Some questions I couldn't resolve from manuals and searches:
I haven't figured out if there is a way to know which packages
are reproducible. I would like to configure my guix to only
fetch binaries that a sufficient number of people agree on to
be deterministic - and for a start it doesn't even have to be
all digital signatures and stuff: would be enough if the
process is known to be deterministic, so the package definition
carries the checksums for the appropriate binary package with
it. I doubt an attacker would dare to mess with that, at least
I just checked git://git.debian.org/git/reproducible/notes.git
but there are only 118 packages saying "deterministic: True".
What happened to the plan of making that database multi-distro?
I also read about the "Reproducible Build Summit" and I am glad
Lunar is still on course.
I also saw https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883
about trustable "guix pull". Is it still the case that the
update of package definitions is happening over unsecured http?
Concerning git consistency, isn't it enough to run git fsck so
that a mitm intervention would sooner or later be detected?
And concluding, do you know if Nix is in any better or worse
condition regarding reproducibility and security of the tool-
chain than Guix? Does nix-pull have the same problem?
Best regards and keep up the good work!
P.S. I'm working with ng0, trying to make a trustworthy system
image for GNUnet/secushare installations. Guix is a top notch
candidate for dissemination. Even if I hate guile and emacs.
E-mail is public! Talk to me in private using encryption: