* Are Guix-generated Docker images reproducible?
From: Konrad Hinsen @ 2024-09-16 11:27 UTC
To: Guix Devel

Hi everyone,

Suppose you do

    guix time-machine --channels=channels.scm -- \
         pack --format=docker --manifest=manifest.scm

You keep a copy of channels.scm and manifest.scm, and run the same
command a few months (and "guix pull"s) later, can you expect to get the
exact same Docker image file, bit for bit? If not, why not?

Cheers,
  Konrad.

* Re: Are Guix-generated Docker images reproducible?
From: Ignas Lapėnas @ 2024-09-16 11:43 UTC
To: Konrad Hinsen; +Cc: Help Guix
Hi,
Most packages are reproducible, and should get you the exact same docker
image file.
https://qa.guix.gnu.org/reproducible-builds
As far as I know, it is possible that source code is no longer
available and unreachable (there might be something already for long
term storage, but that I do not know), then the image might not
build. Or there might be tests that depend on time for some reason.
Hope that helps.
Konrad Hinsen <konrad.hinsen@fastmail.net> writes:
> Hi everyone,
>
> Suppose you do
>
> guix time-machine --channels=channels.scm -- \
> pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?
>
> Cheers,
> Konrad.
--
Best Regards,
Ignas Lapėnas

* Re: Are Guix-generated Docker images reproducible?
From: Suhail Singh @ 2024-09-16 13:21 UTC
To: Konrad Hinsen; +Cc: Guix Devel
Konrad Hinsen <konrad.hinsen@fastmail.net> writes:
> Suppose you do
>
> guix time-machine --channels=channels.scm -- \
> pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?
Based on what I have observed, I know that you can get the same docker
image (as identified by the image ID hash) in some instances. A
necessary condition, I imagine, would have to be for the build results
to be deterministic (i.e., the derivations to be "reproducible").
--
Suhail

* Re: Are Guix-generated Docker images reproducible?
From: Konrad Hinsen @ 2024-09-16 14:49 UTC
To: Suhail Singh; +Cc: Guix Devel
Hi Ignas and Suhail,
Thanks for your comments!
As you may have guessed, the reason for my question was that I
encountered a non-reproducible Docker image build. And as both of you
point out, the packages entering into the images must be
reproducible. That's something I had actually checked for my specific
case. I was looking for other possible causes.
In the meantime, I found the explanation for my case: the packages in my
image are reproducible, but the profile composed from them is not, due
to a non-deterministic step in profile generation.
For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295
Cheers,
Konrad.
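
Added example (not part of the original thread, and not Guix code): when two runs of the pack command produce different files, a member-by-member comparison shows whether the difference sits in a package, in generated profile data, or only in archive metadata. It assumes the image is a tar archive (optionally compressed) whose layers are nested members ending in .tar; the archives and file names below are constructed samples.

```python
import hashlib, io, tarfile
FIELDS = ("type", "mode", "uid", "gid", "mtime", "linkname", "content")

def index(blob, prefix=""):
    """Map member path -> metadata + content hash, descending into nested *.tar layers."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[prefix + m.name] = (m.type, m.mode, m.uid, m.gid, m.mtime,
                                    m.linkname, hashlib.sha256(data).hexdigest())
            if m.isfile() and m.name.endswith(".tar"):
                out.update(index(data, prefix + m.name + "!/"))
    return out

def diff_images(a, b):
    """Return [] for bit-identical archives, else a list of (kind, path) findings."""
    if a == b:
        return []
    ia, ib = index(a), index(b)
    report = []
    for path in sorted(ia.keys() | ib.keys()):
        if path not in ia or path not in ib:
            report.append(("only-in-second" if path not in ia else "only-in-first", path))
        elif ia[path] != ib[path]:
            changed = [f for f, x, y in zip(FIELDS, ia[path], ib[path]) if x != y]
            report.append(("changed:" + ",".join(changed), path))
    if not report and list(ia) != list(ib):
        report.append(("member-order", ""))   # same members, stored in a different order
    return report or [("framing-or-compression", "")]

def make_tar(entries):
    """Constructed sample input: build an uncompressed tar from (name, bytes, mtime)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mtime in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Two constructed "builds": identical package file, but a generated profile file differs.
LAYER_1 = make_tar([("gnu/store/pkg/bin/hello", b"ELF...", 1), ("profile/manifest", b"a b", 1)])
LAYER_2 = make_tar([("gnu/store/pkg/bin/hello", b"ELF...", 1), ("profile/manifest", b"b a", 1)])
BUILD_1 = make_tar([("manifest.json", b"[]", 1), ("layer.tar", LAYER_1, 1)])
BUILD_2 = make_tar([("manifest.json", b"[]", 1), ("layer.tar", LAYER_2, 1)])

if __name__ == "__main__":
    print(diff_images(BUILD_1, BUILD_2))
```

On real output, read both image files as bytes and pass them to diff_images; a finding under a layer path points at the file to investigate.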

* Re: Are Guix-generated Docker images reproducible?
From: Suhail Singh @ 2024-09-16 17:37 UTC
To: Konrad Hinsen; +Cc: Suhail Singh, Guix Devel
Konrad Hinsen <konrad.hinsen@fastmail.net> writes:
> As you may have guessed, the reason for my question was that I
> encountered a non-reproducible Docker image build. And as both of you
> point out, the packages entering into the images must be
> reproducible.
Right, that's necessary, but as you observed, not sufficient.
> In the meantime, I found the explanation for my case: the packages in my
> image are reproducible, but the profile composed from them is not, due
> to a non-deterministic step in profile generation.
Good catch! It would be nice if profile generation preserved
reproducibility.
> For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295
Thanks for the reference.
--
Suhail

* Re: Are Guix-generated Docker images reproducible?
From: Simon Tournier @ 2024-09-20 16:55 UTC
To: Konrad Hinsen, Guix Devel
Hi Konrad,
On Mon., 16 Sept. 2024 at 13:27, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:
> Suppose you do
>
> guix time-machine --channels=channels.scm -- \
> pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?
That’s the idea but, as noticed in the thread, there are still some
roadblocks to have a bullet-proof machinery.
FWIW, we can go a bit further and ask: if the binary Docker image had
been produced by Guix, and that’s all we have, are we still able to know
exactly how it had been produced? And thus rebuild it bit-to-bit?
One step in this direction is explained in this post:
https://hpc.guix.info/blog/2021/10/when-docker-images-become-fixed-point/
And the other steps are the ones noticed. ;-)
Cheers,
simon