On Fri, Apr 26, 2013 at 11:14 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:
> Thanks for working on Liberte Linux and helping people to build it from
> source. Even if there are no changes, I find it very important to be
> able to build the final product from source.

I agree completely, that's why I see using Gentoo as something so critical to the project. Without actually building binaries from source, one does not really take advantage of open source. Besides the obvious benefits, you get, e.g., the ability to use a hardened toolchain, apply functionality- or security-extending patches, etc.

> I wonder - have you thought about doing gitian builds? It seems like an
> insanely complicated task for some programs (eg: Firefox) but other
> programs could be straight forward...

I didn't know about Gitian actually, but looking at it right now, it seems that using it for a distribution like Liberté would require at least implementing support for “frozen” builds, i.e., working with specific Gentoo stage3 and portage snapshots instead of the latest ones. I considered this in the past, but didn't find it very useful for development, although it would be useful for people who want to build an image identical to a given release. After asking around, it seemed to me that most people want to have the latest updates as well (in Liberté or in portage packages).

Anyway, in addition to “frozen” builds, you would probably need to disable parallel make completely, and somehow make sure that file timestamps do not creep into binaries. No idea how difficult the latter is, although it's probably not that difficult for Liberté, since there is already a process at hand that prevents, e.g., using hostname and other details during emerge (“uname” substitution), or the current timestamp during kernel build, etc. Some packages (like Perl) insist on creating text configuration files with gathered host information, but those packages are currently not included in Liberté (previously I had to include cleanup for such files in the build process).

So, in summary, deterministic builds are probably possible, but the devil is in the details, especially for a distribution image that contains many packages inside.
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
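The two ways host details creep into artifacts that the reply above names, a build host name and a build timestamp, can be made concrete with a small harness. The script below is an added example written for this thread, not part of Liberté's build scripts or of Gitian: a toy "build" that stamps in `uname -n` and the wall clock, a hardened variant that substitutes a fixed host name and takes its time from `SOURCE_DATE_EPOCH` (the convention several distributions use for frozen build times), a scanner that looks for those details in an artifact, and a check that builds twice and compares SHA-256 digests. All function names, the `BUILD_HOST` variable and the artifact format are this example's own.

```shell
#!/bin/sh
# Added example (not Liberté's or Gitian's code): simulate the host-detail
# leaks discussed in the thread and show how a twice-build check catches them.

# digest FILE -> prints the SHA-256 of FILE (sha256sum, or shasum on BSD/macOS)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# leaky_build OUT: a package step of the kind the reply warns about; it
# embeds the build host's name and the wall-clock build time in its output.
leaky_build() {
    {
        printf 'built-on: %s\n' "$(uname -n)"
        printf 'built-at: %s\n' "$(date +%s)"
        printf 'payload: hello\n'
    } > "$1"
}

# reproducible_build OUT: the same artifact, but host identity is substituted
# with a fixed value (the "uname substitution" idea) and the timestamp comes
# from SOURCE_DATE_EPOCH; BUILD_HOST is this example's own variable.
reproducible_build() {
    {
        printf 'built-on: %s\n' "${BUILD_HOST:-buildhost}"
        printf 'built-at: %s\n' "${SOURCE_DATE_EPOCH:-0}"
        printf 'payload: hello\n'
    } > "$1"
}

# find_leaks FILE: report host details that crept into an artifact.
# Prints each leak found; returns 0 when the artifact is clean, 1 otherwise.
find_leaks() {
    leaks=0
    # the real build host's name, matched literally as a whole word
    if grep -Fqw -- "$(uname -n)" "$1"; then
        echo "leak: build host name in $1"
        leaks=1
    fi
    # a 10-digit number starting with 1 is a plausible current epoch timestamp
    if grep -Eq '(^|[^0-9])1[0-9]{9}([^0-9]|$)' "$1"; then
        echo "leak: epoch-like timestamp in $1"
        leaks=1
    fi
    return $leaks
}

# check_reproducible BUILD_FN: run a build twice, a second apart, and compare
# digests. A wall-clock stamp shows up as a mismatch; returns 0 if identical.
check_reproducible() {
    dir=$(mktemp -d)
    "$1" "$dir/first"
    sleep 1
    "$1" "$dir/second"
    a=$(digest "$dir/first")
    b=$(digest "$dir/second")
    rm -rf "$dir"
    [ "$a" = "$b" ]
}

# Stand-alone demo: scan one artifact of each kind, then run the twice-build check.
demo_dir=$(mktemp -d)
leaky_build "$demo_dir/leaky.txt"
reproducible_build "$demo_dir/repro.txt"
for f in "$demo_dir/leaky.txt" "$demo_dir/repro.txt"; do
    find_leaks "$f" && echo "clean: $f"
done
rm -rf "$demo_dir"
check_reproducible leaky_build && echo "leaky_build: reproducible" || echo "leaky_build: NOT reproducible"
check_reproducible reproducible_build && echo "reproducible_build: reproducible" || echo "reproducible_build: NOT reproducible"
```

In a real distribution build the same two steps apply at scale: scan every file in the image for the build host's identity and for timestamps (packages such as Perl that write host information into configuration files are exactly what the scanner would flag), and rebuild from the same frozen inputs on a second machine to confirm the digests match.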