[Nix-dev] Deterministic(bit-perfect) Builds
phreedom at yandex.ru
Tue Jun 25 14:40:35 CEST 2013
In the message of Tuesday, 25 June 2013 14:28:14, user Vladimír Čunát wrote:
> On 06/25/2013 02:24 PM, phreedom at yandex.ru wrote:
> > Nothing of what is currently enabled causes
> > nondeterminism, or at
>
> Great. There's no need to sanitize nondet. sources that aren't used
> (e.g. there's gethostid).
>
> But the time is everywhere... many apps just "must" know how/where/when
> they were built (e.g. see uname -v).
In fact, sanitization is a very useful thing if you want to reliably cache
builds. If you intercept all syscalls, you can have a total list of build
inputs (not only files). Basically, the build system has no other option but to
produce the same output (and thus it can be safely cached), unless it performs
a benchmarking attack to get some entropy. The most popular such attack is
parallel builds :)
It's quite possible that there's a useful combination of letting some syscalls
pass (like reading files from the nixos store), sanitizing others and patching the
build system to not touch weird stuff. Useful for caching most of the CPU-intensive
stuff, that is.
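The argument above (intercept every input the build can observe, and the recorded list becomes a complete cache key; pin the nondeterministic ones and the output must reproduce) as an added, self-contained Python model. This is example code written for this thread, not Nix code or anything from the original post; the `InputTrace` sandbox, the toy `build` function and the in-memory source tree are all constructed for illustration, and the only real convention borrowed is the `SOURCE_DATE_EPOCH` variable used by reproducible-builds tooling to pin build timestamps.

```python
"""Model of 'trace every input, sanitize the nondeterministic ones, cache by
the recorded inputs'. Example code for the thread, not Nix itself: the
tracer API and the toy build below are constructed for illustration."""
import hashlib
import json
import socket
import time
from typing import Dict, List, Tuple

# Constructed in-memory source tree standing in for files read from the store.
SOURCES: Dict[str, bytes] = {
    "/nix/store/EXAMPLE-hello/main.c": b"int main(void){return 0;}\n",
    "/nix/store/EXAMPLE-hello/util.c": b"int helper(void){return 1;}\n",
}


class InputTrace:
    """Mediates every input the build may observe and records each one,
    playing the role of the syscall interceptor from the post."""

    def __init__(self, files, env, clock, hostid):
        self._files, self._env = files, env
        self._clock, self._hostid = clock, hostid
        self.records: List[Tuple[str, str, str]] = []

    def _rec(self, kind, name, value):
        self.records.append((kind, name, value))
        return value

    def read_file(self, path: str) -> bytes:
        data = self._files[path]
        self._rec("file", path, hashlib.sha256(data).hexdigest())
        return data

    def getenv(self, name: str) -> str:
        return self._rec("env", name, self._env.get(name, ""))

    def time(self) -> str:
        return self._rec("time", "clock", str(self._clock()))

    def hostid(self) -> str:
        return self._rec("hostid", "gethostid", str(self._hostid()))


def cache_key(trace: InputTrace) -> str:
    """Hash of the complete, order-independent input record."""
    canon = json.dumps(sorted(trace.records)).encode()
    return hashlib.sha256(canon).hexdigest()


def build(trace: InputTrace) -> bytes:
    """Toy 'compiler' that stamps its output with host and build time, the
    way many real build systems insist on doing (cf. uname -v)."""
    objects = [hashlib.sha256(trace.read_file(p)).hexdigest()[:16]
               for p in sorted(SOURCES)]
    banner = (f"built on {trace.hostid()} at {trace.time()} "
              f"CFLAGS={trace.getenv('CFLAGS')}")
    return "\n".join(objects + [banner]).encode()


def raw_trace(env, clock=time.time, hostid=socket.gethostname) -> InputTrace:
    """Let the real clock and host name through: output varies per run."""
    return InputTrace(SOURCES, env, clock, hostid)


def sanitized_trace(env) -> InputTrace:
    """The sanitizing step: pin clock and host id to constants, taking the
    timestamp from SOURCE_DATE_EPOCH (0 if unset)."""
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    return InputTrace(SOURCES, env, clock=lambda: epoch, hostid=lambda: "0")


def run_twice(make_trace) -> Dict[str, bool]:
    """Build twice and report whether the cache key and the output agree.
    Equal keys with unequal outputs would mean the build observed something
    the tracer did not intercept (e.g. scheduling order of parallel jobs)."""
    results = []
    for _ in range(2):
        t = make_trace()
        out = build(t)
        results.append((cache_key(t), hashlib.sha256(out).hexdigest()))
    (k1, o1), (k2, o2) = results
    return {"same_inputs": k1 == k2, "same_output": o1 == o2}


if __name__ == "__main__":
    print("raw:      ", run_twice(lambda: raw_trace({})))
    print("sanitized:", run_twice(
        lambda: sanitized_trace({"SOURCE_DATE_EPOCH": "1372164035"})))
```

The interesting case for a cache is the one `run_twice` flags as `same_inputs` true but `same_output` false: every intercepted input matched, yet the result differs, which is exactly the "benchmarking attack" in the post (job completion order in a parallel build leaking in through something the tracer does not see).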