Arch Linux minimal container userland 100% reproducible - now what?
James Addison
jay at jp-hosting.net
Sun Mar 31 21:19:20 UTC 2024
Hi John,
On Fri, 29 Mar 2024 at 19:29, John Gilmore <gnu at toad.com> wrote:
>
> kpcyrd <kpcyrd at archlinux.org> wrote:
> > 1) There's currently no way to tell if a package can be built offline
> > (without trying yourself).
>
> Packages that can't be built offline are not reproducible, by
> definition. They depend on outside events and circumstances
> in order for a third party to reproduce them successfully.
>
> So, fixing that in each package would be a prerequisite to making a
> reproducible Arch distro (in my opinion).
This perspective is valuable because it is certainly true that unreliable
or unexpected responses from a network adapter could cause software builds to
fail, be delayed, or contain errors.
However I fail to see why any of those circumstances would not be
equally possible
in the case of equivalent responses from physically or locally attached I/O
devices.
A storage device could be considered a node on a local network that no other
host is able to communicate with directly; and to my knowledge it's rarely the
case that traffic to-and-from local storage devices is inspected for integrity
by hardware/software outside of the device that it is connected to (which
isn't necessarily the place that it makes sense to run those checks).
My guess is that we could get into near-unsolvable philosophical territory
along this path, but I think it's worth being skeptical of the notions that
local-storage is always trustworthy and that the network should always be
avoided.
Regards,
James
More information about the rb-general
mailing list