[Nix-dev] Funding Hydra Development

Vladimír Čunát vcunat at gmail.com
Fri Jan 23 09:41:30 CET 2015


On 01/22/2015 10:43 PM, Raahul Kumar wrote:
> bit-identical builds. How far are we from that point? Is it the
> timestamps that most build tools add to their build that prevents it?
> What's the blocker?

We still don't even have a fully reproducible stdenv, not even with all of 
https://github.com/NixOS/nixpkgs/pull/2281 . I have some further WIP on 
perl, but it ate many days of my time and still isn't fully 
deterministic. Timestamps are relatively easy to detect, as they always 
differ, but other things are more difficult: uname, build user name, etc.

I think in most cases it just needs some work on *each* package to track 
it down, although you don't know if it's difficult until you try. Some 
impurity sources are already blocked generally in all builds. AFAIK only 
Haskell needs nontrivial changes upstream 
https://ghc.haskell.org/trac/ghc/ticket/4012 , but there might be more 
such problems hidden.

(I even read about security research that introduces non-determinism 
into compiler output in a way that's supposed to make common exploits 
unusable on multiple outputs of the same compilation, so you supposedly 
wouldn't be able to attack many systems at once.)


Vladimir
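
Added example, not part of the original message: a sketch of why timestamps show up when you build twice and diff, while the build user name or uname output does not unless you search for it. The helper names, the `fake_build` stand-in and all sample values are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file's relative path under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def differing_files(a, b):
    """Files whose content differs, or that exist on one side only."""
    ha, hb = tree_hashes(a), tree_hashes(b)
    return sorted(f for f in ha.keys() | hb.keys() if ha.get(f) != hb.get(f))

def embedded_markers(root, markers):
    """Files that embed host-specific byte strings: {path: [marker names]}."""
    root, hits = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            found = [name for name, val in markers.items() if val and val in data]
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def fake_build(out, stamp, user, kernel):
    """Constructed stand-in for a package build with typical impurities."""
    out = Path(out)
    (out / "bin").mkdir(parents=True)
    (out / "bin" / "tool").write_bytes(b"\x7fELF...code...")
    (out / "bin" / "version").write_bytes(b"built " + stamp)
    (out / "config.h").write_bytes(
        b'#define BUILD_USER "' + user + b'"\n#define OSVERS "' + kernel + b'"\n')

def demo():
    # Constructed values; on a real host take them from the build environment.
    markers = {"user": b"nixbld1", "kernel": b"3.14.29"}
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "a"), Path(tmp, "b")
        # Same machine, two runs: only the timestamp changes between them.
        fake_build(a, b"2015-01-23T09:41:30", markers["user"], markers["kernel"])
        fake_build(b, b"2015-01-23T09:52:07", markers["user"], markers["kernel"])
        return differing_files(a, b), embedded_markers(a, markers)

if __name__ == "__main__":
    diff, hits = demo()
    print("differs between builds:", diff)
    print("identical here, but host-dependent:", hits)
```

The two-build diff flags only `bin/version`; `config.h` is bit-identical across both runs on this machine and would differ only when built under another user or kernel, which is why the marker scan is a separate step.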

