Arch Linux minimal container userland 100% reproducible - now what?
David A. Wheeler
dwheeler at dwheeler.com
Thu Apr 4 16:14:12 UTC 2024
> On Apr 2, 2024, at 1:11 PM, John Gilmore <gnu at toad.com> wrote:
>
> For me, the distinction is that the local storage is under the direct
> control of the person trying to rebuild, while the network and the
> servers elsewhere in the network are not. If local storage is
> unreliable, you can fix or replace it, and continue with your work.

There are obviously many advantages to local storage.
However, if you locally record cryptographic hashes, and re-download the
bits for (say) a compiler, you could still reproduce the results
*if* the information is still available where you're downloading it from
(or can find an alternative source). The key is that "if" condition.

The risk of not having local copies is the risk of loss of availability.
However, many sites are fairly reliable. I'd hate to tell someone they
can't verify reproducible builds just because they don't (currently)
have a local copy of everything. Indeed, you want multiple verifications
of reproducible builds, and they'll have to get their data from somewhere.

It's sometimes much easier to send the source including build instructions,
information on how to download the rest, and the cryptographic hashes for
what is not bundled.

--- David A. Wheeler
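
The approach described in the message above (record hashes locally, re-download the bits, fall back to an alternative source), sketched as an added example that is not part of the original post. `fetch_pinned`, `Unavailable` and the file names are hypothetical, and the sources are constructed local `file://` URLs so the example runs offline.

```python
import hashlib
import pathlib
import tempfile
import urllib.request


class Unavailable(Exception):
    """No listed source yielded bytes matching the recorded hash."""


def fetch_pinned(sources, expected_sha256, opener=urllib.request.urlopen):
    """Try each source in order; accept only bytes whose SHA-256 matches.

    Returns (data, source_used, rejected). rejected lists the sources that
    were skipped and why, so an availability failure is reported separately
    from a content mismatch.
    """
    rejected = []
    for url in sources:
        try:
            with opener(url) as resp:
                data = resp.read()
        except OSError:  # urllib.error.URLError subclasses OSError
            rejected.append((url, "unavailable"))
            continue
        if hashlib.sha256(data).hexdigest() != expected_sha256:
            rejected.append((url, "hash mismatch"))
            continue
        return data, url, rejected
    raise Unavailable(rejected)


def demo():
    """Constructed scenario: one source gone, one altered, one intact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        original = b"constructed stand-in for a compiler tarball\n"
        recorded = hashlib.sha256(original).hexdigest()  # the locally kept hash
        (root / "altered.tar").write_bytes(original + b"extra")
        (root / "intact.tar").write_bytes(original)
        sources = [(root / name).as_uri()
                   for name in ("gone.tar", "altered.tar", "intact.tar")]
        data, used, rejected = fetch_pinned(sources, recorded)
        reasons = [why for _, why in rejected]
        try:
            fetch_pinned(sources[:2], recorded)  # no intact source listed
            all_failed = False
        except Unavailable:
            all_failed = True
        return data == original, used.endswith("intact.tar"), reasons, all_failed
```

With only the recorded hash kept locally, a missing or altered source costs availability, not integrity: the fetch either returns the exact recorded bytes or fails.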