Why is not everything reproducible yet?

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu Feb 15 04:55:50 UTC 2024

On 14/02/2024 16.19, Santiago Torres-Arias wrote:
> 1. can we study the conflicting interestes (i.e., above) that stop
> 	reproducibility from happening.

Yes, that should be possible. The above summarized my experience from 
the 1000 patches and bug-reports I did and the interactions with various 
The links are public and recorded in the monthly reports
and earlier weekly posts

I can probably provide more input for such a study.

> 2. Are misunderstandings about reproducibility getting in the way from
> 	pushing to it (e.g., the notion that docker containers are
> 	inherrently reproducible). Is the perfect the enemy of the good?
> 	what notions of reproducibility exist and how can we build a
> 	roadmap from the weak to the strong?

There are some.
One is the confusion with what we started to call "repeatable builds" = 
the ability to be able to do a second build with the same explicit 
inputs. SBOMs help with repeatable builds, but if they become embedded 
in the build output, they can even hinder some side-benefits of 
reproducible builds, because every minor change in inputs now causes a 
change in output.

The other thing was
that gained some anti-r-b mindshare, even though it neglegted several 
important aspects. E.g. it mentions the risk of stealing source-code 
which obviously does not apply to FLOSS.

> 3. What other uses of r-b exist beyond the malicious toolchain example?
> 	can we use them as leverage to increase interest in the space?

On a past r-b summit we collected
e.g. in openSUSE we always pushed for some level of binary equivalence 
to do build-tree-pruning in our open-build-service to save build power, 
shorten rebuild time and save bandwidth for mirrors and users that do 
not need to update unchanged packages.
We also publish updates as delta-rpm-packages that probably were more 
compact with fewer random variations.

The page also lists the QA aspect. I did find a dozen corruption bugs 
that went unnoticed for years.

e.g. https://gitlab.gnome.org/GNOME/libxslt/-/issues/37 had this 
memorable quote from upstream:
> This was caused by an interesting bug in libxml2's streaming XPath engine. I'm still puzzled why it took so long to discover this issue. 

So for your study, you could find this link in _reports/2020-04.md

another corruption bug in
_reports/2023-10.md:    * 

One benefit not listed is that with r-b it is possible to say "version 
1.2.3 has hash abcdef" and you can provide a signature of the file, 
without uploading the file itself. With content-addressable storage such 
as IPFS, you can then also link to such an artifact and anyone else can 
provide the correct file.

e.g. in
if we had reproducible ISOs, I could build and sign them in a 
low-bandwidth place but build+upload from another.

Bernhard M.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20240215/0909234b/attachment.sig>

More information about the rb-general mailing list