Hi Konrad, (add Ludo for advice :-))
On Mon, 4 May 2020 at 15:50, Konrad Hinsen <konrad.hin...@fastmail.net> wrote: > > I will add something overthere for tracking reproduciblity infos in > > the future. > > It would actually be nice to have some external Guix reproducibility > surveillance. A few benchmark packages that will be rebuilt regularly, > using frozen commits via time-machine, and checked for bit-by-bit > identity explicitly, not relying on Guix' hash mechanism. Trust but > verify. > > My example is perhaps not such a bad start. Building a Docker container > containing gcc exercises a lot of code in Guix. Does it make sense to: add the file "tests/guix-reproducibility.sh"? So that reproducibility issues are detected by "make check". Or add another rule in the Makefile? Or test reproducibility outside the Guix tree? All the best, simon > > I looked a bit at grafts. The documentation at > > https://guix.gnu.org/manual/en/html_node/Security-Updates.html > > isn't very explicit about the reproducibility of grafts. In particular, > it doesn't say if a package containing patched binaries retains its > original hash, or receives a new unique one. With a unique hash, grafts > would just be a tweak in the build system, and no less reproducible than > standard builds. It looks like I have to dive into the source code to > find out! > > Cheers, > Konrad