Does Functional Package Management Enable Reproducible Builds at Scale? Yes.

Ludovic Courtès ludovic.courtes at inria.fr
Tue Feb 4 18:08:58 UTC 2025


Hi Julien,

Julien Malka <julien.malka at telecom-paris.fr> wrote:

> « Does Functional Package Management Enable Reproducible Builds at Scale? Yes. » [1]
>
> The article explores the proportion of bitwise reproducible packages in the Nix package repository and its evolution between 2017 and 2023.

Thanks for sharing this insightful piece of work!

Regarding historical data, fellow hacker Christopher Baines has been
developing and running the Guix Data Service, which collects all sorts
of data for each Guix commit (actually each commit that was pushed;
there are holes in between pushes), in particular build information from
the two project build farms, which are independent.

It can thus provide reproducibility info for each commit, for each
package that was successfully built on both build farms (the page below
loads quite slowly):

  https://data.guix.gnu.org/revision/20dbf225f332ccc707578263ed710dcf2a8fb78e/package-reproducibility

On this instance we see 5% of non-reproducible packages on x86_64-linux.

Regarding RQ0 (which packages can still be built), it would be
interesting to somehow weigh unbuildable packages by their number of
dependents.  For example, failing to build OpenSSL would in practice
mean (for example, if/when cache.nixos.org is pruned) that thousands of
packages become unavailable.  We worked a bit on countermeasures:

  https://guix.gnu.org/en/blog/2024/adventures-on-the-quest-for-long-term-reproducible-deployment/

I have yet to digest the entire paper; every plot provides new insight
into all this.  Thank you!

Ludo’.

