Hi Simon,

> I will add something overthere for tracking reproduciblity infos in
> the future.

It would actually be nice to have some external Guix reproducibility
surveillance. A few benchmark packages that will be rebuilt regularly,
using frozen commits via time-machine, and checked for bit-by-bit
identity explicitly, not relying on Guix' hash mechanism. Trust but
verify.

My example is perhaps not such a bad start. Building a Docker container
containing gcc exercises a lot of code in Guix.

I looked a bit at grafts. The documentation at

  https://guix.gnu.org/manual/en/html_node/Security-Updates.html

isn't very explicit about the reproducibility of grafts. In particular,
it doesn't say if a package containing patched binaries retains its
original hash, or receives a new unique one. With a unique hash, grafts
would just be a tweak in the build system, and no less reproducible than
standard builds. It looks like I have to dive into the source code to
find out!

Cheers,
  Konrad

Reply via email to