[Nix-dev] Deterministic(bit-perfect) Builds
phreedom at yandex.ru
Tue Jun 25 10:45:01 CEST 2013
Hi Nixers,
This is what I have achieved so far:
Regular c(++) libs/apps mostly had impurities due to timestamps in static
libraries and man pages. Both have been largely eliminated if you override
stdenv = deterministicStdenv for the specific package. Tested with ncurses and
geoip.
Python packages had troubles with timestamps inside pyc files. I have patched
python to put zero timestamps instead if DETERMINISTIC_BUILD env var is set. I
have patched 2 pieces of code either of which can be used to compile pyc files.
Tested with argparse. I think I saw a package which has nevertheless managed
to inject the timestamps, so maybe there's a 3rd way of compiling which also
needs patching.
Ruby gems had these impurities:
* documentation generators (rdoc and ri) left something like a log or cache
file with timestamps, the files are now deleted.
* the default documentation template contained an item for generation
datetime which was removed.
* building a gem with native bindings generated a log which is wiped if the
build succeeds.
Probably should rework this to provide vanilla ruby functionality unless
DETERMINISTIC_BUILD is set and maybe unset this var if NIX_DEBUG is set?
Perl doesn't seem to have any systematic source of impurities.
Ocaml seems to only have troubles due to timestamps in static libs so
deterministicStdenv should solve it.
Haskell is hopeless: http://hackage.haskell.org/trac/ghc/ticket/4012
Although it's quite possible that we can still figure out the source of ghc
entropy and deal with it.
Unstripped binaries: may be contaminated by "build-id". Can be avoided either
by passing ld --build-id=none param or careful stripping. Needs testing.
Luckily this is a very small subset of packages.
Next steps:
* actually rebuild the whole system using deterministicStdenv
* try to make nixos system tarball or minimal iso bit-perfect.
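As an added illustration of the first impurity listed above (not code from the post or from Nixpkgs): a small parser for the classic `ar` static-library format that reports each member's mtime field, flags archives that carry real timestamps, and normalises them to zero so two otherwise identical builds can be compared bit for bit. The archive bytes are constructed inline; member names, sizes and timestamps are made up.

```python
"""Check a static library ('ar' archive) for per-member timestamps and
normalise them, the way a deterministic build would. Constructed example."""

AR_MAGIC = b"!<arch>\n"
HEADER_SIZE = 60  # every member header is exactly 60 bytes


def build_ar(members):
    """Build a minimal GNU-style ar archive from [(name, mtime, data), ...].
    Constructed input only; real archives come from `ar rcs`."""
    out = bytearray(AR_MAGIC)
    for name, mtime, data in members:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
        hdr = f"{name:<16}{mtime:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
        assert len(hdr) == HEADER_SIZE
        out += hdr + data
        if len(data) % 2:  # members are padded to 2-byte boundaries
            out += b"\n"
    return bytes(out)


def ar_member_mtimes(blob):
    """Return {member_name: mtime} for every member in the archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, mtimes = len(AR_MAGIC), {}
    while pos + HEADER_SIZE <= len(blob):
        hdr = blob[pos:pos + HEADER_SIZE]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[0:16].decode().rstrip(" /")  # GNU ar terminates names with '/'
        mtime = int(hdr[16:28].decode().strip())
        size = int(hdr[48:58].decode().strip())
        mtimes[name] = mtime
        pos += HEADER_SIZE + size + (size % 2)
    return mtimes


def has_timestamp_impurity(blob):
    """True if any member carries a non-zero mtime, i.e. the build time leaked in."""
    return any(t != 0 for t in ar_member_mtimes(blob).values())


def zero_ar_mtimes(blob):
    """Return a copy with every member mtime set to 0 (what a deterministic
    `ar` does); layout and contents are otherwise untouched."""
    out = bytearray(blob)
    pos = len(AR_MAGIC)
    while pos + HEADER_SIZE <= len(out):
        size = int(out[pos + 48:pos + 58].decode().strip())
        out[pos + 16:pos + 28] = b"0".ljust(12)
        pos += HEADER_SIZE + size + (size % 2)
    return bytes(out)
```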