Making reproducible builds & GitBOM work together in spite of low-level component variation

Andreas Enge andreas at enge.fr
Wed Jun 22 19:34:19 UTC 2022


Hello,

On Wed, Jun 22, 2022 at 11:43:49AM -0700, Vagrant Cascadian wrote:
> Presuming I am understanding GitBOM correctly, I would consider the
> GitBOM metadata about the build, and not the build artifact itself.

is the problem not solved by Guix? I wonder if GitBOM makes a good decision
by hashing outputs and propagating the hashes to the next stage when these
outputs become inputs.

Guix/Nix on the other hand only hashes the abstract description of the inputs;
then from a reproducibility perspective, this should lead to identical
outputs, and if it does not, there is a problem. Non-reproducibility of
intermediate steps will not be caught if the end result is the same;
at the same time, normally intermediate steps will also be checked for
reproducibility as they also correspond to software packages (libraries
and so on).

In other words, Guix seems to follow more or less the approach suggested
by Vagrant.

Andreas
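The contrast drawn in the message above, between identifying an artifact by the abstract description of its inputs (the Guix/Nix approach) and identifying it by the hash of its output bytes propagated into the next stage (the GitBOM approach), can be made concrete with a small model. The following Python is an added example written for this page, not code from the thread, from Guix/Nix or from the GitBOM project; it uses neither the real Nix derivation format nor the real GitBOM document format, only the hashing idea behind each. The two-step build (a library that embeds a build timestamp, and an application that depends only on the library's interface) is constructed so that the intermediate step is non-reproducible while the end result is byte-identical, which is exactly the case the message says an input-hash scheme will not catch on its own.

```python
"""Toy model of two ways to identify build artifacts.

Constructed example: the recipe strings, the fake library/app layout and the
GitBOM-style manifest line are assumptions, not any project's real format.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- a two-step build with a deliberately non-reproducible intermediate ---

SOURCE = b"int add(int a, int b) { return a + b; }"  # constructed source


def build_lib(timestamp: str) -> bytes:
    """Intermediate step: the library embeds its build time, so two builds differ."""
    return b"LIB|" + sha256(SOURCE).encode() + b"|built=" + timestamp.encode()


def build_app(lib: bytes) -> bytes:
    """Final step: the app depends only on the library's interface field,
    so its bytes are identical even though the library bytes are not."""
    interface = lib.split(b"|")[1]
    return b"APP|" + interface


def build_pipeline(timestamp: str) -> dict:
    lib = build_lib(timestamp)
    return {"lib": lib, "app": build_app(lib)}


# --- Guix/Nix-style: identity = hash of the abstract input description ---

def input_hash_ids(_outputs: dict) -> dict:
    """Keys derive from the source hash and recipe only; output bytes never
    enter the key, so they are the same for every run of the same recipe."""
    lib_key = sha256(b"lib-recipe|" + sha256(SOURCE).encode())
    app_key = sha256(b"app-recipe|" + lib_key.encode())
    return {"lib": lib_key, "app": app_key}


# --- GitBOM-style: identity = hash of the output, propagated downstream ---

def output_hash_ids(outputs: dict) -> dict:
    """The app's identity covers its own bytes plus the ids of its input
    artifacts, so a changed library changes the app's id as well."""
    lib_id = sha256(outputs["lib"])
    app_id = sha256(outputs["app"] + b"\ninputs:" + lib_id.encode())
    return {"lib": lib_id, "app": app_id}


def compare(scheme, run_a: dict, run_b: dict) -> dict:
    """Which artifact identities agree between two runs under a given scheme."""
    ids_a, ids_b = scheme(run_a), scheme(run_b)
    return {name: ids_a[name] == ids_b[name] for name in ids_a}


def reproducibility_report(run_a: dict, run_b: dict) -> dict:
    """Byte-for-byte comparison of each output: the separate check that the
    input-hash approach relies on to notice a non-reproducible step."""
    return {name: run_a[name] == run_b[name] for name in run_a}


if __name__ == "__main__":
    first = build_pipeline("2022-06-22T19:34Z")
    second = build_pipeline("2022-06-23T08:00Z")
    print("bytes identical:      ", reproducibility_report(first, second))
    print("input-hash ids agree: ", compare(input_hash_ids, first, second))
    print("output-hash ids agree:", compare(output_hash_ids, first, second))
```

Running it shows the three views side by side: the byte comparison flags only the library, the input-hash identities agree for both artifacts regardless of what was produced, and the output-hash identities disagree for both, because the library's changed hash is carried into the application's identity. Which behaviour is preferable is the design question the message raises; the model only makes the difference observable.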

