help-guix

Re: Reproducible bootstrapping


From: Leo Famulari
Subject: Re: Reproducible bootstrapping
Date: Tue, 5 Jul 2016 12:44:55 -0400
User-agent: Mutt/1.6.0 (2016-04-01)

On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
> On 04.07.16 at 18:46, Efraim Flashner wrote:
> 
> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
> >> Hi Ludo,
> >>
> >> thx for your quick reply, but no.
> >>
> >> I was talking about reproducible builds like it is mentioned here:
> >>
> >> https://lwn.net/Articles/663954/
> >>
> >> Cheers
> >>
> >> t3sserakt
> >>
> > based on my experience with the aarch64 bootstrap-tarballs,
> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducible, but
> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
> > are. After building them twice the latter 3 had the same `guix hash'
> > value.
> >
> > From the given tarballs, all the packages should be reproducible, and
> > there's always the `guix challenge' command to check a local build
> > against the one built from the build-farm.
> That means I can check the bootstrap binaries somehow. It is not that
> comfortable, but it is possible. Is there any place where you collect
> statements from single developers that they validated the hashes?
> Reproducible builds only make sense if a lot of people do these checks,
> and their statements about this can be seen somewhere.

I think it could be a first step to send signed mail containing the
hashes to guix-devel. I'm sure many of us archive all our mail, so we
could always dig up the old messages if the online guix-devel archives
disappear.
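
The following is an added example, not part of the original message or of Guix: a sketch of how hash statements collected from several developers' mails could be tallied per tarball. The one-line-per-tarball statement format, the sender addresses, the hash values and the quorum of two are assumptions, and the signature on each mail is assumed to have been verified before its body reaches this code.

```python
import re
from collections import defaultdict

# Constructed sample mails (sender, body). Hash values are placeholders,
# not real `guix hash` output. Signatures are assumed already verified.
STATEMENTS = [
    ("alice@example.org", "binutils-2.25.1.tar.xz aaaa1111\nguile-2.0.11.tar.xz bbbb2222\n"),
    ("bob@example.org", "> quoted text is ignored\nbinutils-2.25.1.tar.xz aaaa1111\n"
                        "guile-2.0.11.tar.xz cccc3333\n"),
    ("carol@example.org", "glibc-2.23.tar.xz dddd4444\n"),
    ("carol@example.org", "glibc-2.23.tar.xz dddd4444\n"),  # resent mail
]

# Assumed statement line: "<name>.tar.xz <hash>", nothing else on the line.
LINE = re.compile(r"^(\S+\.tar\.xz)\s+([0-9a-z]+)$")

def parse_statement(body):
    """Return {tarball: hash}; reject a mail that contradicts itself."""
    seen = {}
    for raw in body.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # greetings, quoted replies, signatures
        name, digest = m.groups()
        if seen.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting hashes for {name}")
    return seen

def tally(statements, quorum=2):
    """Classify each tarball as CONFIRMED, UNCONFIRMED or MISMATCH."""
    votes = defaultdict(lambda: defaultdict(set))
    for sender, body in statements:
        for name, digest in parse_statement(body).items():
            votes[name][digest].add(sender)  # set: one vote per sender
    report = {}
    for name, by_hash in votes.items():
        if len(by_hash) > 1:
            report[name] = "MISMATCH"  # builders disagree: investigate
        elif len(next(iter(by_hash.values()))) >= quorum:
            report[name] = "CONFIRMED"
        else:
            report[name] = "UNCONFIRMED"  # too few independent builders
    return report

if __name__ == "__main__":
    for name, status in sorted(tally(STATEMENTS).items()):
        print(f"{status:12} {name}")
```

A resent mail from the same sender does not raise the count, so a single builder cannot confirm a hash alone.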


