> On Apr 2, 2024, at 1:11 PM, John Gilmore <g...@toad.com> wrote: > > For me, the distinction is that the local storage is under the direct > control of the person trying to rebuild, while the network and the > servers elsewhere in the network are not. If local storage is > unreliable, you can fix or replace it, and continue with your work. There are obviously many advantages to local storage. However, if you locally record cryptographic hashes, and re-download the bits for (say) a compiler, you could still reproduce the results *if* the information is still available where you're downloading it from (or can find an alternative source). The key is that "if" condition. The risk of not having local copies is the risk of loss of availability. However, many sites are fairly reliable. I'd hate to tell someone they can't verify reproducible builds just because they don't (currently) have a local copy of everything. Indeed, you want multiple verifications of reproducible builds, and they'll have to get their data from somewhere. It's sometimes much easier to send the source including build instructions, information on how to download the rest, and the cryptographic hashes for what is not bundled. --- David A. Wheeler
Re: Arch Linux minimal container userland 100% reproducible - now what?
David A. Wheeler via rb-general Thu, 04 Apr 2024 09:15:00 -0700
- Re: Arch Linux minimal container userland ... John Gilmore
- Re: Arch Linux minimal container user... Chris Lamb
- Re: Arch Linux minimal container user... kpcyrd
- Re: Arch Linux minimal container user... John Gilmore
- Re: Arch Linux minimal container ... kpcyrd
- Re: Arch Linux minimal contai... John Gilmore
- Re: Arch Linux minimal co... HW42
- Re: Arch Linux minimal co... James Addison via rb-general
- Re: Arch Linux minim... John Gilmore
- Re: Arch Linux m... Richard Purdie
- Re: Arch Linux m... David A. Wheeler via rb-general