"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
-
"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
-
#nixos is somewhat of pioneer in the space of reproducible builds and is 20 years old
-
#nixos is somewhat of pioneer in the space of reproducible builds and is 20 years old
@gonzo_askold @orpach.neocities.org sure, but nix has still included packages that not in themselves were done reproducible I'm pretty sure.
-
"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
@bagder it’s been 3 days and your post is still trending… what a great motto.”
-
@gonzo_askold @orpach.neocities.org sure, but nix has still included packages that not in themselves were done reproducible I'm pretty sure.
@bagder @gonzo_askold @orpach.neocities.org yes, https://reproducible-builds.org/ also apply to nix : https://reproducible.nixos.org/
there was 100% on minimal iso in december, but there is no hard constraint on the whole 100k+ package set from nixkpgs -
@gonzo_askold @orpach.neocities.org sure, but nix has still included packages that not in themselves were done reproducible I'm pretty sure.
I'm not that knowledgeable about inside workings, but in theory (in my head) hashing all inputs does equate to byte-to-byte reproducibility, even if previous steps in the build process weren't written specifically to be reproduced
-
#nixos is somewhat of pioneer in the space of reproducible builds and is 20 years old
@gonzo_askold @orpach.neocities.org @bagder About reprocductibility, net install was there before ...
-
@gonzo_askold @orpach.neocities.org @bagder About reprocductibility, net install was there before ...
@domdel maybe I want there at that time
quick search of "net install reproducible" yields only dotnet stuff
-
I'm not that knowledgeable about inside workings, but in theory (in my head) hashing all inputs does equate to byte-to-byte reproducibility, even if previous steps in the build process weren't written specifically to be reproduced
@gonzo_askold @bagder sadly, that is not the case.
There are many corner cases, but the simplest example is "yes all your dependencies are reproducible, but you decide to `cat /dev/random > $PREFIX/my-seed`" or whatever. -
I'm not that knowledgeable about inside workings, but in theory (in my head) hashing all inputs does equate to byte-to-byte reproducibility, even if previous steps in the build process weren't written specifically to be reproduced
@gonzo_askold I'm only pointing out the difference, I'm not suggesting nix did anything bad or wrong.
-
I'm not that knowledgeable about inside workings, but in theory (in my head) hashing all inputs does equate to byte-to-byte reproducibility, even if previous steps in the build process weren't written specifically to be reproduced
@gonzo_askold: this isn't true, as some builds embed things like the timestamp and build hostname in the artifacts. Nix sets some notion of the timestamp to epoch to account for this, but cannot fix every impurity everywhere (maven builds are notoriously finnicky, for instance).
Nix is great at this, but somewhat suffers from embracing the package without submitting the changes it makes to the package upstream. Because nix is so flexible (and doesn't always have the pull that Debian does with packagers), i believe nix has been less influential here than you would hope.
This change from Debian is awesome as we will all benefit from the fixes.
-
@gonzo_askold I'm only pointing out the difference, I'm not suggesting nix did anything bad or wrong.
@bagder idk what would be practical differences between these two systems and how one or the other would be more secure against supply chain attacks or other mitms
would be pretty interested in some reference materials
-
@domdel maybe I want there at that time
quick search of "net install reproducible" yields only dotnet stuff
@gonzo_askold In fact #Debian and others are reproductible too.
You can visit https://reproducible-builds.org/ to have an idea. When I worked in administration, we have a server with window NT to install via network on 200 same machines. -
"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
@bagder this is also what fdroid does on Android i i think
-
"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
Does this mean derivatives like Devuan automatically do this too?
-
"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."
https://itsfoss.com/news/debian-makes-reproducible-builds-mandatory/
@bagder Wow, that's awesome! Does anyone know if Ubuntu also will force reproducible builds considering that Ubuntu is based on Debian?
-
@gonzo_askold @orpach.neocities.org sure, but nix has still included packages that not in themselves were done reproducible I'm pretty sure.
@bagder @gonzo_askold @orpach.neocities.org Indeed, Nix greatly increases the chances of producing reproducible packages by controlling the build environment.
That said, it does not magically make the final artefact reproducible. There can still be sources of non-determinism, and we try to track them down as much as possible.
So far, things are going well!
-
@bagder @gonzo_askold @orpach.neocities.org Indeed, Nix greatly increases the chances of producing reproducible packages by controlling the build environment.
That said, it does not magically make the final artefact reproducible. There can still be sources of non-determinism, and we try to track them down as much as possible.
So far, things are going well!
@Pol @bagder @gonzo_askold @orpach.neocities.org indeed, "replayable" and "hermetic" are better terms for what Nix provides. Some of the bitwise reproducibility of nixpkgs comes from rigorously defining all build inputs, various patches we apply and default build settings we default to. But the brunt of the work is the massive and steller upstream work of https://reproducible-builds.org/, without which nixpkgs would not even be close to bitwise reproducible
-
J jwcph@helvede.net shared this topic
