Re: Reproducible bootstrapping

[Ludovic Courtès]

Leo Famulari <address@hidden> skribis:

> On Tue, Jul 05, 2016 at 09:34:30AM +0200, t3sserakt wrote:
>> Am 04.07.16 um 18:46 schrieb Efraim Flashner:
>> 
>> > On Mon, Jul 04, 2016 at 06:01:51PM +0200, t3sserakt wrote:
>> >> Hi Ludo,
>> >>
>> >> thx for your quick reply, but no.
>> >>
>> >> I was talking about reproducible builds like it is mentioned here:
>> >>
>> >> https://lwn.net/Articles/663954/
>> >>
>> >> Cheers
>> >>
>> >> t3sserakt
>> >>
>> > based on my experience with the aarch64 bootstrap-tarballs,
>> > guile-2.0.11.tar.xz and gcc-4.9.3.tar.xz aren't reproducable, but
>> > binutils-2.25.1.tar.xz, glibc-2.23.tar.xz and the static-binaries.tar.xz
>> > are. After building them twice the later 3 had the same `guix hash'
>> > value.
>> >
>> > From the given tarballs, all the packages should be reproducable, and
>> > there's always the `guix challenge' command to check a local build
>> > against the one built from the build-farm.
>> That means, I can check the bootstrap binaries somehow. It is not that
>> comfortable, but it is possible. Is there any place, where you collect
>> statements from single developers, that they validated the hashes.
>> Reproducible builds only make sense, if a lot of people do this checks,
>> and their statement about this can be seen somewhere.
>
> I think it could be a first step to send signed mail containing the
> hashes to guix-devel. I'm sure many of us archive all our mail, so we
> could always dig up the old messages if the online guix-devel archives
> disappear.

An idea that has been floating around is that users or independent
organizations could publish substitutes, which are signed.  We could
then archive signatures for each substitutes.  For reproducible
packages, we’d have several independent signatures for a given
package/hash pair.

Ludo’.