How to talk to skeptics?
John Neffenger
john at status6.com
Wed Dec 14 22:22:22 UTC 2022
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote:
> He also once pointed me to
> https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html
I also wonder how all this verification is going to work.
For example, I'll soon be providing reproducible builds of OpenJDK. How
will I recruit volunteers to verify my builds? Is it enough just for me
to verify them on a separate build machine and network? Should I instead
be matching Oracle's builds of OpenJDK? To do so, I would have to set
the "java.vendor" of my build to "Oracle Corporation", but that doesn't
seem right.
Lots of questions! :-)
> In the end, it would be useful to collect some well-worded /
> well-thought counter-arguments on r-b.o (if we don't have that already)
The link below is my latest attempt at persuasion:
Discussion: Reproducible builds
https://mail.openjdk.org/pipermail/openjfx-dev/2022-December/037412.html
I'd like to think that my arguments worked, now that my two-year-old
pull request is tentatively planned for the next release. In reality,
though, I find that most of the resistance to reproducible builds is not
technical, but rather due to time constraints and business plans.
It takes a lot of time to test reproducible builds. When I update my
pull request, I have to run about 30 builds covering three operating
systems and six hardware platforms, and reviewers have to do something
similar. That's a lot to ask of an active project with many competing
pull requests.
In the extreme, I see reproducible builds as the final step in the
commoditization of open-source software. When every package of a project
is bit-for-bit identical to every other, it doesn't matter where you get
it. That makes it more difficult for any particular vendor to sell the
"trust" in its brand.
John