[Nix-dev] Funding Hydra Development
Vladimír Čunát
vcunat at gmail.com
Fri Jan 23 09:41:30 CET 2015
On 01/22/2015 10:43 PM, Raahul Kumar wrote:
> bit-identical builds. How far are we from that point? Is it the
> timestamps that most build tools add to their build that prevents it?
> What's the blocker?

We still don't even have fully reproducible stdenv, not even with all of
https://github.com/NixOS/nixpkgs/pull/2281 . I have some further WIP on
perl, but it ate many days of my time and still isn't fully
deterministic. Timestamps are relatively easy to detect, as they always
differ, but other things are more difficult: uname, build user name, etc.

I think in most cases it just needs some work on *each* package to track
it down, although you don't know if it's difficult until you try. Some
impurity sources are already blocked generally in all builds. AFAIK only
Haskell needs nontrivial changes upstream
https://ghc.haskell.org/trac/ghc/ticket/4012 , but there might be more
such problems hidden.

(I even read about security research that introduces non-determinism
into compiler output in a way that's supposed to make common exploits
unusable on multiple outputs of the same compilation, so you supposedly
wouldn't be able to attack many systems at once.)

Vladimir
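
The distinction drawn in the message above, between timestamps that show up in any rebuild-and-compare and values such as the build user name or uname output that stay identical on one machine, is illustrated here as an added example (not part of the original message and not nixpkgs code). The artifact bytes, the `nixbld1` user, the host name and the kernel string are constructed sample values.

```python
import getpass
import platform


def diff_ranges(a: bytes, b: bytes):
    """Return [start, end) byte ranges where two builds of one package differ."""
    ranges, start = [], None
    longest = max(len(a), len(b))
    for i in range(longest):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, longest))
    return ranges


def embedded_env(artifact: bytes, env: dict):
    """Names of build-environment values that appear verbatim in the artifact.

    These never show up in a same-machine rebuild diff, because both
    builds embed the same bytes.
    """
    return sorted(name for name, value in env.items() if value and value in artifact)


def local_env():
    """Environment values of the current machine, for scanning a real build."""
    u = platform.uname()
    return {"user": getpass.getuser().encode(),
            "hostname": u.node.encode(),
            "kernel": u.release.encode()}


# Constructed sample: two builds on the same machine, a few minutes apart.
ENV = {"user": b"nixbld1", "hostname": b"buildhost", "kernel": b"3.18.3"}


def fake_build(timestamp: bytes) -> bytes:
    return b"\x7fELF..built " + timestamp + b" by nixbld1 on Linux 3.18.3\x00"


BUILD_1 = fake_build(b"2015-01-23 09:41:30")
BUILD_2 = fake_build(b"2015-01-23 09:47:02")

if __name__ == "__main__":
    print("rebuild diff:", diff_ranges(BUILD_1, BUILD_2))    # timestamp bytes only
    print("hidden impurities:", embedded_env(BUILD_1, ENV))  # same in both builds
```

Comparing against a build made under a different user, host and kernel would turn the hidden values into ordinary diff ranges.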