Hi pelzflorian,

"pelzflorian (Florian Pelz)" <[email protected]> writes:

> So I run
>
> make guix-binary.x86_64-linux.tar.xz
>
> and the resulting tarball has minor differences.  diffoscope shows that
> its contained disarchive, guile-git and guile-lib packages have few
> differences in a few compiled .go files.
>
> So these packages are not reproducible, but otherwise Guix is the same.
>
> I do use substitutes, so it is not a proper, clean test.
>
> The source code,
>
>> • Sources
>> 
>>   https://files.ditigal.xyz/guix-release-1.5.0rc1-ruther/guix-1.5.0rc1.tar.gz
>
> is the same as `make dist-with-updated-version` except for the folder
> name inside the archive is guix-1.5.0rc1.1-d33978.
>
> Overall, I am happy with janneke’s reproducibility work.  Putting him in
> Cc.  All is good, I think.
>
> But maybe janneke, Rutherther, Noé Lopez or release team members know
> better reproducibility instructions than those I found which maybe can
> go with the release communications.

I was considering including the instructions, but didn't want to make
the e-mail much longer. You're right that they might not be
reproducible. Even if the packages were reproducible, the .tar.xz
(or iso, qcow2) itself will still probably not be bit-by-bit reproducible.

As part of the release, we've moved to generating the artifacts through
Guile rather than a couple of shell lines, so that they can be built more
easily by CI.

Specifically, let's say you're in a checkout of Guix at version-1.5.0,
you would do

SUPPORTED_SYSTEMS=x86_64-linux guix time-machine -q --branch=version-1.5.0 -- \
  guix build -m ./etc/teams/release/artifacts-manifest.scm --no-grafts

(or you might use ./pre-inst-env if that's better for you)

Since the artifacts are built and substituted by CI, you might want to
do --check after you substitute them to try to build them yourself.

to obtain the artifacts for x86_64-linux, currently it will build all of
the artifacts, not just tar.xz. Support for that is considered for
later. If you want to get just one of the artifacts, you would add
--derivations and pick up only what you want to build.

But in the end, the resulting tarball should be pretty much the same as
if you did make like you've tried to do. The derivation will differ,
though, at least due to the different name, but other than that it is
generated the same way. So still, as you're saying, the guile-git and
guile-lib will differ. Since you're saying you use substitutes,
presumably you downloaded these from bordeaux and the builds differ from
CI. When trying reproducibility with substitutes, it might be better to
use --substitute-urls=https://bordeaux.guix.gnu.org in the first place.
That is because CI is the one that built the artifacts, so if you
substitute all from it, it might end up the same result, even though
it's not reproducible.

Rutherther

>
> Regards,
> Florian
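
Added example, not part of the original e-mail or of Guix: a Python sketch of the distinction made above between a tarball that is not bit-for-bit identical and packaged files that actually differ. The archives, file names and contents are constructed placeholders, and `make_tarball`, `member_digests` and `compare_tarballs` are hypothetical helper names.

```python
import hashlib
import io
import tarfile


def member_digests(blob):
    """Map each regular file in a tar archive (any compression) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(blob_a, blob_b):
    """Return (archives bit-identical?, sorted names whose content differs or is missing)."""
    a, b = member_digests(blob_a), member_digests(blob_b)
    differing = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    return blob_a == blob_b, differing


def make_tarball(files, mtime):
    """Build a constructed .tar.xz in memory; mtime stands in for build-time metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: placeholder names and contents, not real Guix store items.
SAME = {"pkg-a/lib/module.go": b"compiled-v1", "pkg-b/bin/tool": b"same"}
CHANGED = {"pkg-a/lib/module.go": b"compiled-v2", "pkg-b/bin/tool": b"same"}
LOCAL = make_tarball(SAME, mtime=1)
REBUILT_SAME = make_tarball(SAME, mtime=2)     # only archive metadata differs
REBUILT_DIFF = make_tarball(CHANGED, mtime=1)  # one packaged file differs

if __name__ == "__main__":
    print(compare_tarballs(LOCAL, REBUILT_SAME))
    print(compare_tarballs(LOCAL, REBUILT_DIFF))
```

A result of `(False, [])` means only the container differs, while a non-empty list names the files worth inspecting with diffoscope.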
