Hi Simon,

> I will add something over there for tracking reproducibility infos in
> the future.

It would actually be nice to have some external Guix reproducibility surveillance. A few benchmark packages that will be rebuilt regularly, using frozen commits via time-machine, and checked for bit-by-bit identity explicitly, not relying on Guix' hash mechanism. Trust but verify.

My example is perhaps not such a bad start. Building a Docker container containing gcc exercises a lot of code in Guix.

I looked a bit at grafts. The documentation at https://guix.gnu.org/manual/en/html_node/Security-Updates.html isn't very explicit about the reproducibility of grafts. In particular, it doesn't say if a package containing patched binaries retains its original hash, or receives a new unique one. With a unique hash, grafts would just be a tweak in the build system, and no less reproducible than standard builds. It looks like I have to dive into the source code to find out!

Cheers,
  Konrad
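
Added example (not part of the original message and not Guix code): one way to do the explicit bit-by-bit check between two independently produced build outputs without consulting store hashes. The names `tree_manifest`, `compare_builds` and `demo` are illustrative, and it assumes timestamps and ownership are normalised in the store, so only contents, the executable bit and symlink targets are compared.

```python
import hashlib
import os
import stat
import tempfile


def _entry(path):
    """Describe a path by type, contents, executable bit or link target."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ("symlink", os.readlink(path))
    if stat.S_ISDIR(st.st_mode):
        return ("dir", "")
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        exe = "x" if st.st_mode & stat.S_IXUSR else "-"
        return ("file", exe + ":" + digest.hexdigest())
    return ("other", oct(stat.S_IFMT(st.st_mode)))


def tree_manifest(root):
    """Map each relative path under root (a directory or one file) to _entry()."""
    root = os.path.realpath(root)  # resolve a top-level symlink to the output
    manifest = {".": _entry(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = _entry(full)
    return manifest


def compare_builds(root_a, root_b):
    """Return the sorted relative paths that differ between two outputs."""
    a, b = tree_manifest(root_a), tree_manifest(root_b)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def demo():
    """Constructed sample: two fake outputs, one file embeds a build date."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, stamp in (("a", b"2024-01-01"), ("b", b"2024-01-02")):
            os.makedirs(os.path.join(tmp, name, "bin"))
            with open(os.path.join(tmp, name, "bin", "tool"), "wb") as fh:
                fh.write(b"ELF..." + stamp)
        return compare_builds(os.path.join(tmp, "a"), os.path.join(tmp, "b"))
```

An empty list from `compare_builds` means the two outputs are identical in everything compared; a single file such as a container tarball is reported under the path `.`.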