix-environment.sh > FAIL: tests/guix-daemon.sh > > And indeed I cannot build much with my compiled guix: > > $ ./pre-inst-env guix build nmoldyn > > hangs after a while, running a binary called "test-lock" for hours. > > Given the time lapse, I suppose there have been incompatible changes in > the build daemon, making the old Guix incompatible with the rather > recent build daemon running on my machine. But is there a way around > this, other than installing an old Guix in a fully isolated VM? > > And if installing the old Guix in a VM is the only solution, what would > be the best way to do that? I can't think of much else than starting > from another distribution (e.g. Debian) and following the installation > instructions. That's already a lot of work, but it's made worse by the > installation instructions being hidden inside the manual of that old > commit, which I cannot easily consult. > > I'd be grateful for any suggestions! > > Cheers, > Konrad ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-04 15:35 ` blake @ 2022-08-19 9:34 ` zimoun 0 siblings, 0 replies; 15+ messages in thread From: zimoun @ 2022-08-19 9:34 UTC (permalink / raw) To: blake, Konrad Hinsen, Guix Devel Hi Blake, I am late to the party. :-) On jeu., 04 août 2022 at 15:35, blake@reproduciblemedia.com wrote: > August 4, 2022 8:43 AM, "Konrad Hinsen" <konrad.hinsen@fastmail.net> wrote: >> One of our claims is that Guix can rebuild code identically as long as >> we have a machine with a Linux kernel and a POSIX filesystem. This claim is correct, AFAIU. > This actually isn't the claim. Reproducibility is only guaranteed on > Guix systems. It's important that you reproduce the entire system, which > means you will have needed to have saved the commit of your version of > the Guix package manager in order to return to that system. It is possible to rebuild identically on any foreign GNU/Linux distro running the Guix package manager. The assumptions, between the 2 points in time, are: 1. compatibility of the Linux kernel 2. availability of all the source code 3. compatibility of the hardware AFAIK, #1 and #3 are satisfied. About #2, it depends and many corner cases are around. Running Guix System would allow to easily satisfy #1, but, AFAIK, no one reported an incompatibility of the Linux kernel defeating “guix time-machine -- build”, and thus, it appears to me still hypothetical (although possible on the paper) that, in this case, Guix System would still allow the travel back in time. > See the section of the Guix manual "Replicating Guix" for more info. > https://guix.gnu.org/en/manual/devel/en/html_node/Replicating-Guix.html Guix System is not mentioned, IIRC. :-) Cheers, simon ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-04 8:43 A real-life test of long-term reproducibility Konrad Hinsen 2022-08-04 15:35 ` blake @ 2022-08-07 20:53 ` Ludovic Courtès 2022-08-08 5:21 ` Timothy Sample ` (2 more replies) 1 sibling, 3 replies; 15+ messages in thread From: Ludovic Courtès @ 2022-08-07 20:53 UTC (permalink / raw) To: Konrad Hinsen; +Cc: Guix Devel Hi Konrad! Konrad Hinsen <konrad.hinsen@fastmail.net> skribis: > The package I want to rebuild and use is "nmoldyn" from Guix commit > f250a868d8c687df08559682fa68fb4ea2a1ea69. That's the commit referenced > in my notes, obtained via "guix describe" in early 2018. I am pretty > sure it worked fine back then. That’s a commit from January 2018, which is a few months before the release of 0.15.0, the first release with proper ‘guix pull’ support: https://guix.gnu.org/en/blog/2018/gnu-guix-and-guixsd-0.15.0-released/ In other words: warranty void. :-) We can go back to 1.0.0, and presumably to 0.15.0, but anything older than this is unknown territory. > First attempt: > > $ guix time-machine --commit=f250a868d8c687df08559682fa68fb4ea2a1ea69 -- build nmoldyn > Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... [...] > ice-9/boot-9.scm:1685:16: In procedure raise-exception: > error: %guix-register-program: unbound variable It’s a variable that used to exist in (guix config) but was removed long ago (in ea0a06cee2ba05451f94714a4f913db02efbe92c, shortly before 0.15.0.) > I don't understand what is going wrong here, but it may be related to > the fact that the commit I am trying to go back to is older than "guix > time-machine". If that's the explanation, it would help if Guix showed > some clear error message instead of crashing. It could check whether the target commit is in the closure of the v0.15.0 commit, but then that would give special treatment to the existing commit history. Maybe that’s OK though? > Next I tried checking out the source code for commit > f250a868d8c687df08559682fa68fb4ea2a1ea69, and building it from > source. This is a bit tricky because 2018 Guix cannot be built in > today's Guix build environment. For example, today we have Guile 3, but > back then we had Guile 2.2. So I need to do "guix environment guix" in > an older Guix, before the Guile 3 transition, but later than the > introduction of time-machine. I picked one somewhat at random: > > $ guix time-machine --commit=e2293cbbe0cd20ddeb932e6f5616565ab468c087 > -- environment –pure guix > > Then I did "bootstrap", "configure –localstatedir=/var", "make > check". The latter shows 15 failures, some of which look important: > > FAIL: tests/builders.scm > FAIL: tests/derivations.scm > FAIL: tests/packages.scm > FAIL: tests/guix-environment.sh > FAIL: tests/guix-daemon.sh We’d have to check what’s in ‘test-suite.log’; it might as well be an environment issue more than a “real” problem. > And indeed I cannot build much with my compiled guix: > > $ ./pre-inst-env guix build nmoldyn > > hangs after a while, running a binary called "test-lock" for hours. IIRC that was a bug in a Gnulib test (bundled in several GNU packages) that would hang on machines with maybe more than 4 cores. (See commit acc2dab7f2f50c9169d6388007c770878eae4a9c for example.) There might be hints on how to work around it in the mailing list archive… > Given the time lapse, I suppose there have been incompatible changes in > the build daemon, making the old Guix incompatible with the rather > recent build daemon running on my machine. But is there a way around > this, other than installing an old Guix in a fully isolated VM? > > And if installing the old Guix in a VM is the only solution, what would > be the best way to do that? I can't think of much else than starting > from another distribution (e.g. Debian) and following the installation > instructions. That's already a lot of work, but it's made worse by the > installation instructions being hidden inside the manual of that old > commit, which I cannot easily consult. Again, none of this should be necessary as long as the target commit is after 0.15.0 (or 1.0.0). That said, it may be possible to build that Jan. 2018 Guix using an environment created from Guix 0.15.0 or 1.0.0; it’s likely to have the right versions of dependencies, and it should be reachable with time-machine. I’d be curious to hear how it goes! Besides, I recently added ‘etc/time-travel-manifest.scm’ and added a corresponding jobset at <https://ci.guix.gnu.org/jobset/time-travel> (the jobset is not working well, but that’s because there are several processes concurrently accessing the same cached checkout; we need a trick to work around that…). I’d like to consolidate this so we can make sure that traveling back in time (after 0.15.0 or 1.0.0) remains a possibility. Thanks, Ludo’. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-07 20:53 ` Ludovic Courtès @ 2022-08-08 5:21 ` Timothy Sample 2022-08-08 8:44 ` Konrad Hinsen 2022-08-08 8:49 ` Konrad Hinsen 2 siblings, 0 replies; 15+ messages in thread From: Timothy Sample @ 2022-08-08 5:21 UTC (permalink / raw) To: Konrad Hinsen; +Cc: Ludovic Courtès, Guix Devel [-- Attachment #1: Type: text/plain, Size: 5385 bytes --] Hi Konrad, Ludovic Courtès <ludo@gnu.org> writes: > Konrad Hinsen <konrad.hinsen@fastmail.net> skribis: > >> The package I want to rebuild and use is "nmoldyn" from Guix commit >> f250a868d8c687df08559682fa68fb4ea2a1ea69. That's the commit referenced >> in my notes, obtained via "guix describe" in early 2018. I am pretty >> sure it worked fine back then. > > That’s a commit from January 2018, which is a few months before the > release of 0.15.0, the first release with proper ‘guix pull’ support: > > https://guix.gnu.org/en/blog/2018/gnu-guix-and-guixsd-0.15.0-released/ > > In other words: warranty void. :-) Agreed. That’s probably too early in Guix’s history to get good results. Keep in mind that the Software Heritage crawlers only started indexing Guix packages in 2019. That being said, I was too curious to leave this alone, so I tried my hand at building that package from that commit. > [...] > Again, none of this should be necessary as long as the target commit is > after 0.15.0 (or 1.0.0). > > That said, it may be possible to build that Jan. 2018 Guix using an > environment created from Guix 0.15.0 or 1.0.0; it’s likely to have the > right versions of dependencies, and it should be reachable with > time-machine. > > I’d be curious to hear how it goes! It turns out it’s pretty easy, apart from having to boil the ocean. Here’s what I did. I decided to try the easiest thing first, which is checkout f250a86 and try to build it with an environment from modern Guix. We still have Guile 2.2 packages, after all. Here’s the environment that I used: $ guix shell --pure guile@2.2 guile2.2-gnutls guile2.2-gcrypt \ gcc-toolchain coreutils bash autoconf automake guile2.2-git \ sqlite bzip2 gettext libtool pkg-config grep sed patch \ diffutils m4 findutils tar xz gzip libgcrypt gawk make\ texinfo help2man From there, I was able to build Guix normally. Some of those packages were guesses, and some were added to placate “configure”, I’m not sure that all of them are necessary, but they are sufficient. After that, I tried $ ./pre-inst-env guix build nmoldyn It hummed along for a long time, and then my desktop crashed due to the kernel’s out-of-memory process killer. For whatever reason, and even with 16G of RAM and 16G of swap, the Python 3 build gets smitten by the OOM killer. It happens when running the test suite, so I disabled it. (From what I read, the test suite is used to generate profiles to train the optimizer, so this is probably a bad idea. I decided to forge ahead instead of worry about this too much.) Next, it couldn’t find the source code for ImageMagick 6.9.9-30. It took a minute, but I tracked it down hidden in the following RPM: http://mirror.speedpartner.de/remi-archive/SRPMS/ImageMagick6-6.9.9.30-1.remi.src.rpm After extracting the tarball and adding it to the store with “guix download”, the build continued. There was one other source code issue, which was Mesa 17.2.1. It was easy to solve, as they just moved it to the “older-versions” directory on their server. The only other two issues were test failures due to certificate expiry. It happened for Python 2 and NSS. I remember there was a discussion about this problem in general recently, but I couldn’t track it down. For Python 2, I disabled the offending tests, and for NSS, I just disabled the whole test suite. After that, I got: @ build-succeeded /gnu/store/40x598cvpp16m87z52sj98c62dfbmmka-nmoldyn-3.0.11.drv - /gnu/store/khf2pf29vfq6b3dcca9p9mvz387jvdl7-nmoldyn-3.0.11 I’m honestly shocked that it worked so well. I wish I had a better way to keep track of where the sources came from. For example, I’m curious how many came from the build farm or other fallback options. Overall, I give Guix two thumbs up! Other than the Python 3 optimizer bit (which might be solvable), nothing substantive had to be changed to make this happen. For best practices, I do have one suggestion. The Guix package collection is not uniformly reproducible or archived. The best thing you can do to ensure the long-term prospects of your projects is to actually check how much of the source code is archived and how many of the builds are reproducible. There is no turn-key solution for this (though maybe there should be), but you can check the source code against the Preservation of Guix database [1], and you can check reproducibility using the Guix Data Service or with “guix check”. Ideally everything would be archived and reproducible, but it’s a work in progress. By checking, you might be able to fix some of the issues now while it’s easy instead of in five or ten years when it’s impossible! Thanks Konrad for the interesting experiment. While testing this out, I came to really appreciate how hackable Guix is. Even if I couldn’t find Mesa 17.2.1, say, I could proceed with a similar version or try to build it with Git. It’s not ideal to have to make changes, but it’s nice to know that Guix fails gracefully. In case it’s useful, I’ve attached the changes I made. -- Tim [1] It’s at <https://ngyro.com/pog-reports/latest/>, and yes, I know I ought to update it! :) [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: patch.diff --] [-- Type: text/x-patch, Size: 2727 bytes --] diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm index c42b4a00cb..83629d30e4 100644 --- a/gnu/packages/gl.scm +++ b/gnu/packages/gl.scm @@ -223,7 +223,10 @@ also known as DXTn or DXTC) for Mesa.") (source (origin (method url-fetch) - (uri (list (string-append "https://mesa.freedesktop.org/archive/" + (uri (list (string-append "https://archive.mesa3d.org/" + "older-versions/17.x/" + "mesa-" version ".tar.xz") + (string-append "https://mesa.freedesktop.org/archive/" "mesa-" version ".tar.xz") (string-append "ftp://ftp.freedesktop.org/pub/mesa/" "mesa-" version ".tar.xz") diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index a31e93d499..da9317cb42 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -336,7 +336,8 @@ in the Mozilla clients.") (setenv "DOMSUF" "(none)") (setenv "USE_IP" "TRUE") (setenv "IP_ADDRESS" "127.0.0.1") - (zero? (system* "./nss/tests/all.sh")))) + ;;(zero? (system* "./nss/tests/all.sh")) + #t)) (replace 'install (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out")) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 29fa2809ab..f11f405331 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -162,7 +162,10 @@ "Lib/test/test_import.py" "Lib/test/test_shutil.py" "Lib/test/test_socket.py" - "Lib/test/test_subprocess.py")) + "Lib/test/test_subprocess.py" + "Lib/test/test_httplib.py" + "Lib/test/test_ssl.py" + "Lib/test/test_urllib2_localnet.py")) #t)))) (outputs '("out" "tk")) ;tkinter; adds 50 MiB to the closure @@ -355,7 +358,12 @@ data types.") "Lib/test/test_fcntl.py")) #t)))) (arguments (substitute-keyword-arguments (package-arguments python-2) - ((#:tests? _) #t))) + ((#:tests? _) #t) + ((#:phases phases) + `(modify-phases ,phases + (add-before 'build 'set-extratestopts + (lambda _ + (setenv "EXTRATESTOPTS" "--help"))))))) (native-search-paths (list (search-path-specification (variable "PYTHONPATH") ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-07 20:53 ` Ludovic Courtès 2022-08-08 5:21 ` Timothy Sample @ 2022-08-08 8:44 ` Konrad Hinsen 2022-08-19 10:25 ` zimoun 2022-08-08 8:49 ` Konrad Hinsen 2 siblings, 1 reply; 15+ messages in thread From: Konrad Hinsen @ 2022-08-08 8:44 UTC (permalink / raw) To: Ludovic Courtès, Timothy Sample; +Cc: Guix Devel Hi Ludo and Tim, Thanks for your comments and experiments! Ludovic Courtès <ludo@gnu.org> writes: > That’s a commit from January 2018, which is a few months before the > release of 0.15.0, the first release with proper ‘guix pull’ support: Ouch. I wasn't aware that even "guix pull" happened later! >> I don't understand what is going wrong here, but it may be related to >> the fact that the commit I am trying to go back to is older than "guix >> time-machine". If that's the explanation, it would help if Guix showed >> some clear error message instead of crashing. > > It could check whether the target commit is in the closure of the > v0.15.0 commit, but then that would give special treatment to the > existing commit history. Maybe that’s OK though? I'd say yes, because the only problem is the existing commit history. At least until we extend time-machine to actually change the past ;-) > IIRC that was a bug in a Gnulib test (bundled in several GNU packages) > that would hang on machines with maybe more than 4 cores. (See commit > acc2dab7f2f50c9169d6388007c770878eae4a9c for example.) There might be > hints on how to work around it in the mailing list archive… Hardware dependencies... > That said, it may be possible to build that Jan. 2018 Guix using an > environment created from Guix 0.15.0 or 1.0.0; it’s likely to have the > right versions of dependencies, and it should be reachable with > time-machine. I'll try with 1.0.0, that looks nicer than 0.15.0 ;-) > Besides, I recently added ‘etc/time-travel-manifest.scm’ and added a > corresponding jobset at <https://ci.guix.gnu.org/jobset/time-travel> Nice! Guix will be certified for time travel! Timothy Sample <samplet@ngyro.com> writes: > It turns out it’s pretty easy, apart from having to boil the ocean. > Here’s what I did. Very interesting, thanks! > I’m honestly shocked that it worked so well. I wish I had a better way > to keep track of where the sources came from. For example, I’m curious > how many came from the build farm or other fallback options. > > Overall, I give Guix two thumbs up! Other than the Python 3 optimizer > bit (which might be solvable), nothing substantive had to be changed to > make this happen. Indeed. And yet, from the point of view of a non-expert user, even the slightest fix required is a show stopper. > For best practices, I do have one suggestion. The Guix package > collection is not uniformly reproducible or archived. The best thing > you can do to ensure the long-term prospects of your projects is to > actually check how much of the source code is archived and how many of > the builds are reproducible. There is no turn-key solution for this Yes, that's a good idea, and I have done it for my most recent packages. Time will tell if this is enough. > Thanks Konrad for the interesting experiment. While testing this out, I > came to really appreciate how hackable Guix is. Even if I couldn’t find > Mesa 17.2.1, say, I could proceed with a similar version or try to build > it with Git. It’s not ideal to have to make changes, but it’s nice to > know that Guix fails gracefully. Definitely! Cheers, Konrad. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-08 8:44 ` Konrad Hinsen @ 2022-08-19 10:25 ` zimoun 2022-08-22 11:34 ` Konrad Hinsen 0 siblings, 1 reply; 15+ messages in thread From: zimoun @ 2022-08-19 10:25 UTC (permalink / raw) To: Konrad Hinsen, Ludovic Courtès, Timothy Sample; +Cc: Guix Devel Hi Konrad, On lun., 08 août 2022 at 10:44, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote: >> Besides, I recently added ‘etc/time-travel-manifest.scm’ and added a >> corresponding jobset at <https://ci.guix.gnu.org/jobset/time-travel> > > Nice! Guix will be certified for time travel! [...] >> For best practices, I do have one suggestion. The Guix package >> collection is not uniformly reproducible or archived. The best thing >> you can do to ensure the long-term prospects of your projects is to >> actually check how much of the source code is archived and how many of >> the builds are reproducible. There is no turn-key solution for this > > Yes, that's a good idea, and I have done it for my most recent packages. > Time will tell if this is enough. Now, Guix is checking that “guix time-machine” does not break; i.e, be able to rebuild a previous Guix using inferior. That’s cool! However, many things can be out of rail. This claim about reproducibility over the time assumes: 1. compatibility of the Linux kernel 2. availability of all the source code 3. compatibility of the hardware Well, until now, nothing had been reported about #1. But, we have examples of issues about #2 and #3. For instance, about #2, Timothy reported the loss of the source code of ImageMagick 6.9.9-30 – some time ago, I reported another issue with another ImageMagick version from 2020 (<https://yhetil.org/guix/87tuebwlrc.fsf@gmail.com>). Although the project is making many efforts to archive all the source, the coverage is not 100%: https://ngyro.com/pog-reports/latest/ and only one tiny loss of only one node in the graph of dependencies, then all the efforts are ruined. About #3, the new NVMe disks leads to an issue with bootstrapping; as reported by <https://issues.guix.gnu.org/41264>. It means that, if the binary substitutes are lost and I have only a machine with NVMe, then I cannot rebuild from scratch. All that said, Guix is the best and most advanced solution on the market for reproducible time-traveling. :-) For most of the cases, it is awesome to just type “guix time-machine” and rebuild a complete computational environment exactly as it was 2 or 3 years ago. On lun., 08 août 2022 at 10:49, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote: > Even 1.0.0 isn't obvious: > > $ guix time-machine --commit=version-1.0.0 -- environment guix > guix time-machine: error: Git error: unable to parse OID - contains invalid characters > > OK, so let's try the commit hash: > > $ guix time-machine --commit=48aa30ce73d45dc5f126f42f01e65f1be4a9b578 -- environment guix > Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... > Authenticating channel 'guix', commits 9edb3f6 to 48aa30c (6 new commits)... > guix time-machine: error: commit > 48aa30ce73d45dc5f126f42f01e65f1be4a9b578 is not a descendant of > introductory commit 9edb3f66fd807b096b48283debdcddccfea34bad That’s because version-1.0.0 (48aa30ce73) is a branch and indeed not a descendant. --8<---------------cut here---------------start------------->8--- * 746ac457cc Merge branch 'version-1.0.0' |\ * | c457f109be gnu: php: Update to 7.3.5. [...] * | 1a8984536f gnu: Add sdl2-net. | | * 48aa30ce73 build: Add 'doc/build.scm' to build on-line copies of the manual. (origin/version-1.0.0) | | * adf577dcc4 doc: Update htmlxref.cnf. | | * 1a9fc8e228 doc: Warn about missing entries in htmlxref.cnf. | | * 2921b6a611 doc: Adjust cross-references for GNU triplets. | | * 3aa11dfbed doc: Provide the actual URL to the VM image. | | * 542e7fb57f doc: Add note about <https://bugs.gnu.org/35541>. | | / | |/ | * 3a3e9f2bb5 guix-install.sh: Update URL. | * 9c941364bf vm: Build ISOs and VM images in a UTF-8 environment. | * 17acc215bf gnu: guix: Update to 326dcbf. | * 326dcbf1b3 gnu: guix: Update to 1.0.0. | * 6298c3ffd9 Update NEWS. (tag: v1.0.0) --8<---------------cut here---------------end--------------->8--- What you want is tag v1.0.0 (6298c3ffd9). Otherwise, you need the option ’--disable-authentication’. Cheers, simon ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-19 10:25 ` zimoun @ 2022-08-22 11:34 ` Konrad Hinsen 0 siblings, 0 replies; 15+ messages in thread From: Konrad Hinsen @ 2022-08-22 11:34 UTC (permalink / raw) To: zimoun, Ludovic Courtès, Timothy Sample; +Cc: Guix Devel Hi Simon, > However, many things can be out of rail. This claim about > reproducibility over the time assumes: > > 1. compatibility of the Linux kernel > 2. availability of all the source code > 3. compatibility of the hardware > > Well, until now, nothing had been reported about #1. But, we have > examples of issues about #2 and #3. Thanks for pointing this out. I have had #3 issues myself, with a package (OpenBLAS or something related) failing to build on processors later than the software release date. But I guess #2 is the main issue for reviving old code. Software Heritage should settle that for the future. > All that said, Guix is the best and most advanced solution on the market > for reproducible time-traveling. :-) For most of the cases, it is > awesome to just type “guix time-machine” and rebuild a complete > computational environment exactly as it was 2 or 3 years ago. Indeed! > That’s because version-1.0.0 (48aa30ce73) is a branch and indeed not a > descendant. ... > What you want is tag v1.0.0 (6298c3ffd9). Otherwise, you need the > option ’--disable-authentication’. OK, thanks, I will try with that! Cheers, Konrad. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-07 20:53 ` Ludovic Courtès 2022-08-08 5:21 ` Timothy Sample 2022-08-08 8:44 ` Konrad Hinsen @ 2022-08-08 8:49 ` Konrad Hinsen 2022-09-02 13:17 ` Ludovic Courtès 2 siblings, 1 reply; 15+ messages in thread From: Konrad Hinsen @ 2022-08-08 8:49 UTC (permalink / raw) To: Ludovic Courtès; +Cc: Guix Devel Hi Ludo, > We can go back to 1.0.0, and presumably to 0.15.0, but anything older > than this is unknown territory. Even 1.0.0 isn't obvious: $ guix time-machine --commit=version-1.0.0 -- environment guix guix time-machine: error: Git error: unable to parse OID - contains invalid characters OK, so let's try the commit hash: $ guix time-machine --commit=48aa30ce73d45dc5f126f42f01e65f1be4a9b578 -- environment guix Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... Authenticating channel 'guix', commits 9edb3f6 to 48aa30c (6 new commits)... guix time-machine: error: commit 48aa30ce73d45dc5f126f42f01e65f1be4a9b578 is not a descendant of introductory commit 9edb3f66fd807b096b48283debdcddccfea34bad Cheers, Konrad. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-08-08 8:49 ` Konrad Hinsen @ 2022-09-02 13:17 ` Ludovic Courtès 2022-09-02 14:18 ` zimoun 2022-09-05 9:51 ` Ludovic Courtès 0 siblings, 2 replies; 15+ messages in thread From: Ludovic Courtès @ 2022-09-02 13:17 UTC (permalink / raw) To: Konrad Hinsen; +Cc: Guix Devel Hi, Konrad Hinsen <konrad.hinsen@fastmail.net> skribis: > $ guix time-machine --commit=48aa30ce73d45dc5f126f42f01e65f1be4a9b578 -- environment guix > Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... > Authenticating channel 'guix', commits 9edb3f6 to 48aa30c (6 new commits)... > guix time-machine: error: commit > 48aa30ce73d45dc5f126f42f01e65f1be4a9b578 is not a descendant of > introductory commit 9edb3f66fd807b096b48283debdcddccfea34bad Here you would need ‘--allow-downgrades’. Ludo’. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-09-02 13:17 ` Ludovic Courtès @ 2022-09-02 14:18 ` zimoun 2022-09-05 7:49 ` Konrad Hinsen 2022-09-05 9:51 ` Ludovic Courtès 1 sibling, 1 reply; 15+ messages in thread From: zimoun @ 2022-09-02 14:18 UTC (permalink / raw) To: Ludovic Courtès, Konrad Hinsen; +Cc: Guix Devel Hi Ludo, On Fri, 02 Sep 2022 at 15:17, Ludovic Courtès <ludo@gnu.org> wrote: > Here you would need ‘--allow-downgrades’. Maybe time-machine could advertise of this option? Well aside, it can be indeed confusing that the version-1.x branch does not match the tag v1.x; I understand why. --8<---------------cut here---------------start------------->8--- $ git log --graph --format="%h %s %d" v1.0.0^..origin/version-1.0.0 * 48aa30ce73 build: Add 'doc/build.scm' to build on-line copies of the manual. (origin/version-1.0.0) * adf577dcc4 doc: Update htmlxref.cnf. * 1a9fc8e228 doc: Warn about missing entries in htmlxref.cnf. * 2921b6a611 doc: Adjust cross-references for GNU triplets. * 3aa11dfbed doc: Provide the actual URL to the VM image. * 542e7fb57f doc: Add note about <https://bugs.gnu.org/35541>. * 3a3e9f2bb5 guix-install.sh: Update URL. * 9c941364bf vm: Build ISOs and VM images in a UTF-8 environment. * 17acc215bf gnu: guix: Update to 326dcbf. * 326dcbf1b3 gnu: guix: Update to 1.0.0. * 6298c3ffd9 Update NEWS. (tag: v1.0.0) --8<---------------cut here---------------end--------------->8--- Does it make sense to document it? And does it make sense to merge to master right after 326dcbf1b3? And not after some commits: --8<---------------cut here---------------start------------->8--- $ for i in $(seq 0 3); do \ git log --graph --format="%h %s %d" v1.$i.0^..origin/version-1.$i.0 \ | wc -l ;done 11 6 warning: refname 'v1.2.0' is ambiguous. 10 7 --8<---------------cut here---------------end--------------->8--- Cheers, simon ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-09-02 14:18 ` zimoun @ 2022-09-05 7:49 ` Konrad Hinsen 2022-09-05 9:32 ` zimoun 0 siblings, 1 reply; 15+ messages in thread From: Konrad Hinsen @ 2022-09-05 7:49 UTC (permalink / raw) To: zimoun, Ludovic Courtès; +Cc: Guix Devel Hi Ludo and Simon, > On Fri, 02 Sep 2022 at 15:17, Ludovic Courtès <ludo@gnu.org> wrote: > >> Here you would need ‘--allow-downgrades’. > > Maybe time-machine could advertise of this option? And explain what it's about. I don't consider myself an absolute beginner with Guix, but I don't understand what's going on here! > Well aside, it can be indeed confusing that the version-1.x branch does > not match the tag v1.x; I understand why. OK, now I do a well... but should users need to understand the developers' git workflow? Ultimately, the issue here is that guix works on the implementation level of git commit references, whereas the development process uses an abstraction layer on top of it. Maybe "guix pull" and "guix time-machine" should acquire some built-in intelligence when given a tag instead of a hash? Issue a warning when an inappropriate tag is given, and suggest a correction? Cheers, Konrad. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-09-05 7:49 ` Konrad Hinsen @ 2022-09-05 9:32 ` zimoun 0 siblings, 0 replies; 15+ messages in thread From: zimoun @ 2022-09-05 9:32 UTC (permalink / raw) To: Konrad Hinsen, Ludovic Courtès; +Cc: Guix Devel Hi Konrad, On lun., 05 sept. 2022 at 09:49, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote: > Hi Ludo and Simon, > >> On Fri, 02 Sep 2022 at 15:17, Ludovic Courtès <ludo@gnu.org> wrote: >> >>> Here you would need ‘--allow-downgrades’. >> >> Maybe time-machine could advertise of this option? > > And explain what it's about. I don't consider myself an absolute > beginner with Guix, but I don't understand what's going on here! Well, it is documented. ;-) The entry of ’time-machine’ [1] is the manual says: The general syntax is: guix time-machine options… -- command arg… where command and arg… are passed unmodified to the guix command of the specified revision. The options that define this revision are the same as for guix pull (see Invoking guix pull): then the entry of ’guix pull’ [2] explains the option: --allow-downgrades Allow pulling older or unrelated revisions of channels than those currently in use. By default, guix pull protects against so-called “downgrade attacks” whereby the Git repository of a channel would be reset to an earlier or unrelated revision of itself, potentially leading you to install older, known-vulnerable versions of software packages. Last, a blog post [3] provides some details. I agree it could be improved. Any suggestion? :-) 1: https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-time_002dmachine 2: https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-pull 3: https://guix.gnu.org/en/blog/2020/securing-updates/ > OK, now I do a well... but should users need to understand the > developers' git workflow? I agree. > Ultimately, the issue here is that guix works on the implementation > level of git commit references, whereas the development process uses an > abstraction layer on top of it. Maybe "guix pull" and "guix > time-machine" should acquire some built-in intelligence when given a tag > instead of a hash? Issue a warning when an inappropriate tag is given, > and suggest a correction? Well, the tags are there and usable. But, Guix relies on guile-git and uses string->oid; which supporting hash-commit and not string-tag. That’s a technical limitation which could be easily improved, I guess. Even, we could imagine local Git-tags using “guix git tag” and reuse them via the time-machine. Some code are around for “guix git log” (see branch wip-guix-log [4]). (However, although convenient, Git-tag is extrinsic (mutable) and thus it is not suitable for long-term, where intrinsic (immutable) seems preferred.) 4: https://git.savannah.gnu.org/cgit/guix.git/log/?h=wip-guix-log Cheers, simon ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-09-02 13:17 ` Ludovic Courtès 2022-09-02 14:18 ` zimoun @ 2022-09-05 9:51 ` Ludovic Courtès 2022-09-07 15:39 ` Konrad Hinsen 1 sibling, 1 reply; 15+ messages in thread From: Ludovic Courtès @ 2022-09-05 9:51 UTC (permalink / raw) To: Konrad Hinsen; +Cc: Guix Devel Hi, Ludovic Courtès <ludo@gnu.org> skribis: > Konrad Hinsen <konrad.hinsen@fastmail.net> skribis: > >> $ guix time-machine --commit=48aa30ce73d45dc5f126f42f01e65f1be4a9b578‘> -- environment guix >> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'... >> Authenticating channel 'guix', commits 9edb3f6 to 48aa30c (6 new commits)... >> guix time-machine: error: commit >> 48aa30ce73d45dc5f126f42f01e65f1be4a9b578 is not a descendant of >> introductory commit 9edb3f66fd807b096b48283debdcddccfea34bad > > Here you would need ‘--allow-downgrades’. Sorry I replied to quickly; it should have been ‘--disable-authentication’. Why? Because here you’re trying to travel to a commit that’s not part of the “authenticated history”—that is, it’s not a descendant of the “introductory commit”, which is the first commit in history starting from which the “authentication invariant” holds. Hopefully this is clearer; maybe? :-) Cheers, Ludo’. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: A real-life test of long-term reproducibility 2022-09-05 9:51 ` Ludovic Courtès @ 2022-09-07 15:39 ` Konrad Hinsen 0 siblings, 0 replies; 15+ messages in thread From: Konrad Hinsen @ 2022-09-07 15:39 UTC (permalink / raw) To: Ludovic Courtès; +Cc: Guix Devel Hi Ludo and Simon, > Sorry I replied to quickly; it should have been > ‘--disable-authentication’. > > Why? Because here you’re trying to travel to a commit that’s not part > of the “authenticated history”—that is, it’s not a descendant of the > “introductory commit”, which is the first commit in history starting > from which the “authentication invariant” holds. > > Hopefully this is clearer; maybe? :-) It's perfectly clear. I just wonder how I would find the solution starting from the error message. zimoun <zimon.toutoune@gmail.com> writes: >> And explain what it's about. I don't consider myself an absolute >> beginner with Guix, but I don't understand what's going on here! > > Well, it is documented. ;-) The entry of ’time-machine’ [1] is the > manual says: ... Same remark: How would I get to that section of the manual from the error message? > I agree it could be improved. Any suggestion? :-) My impression is that the error message I quoted is very specific to this situation, so it could actually say "Retry with --disable-authentication if you are sure that there is no security issue". Right? Cheers, Konrad. ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2022-09-07 16:07 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-08-04 8:43 A real-life test of long-term reproducibility Konrad Hinsen 2022-08-04 15:35 ` blake 2022-08-19 9:34 ` zimoun 2022-08-07 20:53 ` Ludovic Courtès 2022-08-08 5:21 ` Timothy Sample 2022-08-08 8:44 ` Konrad Hinsen 2022-08-19 10:25 ` zimoun 2022-08-22 11:34 ` Konrad Hinsen 2022-08-08 8:49 ` Konrad Hinsen 2022-09-02 13:17 ` Ludovic Courtès 2022-09-02 14:18 ` zimoun 2022-09-05 7:49 ` Konrad Hinsen 2022-09-05 9:32 ` zimoun 2022-09-05 9:51 ` Ludovic Courtès 2022-09-07 15:39 ` Konrad Hinsen
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.