Hi,

Konrad Hinsen <konrad.hin...@fastmail.net> writes:

> I looked a bit at grafts. The documentation at
>
>   https://guix.gnu.org/manual/en/html_node/Security-Updates.html
>
> isn't very explicit about the reproducibility of grafts. In particular,
> it doesn't say if a package containing patched binaries retains its
> original hash, or receives a new unique one. With a unique hash, grafts
> would just be a tweak in the build system, and no less reproducible than
> standard builds. It looks like I have to dive into the source code to
> find out!

Grafts are normal derivations, and they’re deterministic: it’s just
about replacing a set of strings by another set of strings.

On the implementation, see also
<https://guix.gnu.org/blog/2016/timely-delivery-of-security-updates/>.
I’m also preparing a post of the recent (pre-1.1.0) changes in that
area.

Ludo’.
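
The string replacement described in the reply above, as an added Python sketch that is not part of the message and not Guix's own code: it rewrites references in a file tree and shows that the same inputs always give the same output, which differs from the ungrafted tree. The store file names, file contents, `graft`, `tree_hash` and the equal-length requirement are assumptions made for this illustration.

```python
import hashlib

# Constructed sample data: these store file names and file contents are
# made up for illustration; they are not real Guix store items.
OLD = b"/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-libfoo-1.0"
NEW = b"/gnu/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-libfoo-1.1"
ORIGINAL = {
    "bin/app": b"\x7fELF\x00RUNPATH=" + OLD + b"/lib\x00main\x00",
    "lib/pkgconfig/app.pc": b"Libs: -L" + OLD + b"/lib -lfoo\n",
    "share/doc/README": b"No store references here.\n",
}


def graft(files, mapping):
    """Return a copy of `files` (path -> bytes) with each key of `mapping`
    replaced by its value. Equal lengths are required (assumption of this
    sketch) so that offsets inside binary files stay valid."""
    for old, new in mapping.items():
        if len(old) != len(new):
            raise ValueError(f"length mismatch: {old!r} -> {new!r}")
    grafted = {}
    for path, data in files.items():
        for old, new in mapping.items():
            data = data.replace(old, new)
        grafted[path] = data
    return grafted


def tree_hash(files):
    """SHA-256 over paths and contents in sorted order. A stand-in content
    hash for comparing trees, not how Guix computes store file names."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


if __name__ == "__main__":
    first = graft(ORIGINAL, {OLD: NEW})
    second = graft(ORIGINAL, {OLD: NEW})
    print("original:", tree_hash(ORIGINAL))
    print("grafted: ", tree_hash(first))
    print("repeatable:", tree_hash(first) == tree_hash(second))
```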