
Re: Reproducible Build Summit


From: Ludovic Courtès
Subject: Re: Reproducible Build Summit
Date: Wed, 09 Dec 2015 15:08:34 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Ludovic Courtès) skribis:

>    Eelco, Manolis, and I sat together for the hacking sessions.  I
>    focused on shamelessly stealing the Nix daemon’s ability to rebuild a
>    derivation and error out if the result differs (commits 07e70f4 and
>    708d907.)

Commit a8d6564 adds the --check option for ‘guix build’:

  ‘--check’
       Rebuild PACKAGE-OR-DERIVATION, which are already available in the
       store, and raise an error if the build results are not bit-for-bit
       identical.

       This mechanism allows you to check whether previously-installed
       substitutes are genuine (*note Substitutes::), or whether a
       package’s build result is deterministic.  *Note Invoking guix
       challenge::, for more background information and tools.

and commit 5b74fe0 adds --rounds:

  ‘--rounds=N’
       Build each derivation N times in a row, and raise an error if
       consecutive build results are not bit-for-bit identical.

       This is a useful way to detect non-deterministic build processes.
       Non-deterministic build processes are a problem because they make
       it practically impossible for users to _verify_ whether third-party
       binaries are genuine.  *Note Invoking guix challenge::, for more.

       Note that, currently, the differing build results are not kept
       around, so you will have to manually investigate in case of an
       error—e.g., by stashing one of the build results with ‘guix archive
       --export’, then rebuilding, and finally comparing the two results.

I encourage you to use the latter when adding new packages and to
investigate any reproducibility issues!

>    I also discussed with Eelco the fact that the daemon was leaking the
>    real name of the build directory, meaning that if a build machine
>    runs:
>
>      TMPDIR=/foo/bar guix-daemon
>
>    and the other runs:
>
>      TMPDIR=/tmp guix-daemon
>
>    then the first build process will see a directory called
>    /foo/bar/nix-build-xxx.  If it captures the build directory name,
>    then we get a discrepancy.  Eelco quickly changed that, such that the
>    build process always sees /tmp/nix-build-xxx:
>    
> <https://github.com/NixOS/nix/commit/8063fc497ab78fa72962b93874fe25dcca2b55ed>.
>    I’ll merge this commit soon.

Done in cb96010.

Ludo’.
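The two mechanisms discussed in this message, repeated builds compared bit-for-bit (‘--rounds=N’) and a build that leaks its real build directory into its output (the TMPDIR discrepancy), can be reproduced offline with a toy script. The following POSIX shell example is added here and is not part of the message, of Guix, or of the Nix daemon; the names ‘build_rounds’, ‘leaky_build’ and ‘fixed_build’ are hypothetical, ‘cksum’ stands in for the store hash, and ‘mktemp -d’ per round stands in for the daemon's /tmp/nix-build-xxx directory. On a mismatch it keeps the first and the differing output and diffs them, which is the manual investigation the message describes (stash one result, rebuild, compare).

```shell
#!/bin/sh
# Added example, not Guix's own code: a toy re-implementation of the
# '--rounds=N' idea.  Each round runs the builder in a fresh build
# directory (standing in for /tmp/nix-build-xxx), hashes the output, and
# compares it with the first round.  On a mismatch the first and the
# differing output are kept and diffed, mirroring the manual procedure
# (stash one result, rebuild, compare).
set -u

# Toy builder that captures the *real* build directory into its output,
# which is exactly the TMPDIR leak described above.
# Args: $1 = build directory, $2 = output file.
leaky_build() {
  printf 'built in %s\n' "$1" > "$2"
}

# Same toy builder after the fix: the build only ever sees (and records)
# the canonical name, whatever the real directory is.
fixed_build() {
  printf 'built in %s\n' "/tmp/nix-build-demo" > "$2"
}

# build_rounds N BUILDER: run BUILDER N times in a row; return 0 if all
# outputs are bit-for-bit identical, 1 otherwise (keeping the evidence).
build_rounds() {
  n=$1; builder=$2
  keep=$(mktemp -d "${TMPDIR:-/tmp}/rounds-keep.XXXXXX")
  first_sum=""
  i=1
  while [ "$i" -le "$n" ]; do
    # A fresh build directory per round, as the daemon would create.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/nix-build-demo.XXXXXX")
    "$builder" "$dir" "$dir/out"
    sum=$(cksum < "$dir/out")          # POSIX cksum: "<crc> <size>"
    if [ -z "$first_sum" ]; then
      first_sum=$sum
      cp "$dir/out" "$keep/round1"     # stash the first result
    elif [ "$sum" != "$first_sum" ]; then
      cp "$dir/out" "$keep/round$i"    # keep the differing result too
      echo "round $i differs from round 1 (kept in $keep):" >&2
      diff -u "$keep/round1" "$keep/round$i" >&2 || true
      rm -rf "$dir"
      return 1
    fi
    rm -rf "$dir"
    i=$((i + 1))
  done
  rm -rf "$keep"
  return 0
}

# Stand-alone demo: the leaky recipe fails the check, the fixed one passes.
if [ "${RUN_DEMO:-1}" = 1 ]; then
  if build_rounds 2 leaky_build; then echo "leaky: reproducible"; else echo "leaky: NOT reproducible"; fi
  if build_rounds 2 fixed_build; then echo "fixed: reproducible"; else echo "fixed: NOT reproducible"; fi
fi
```

With the real tool the same check is ‘guix build --rounds=2 PACKAGE’ for a fresh package, or ‘guix build --check PACKAGE’ against an output already in the store; since the daemon does not keep the differing output, the stash-then-rebuild step uses ‘guix archive --export’ on the first result before the second build, as the message says.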
