Re: [Nix-dev] nix.buildCores and determinism

2016-10-14 Thread Guillaume Maudoux (Layus) 
And because the hash does not represent the content, but the intended
content, it is very important for the build to be reproducible.
This means that the build must be deterministic, and stripped from
information such as the host name, time of build and such.

Sadly, many parallel builds are not deterministic, and parallelism must
be disabled to achieve reproducible builds.
If the builds are not reproducible, then there is no way you can confirm
that the binary substitute is correct, and you must blindly trust the
binary cache and the hydra builds.

For more details, see https://reproducible-builds.org/.

Regards,
Guillaume, aka Layus.


Le 13/10/16 à 16:35, Peter Simons a écrit :
> Hi Zimbatm,
>
>  > I think there is a misunderstanding, the hash of the package
>  > derivation depends on the build output.
>
> the $out hash for a given package is computed over the build command
> that generates that store path. Build inputs required for the process
> play into that hash because the build script is going to mention their
> store paths somewhere (i.e. when setting up $PATH, etc.), but the
> *contents* of any of those store paths don't affect the hash.
>
> Unless, of course, when we're talking about fixed output derivations
> like 'fetchurl', but these are somewhat special and suitable mostly for
> downloading source code, not so much for building things.
>
> Best regards,
> Peter
>
> ___
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] nix.buildCores and determinism

2016-10-13 Thread Peter Simons 
Hi Zimbatm,

 > I think there is a misunderstanding, the hash of the package
 > derivation depends on the build output.

the $out hash for a given package is computed over the build command
that generates that store path. Build inputs required for the process
play into that hash because the build script is going to mention their
store paths somewhere (i.e. when setting up $PATH, etc.), but the
*contents* of any of those store paths don't affect the hash.

Unless, of course, when we're talking about fixed output derivations
like 'fetchurl', but these are somewhat special and suitable mostly for
downloading source code, not so much for building things.

Best regards,
Peter

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] nix.buildCores and determinism

2016-10-13 Thread zimbatm 
I think there is a misunderstanding, the hash of the package derivation
depends on the build output. We assume it's always the same which allow us
to look it up based on the input hash but it's not always true. For example
if the build adds the current time to the build output it will not always
be the same.

On Tue, 11 Oct 2016, 02:48 Domen Kožar,  wrote:

> You're running the build system in parallel. For example Makefiles, they
> are not pure and thus builds can fail due to race conditions.
> We have quite a few disabled for that reason and also that's why you have
> to explicitly enable parallel building.
>
> On Tue, Oct 11, 2016 at 1:56 AM, Ruben Astudillo 
> wrote:
>
> On reading `nixos-option nix.buildCores`, it says that this option can
> affect the determinism of the build. I don't understand how is important
> as the hash of the package depends on the default.nix file, not the
> build process. What does it mean to be non-deterministic in this case?
>
> -- Ruben Astudillo
> ___
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
> ___
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

Re: [Nix-dev] nix.buildCores and determinism

2016-10-10 Thread Domen Kožar 
You're running the build system in parallel. For example Makefiles, they
are not pure and thus builds can fail due to race conditions.
We have quite a few disabled for that reason and also that's why you have
to explicitly enable parallel building.

On Tue, Oct 11, 2016 at 1:56 AM, Ruben Astudillo 
wrote:

> On reading `nixos-option nix.buildCores`, it says that this option can
> affect the determinism of the build. I don't understand how is important
> as the hash of the package depends on the default.nix file, not the
> build process. What does it mean to be non-deterministic in this case?
>
> -- Ruben Astudillo
> ___
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-dev] nix.buildCores and determinism

2016-10-10 Thread Ruben Astudillo 

On reading `nixos-option nix.buildCores`, it says that this option can
affect the determinism of the build. I don't understand how is important
as the hash of the package depends on the default.nix file, not the
build process. What does it mean to be non-deterministic in this case?

-- Ruben Astudillo
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev