And because the hash does not represent the content, but the intended
content, it is very important for the build to be reproducible.
This means that the build must be deterministic, and stripped of
information such as the host name, time of build and such.
Sadly, many parallel builds are not deterministic, and parallelism must
be disabled to achieve reproducible builds.
If the builds are not reproducible, then there is no way you can confirm
that the binary substitute is correct, and you must blindly trust the
binary cache and the hydra builds.
For more details, see https://reproducible-builds.org/.
Guillaume, aka Layus.
On 13/10/16 at 16:35, Peter Simons wrote:
> Hi Zimbatm,
> > I think there is a misunderstanding, the hash of the package
> > derivation depends on the build output.
> the $out hash for a given package is computed over the build command
> that generates that store path. Build inputs required for the process
> play into that hash because the build script is going to mention their
> store paths somewhere (i.e. when setting up $PATH, etc.), but the
> *contents* of any of those store paths don't affect the hash.
> Unless, of course, when we're talking about fixed output derivations
> like 'fetchurl', but these are somewhat special and suitable mostly for
> downloading source code, not so much for building things.
> Best regards,
> nix-dev mailing list
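The distinction discussed in this thread, as an added example that is not part of the original messages or of Nix itself: a simplified Python model in which a store path is a hash of the build recipe (this is not Nix's real derivation hashing), showing why a binary substitute can only be checked against a local rebuild when the build is deterministic. All function names, the sample recipe, host names and timestamps are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def input_addressed_path(name, builder, args, env, input_paths):
    """Toy model: the path is a hash of the build recipe, never of the output."""
    recipe = json.dumps(
        {"name": name, "builder": builder, "args": args,
         "env": env, "inputs": sorted(input_paths)},
        sort_keys=True,
    ).encode()
    return f"/nix/store/{sha256_hex(recipe)[:32]}-{name}"

def fixed_output_path(name, declared_content_hash):
    """Toy model of a fixed-output derivation such as fetchurl."""
    digest = sha256_hex(f"fixed:{declared_content_hash}:{name}".encode())
    return f"/nix/store/{digest[:32]}-{name}"

def build(source: bytes, hostname: str, timestamp: int, deterministic: bool) -> bytes:
    """Constructed stand-in for a build: optionally leaks host name and build time."""
    if deterministic:
        return b"BIN:" + source
    return b"BIN:" + source + f"|{hostname}|{timestamp}".encode()

def substitute_matches_rebuild(substitute: bytes, local_rebuild: bytes) -> bool:
    """Check a binary-cache substitute against an independent local rebuild."""
    return sha256_hex(substitute) == sha256_hex(local_rebuild)

# Constructed sample recipe; all names and values below are illustrative.
GCC = input_addressed_path("gcc", "/bin/sh", ["-c", "build gcc"], {}, [])
HELLO = input_addressed_path("hello", "/bin/sh", ["-c", "make install"],
                             {"PATH": f"{GCC}/bin"}, [GCC])

if __name__ == "__main__":
    src = b"int main(void){return 0;}"
    # Same recipe, same store path, but the leaked host name and time differ.
    cache = build(src, "hydra-worker", 1476369300, deterministic=False)
    local = build(src, "laptop", 1476372900, deterministic=False)
    print(HELLO, "substitute verified:", substitute_matches_rebuild(cache, local))
    # With a deterministic build the independent rebuild confirms the substitute.
    cache = build(src, "hydra-worker", 1476369300, deterministic=True)
    local = build(src, "laptop", 1476372900, deterministic=True)
    print(HELLO, "substitute verified:", substitute_matches_rebuild(cache, local))
```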