guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: roadmap item


From: ng0
Subject: Re: roadmap item
Date: Fri, 30 Sep 2016 14:48:30 +0000

John Darrington <address@hidden> writes:

> [ Unknown signature status ]
> On Fri, Sep 30, 2016 at 12:15:28PM +0000, ng0 wrote:
>      Hi,
>      
>      can we add something to the roadmap like this:
>      
>      - guix package --search should displays if the returned packages one
>        asked for are reproducible.
>      
>      Having a distinction between reproducible and not reproducible would
>      enable us (or at least help us) to display the progress towards a fully
>      reproducible system.
>
>
> I don't see how anyone can say that package X is definitely reproducible.
> Just because it built identically twice, doesn't mean that it'll happen
> again the third time - especially if that attempt is on a different 
> machine, day-of-week etc
>
> Perhaps there could be a flag to indicate "this derivation has been 
> demonstrated
> NOT to be reproducible".

That should be more like what I wanted to express with this, the NOT
part. For more read below.

> J'
>
> -- 
> Avoid eavesdropping.  Send strong encrypted email.
> PGP Public key ID: 1024D/2DE827B3 
> fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
> See http://sks-keyservers.net or any PGP keyserver for public key.
>

There's something I have been discussing with other people, and there's
a social component I want to add. It should be trivial at some point to
establish a system based on the social graph
(http://secushare.org/security) where people who build the software can
certify that version Z of package X at point Y in time did build N times
without changing results. Of course that's the future, and there's more
than just an idea, but it's not documented anywhere public so far.

We could of course try to establish something similar already, based on
the results of different hydras already running and building 24/7, on
different hardware, different systems and building different packages
already on different times and days of the week. The progress of
publishing these results should not be entirely automated.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]