On 01/22/2015 10:43 PM, Raahul Kumar wrote:
> bit-identical builds. How far are we from that point? Is it the
> timestamps that most build tools add to their build that prevents it?
> What's the blocker?

We still don't even have fully reproducible stdenv, not even with all of https://github.com/NixOS/nixpkgs/pull/2281 . I have some further WIP on perl, but it ate many days of my time and still isn't fully deterministic. Timestamps are relatively easy to detect, as they always differ, but other things are more difficult: uname, build user name, etc.

I think in most cases it just needs some work on *each* package to track it down, although you don't know if it's difficult until you try. Some impurity sources are already blocked generally in all builds. AFAIK only Haskell needs nontrivial changes upstream https://ghc.haskell.org/trac/ghc/ticket/4012 , but there might be more such problems hidden.

(I even read about security research that introduces non-determinism into compiler output in a way that's supposed to make common exploits unusable on multiple outputs of the same compilation, so you supposedly wouldn't be able to attack many systems at once.)


Vladimir


_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
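
The point in the message above about timestamps being easy to spot while uname and the build user name are harder can be shown with a small check. This is an added example, not code from the thread or from nixpkgs: it diffs two builds of the same artifact and separately searches for build-environment values that sit in byte-identical regions, which a rebuild on the same host never exposes. The artifact bytes and the user, host and kernel values are constructed for illustration.

```python
import re

def diff_regions(a: bytes, b: bytes, gap: int = 8):
    """Byte ranges (start, end) where two builds differ; nearby ranges are merged."""
    n = min(len(a), len(b))
    regions = []
    for i in range(n):
        if a[i] != b[i]:
            if regions and i - regions[-1][1] <= gap:
                regions[-1][1] = i + 1
            else:
                regions.append([i, i + 1])
    if len(a) != len(b):  # a length change is itself a difference
        regions.append([n, max(len(a), len(b))])
    return [tuple(r) for r in regions]

def embedded_env(artifact: bytes, env: dict):
    """Offsets at which build-environment values appear inside the artifact."""
    hits = {}
    for name, value in env.items():
        offsets = [m.start() for m in re.finditer(re.escape(value.encode()), artifact)]
        if offsets:
            hits[name] = offsets
    return hits

def audit(a: bytes, b: bytes, env: dict):
    """Return (differing regions, env values embedded outside any differing region)."""
    regions = diff_regions(a, b)
    hits = embedded_env(a, env)
    silent = {k: v for k, v in hits.items()
              if not any(s <= o < e for o in v for s, e in regions)}
    return regions, silent

# Constructed sample: the same "binary" built twice on one host, minutes apart.
def fake_build(stamp: str) -> bytes:
    return (b"\x7fELF\x00built " + stamp.encode() +
            b" by nixbld1@builder-01 on Linux 3.14.29\x00code")

BUILD_A = fake_build("2015-01-22T22:43:01")
BUILD_B = fake_build("2015-01-22T22:51:47")
ENV = {"user": "nixbld1", "host": "builder-01", "kernel": "3.14.29"}  # assumed values

if __name__ == "__main__":
    regions, silent = audit(BUILD_A, BUILD_B, ENV)
    print("differs between builds:", regions)
    print("embedded but identical in both builds:", silent)
```

Only the timestamp shows up in the diff; the user, host and kernel strings are found only because the check looks for them by value, so catching them by diffing alone requires rebuilding under a different user, hostname and kernel.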
