On 30/Jun/2025 08:59, Simon Josefsson wrote:
<...>
> When (re-)building the Debian LiveCD the "source code" is mostly
> previously built binary packages.

No, the source would be the source of every single binary, plus the ensemble and the steps to package it together at each level, like a matryoshka.

<...>
> some set of instructions and a set of opaque "source inputs" files which
> may include previously built binaries, without any requirement that
> those previously built binaries can be rebuilt or is even free software.

That can't possibly qualify as reproducible.

> An example of 1) is the Debian Live CD situation, it is reproducibly
> built mostly based on previous binaries, and some of those binaries we
> don't have source code for and they are not freely licensed.

So you're asking to bend common sense so you can include proprietary drivers and/or firmware and call it "reproducible". That literally opens the door to call anything "reproducible". Maybe just label that as "I want to believe" builds instead.

<...>

Anyway, a lot of clarification is in order.

> I don't think 2) necessarily requires recursive transitive closure of
> the same requirement on all of the build inputs. There are at least two
> terms covering that additional requirement: A) "bootstrappable build",
> which recursively rebuild things bit-by-bit identical back to a small
> seed using earlier versions of software, and B) "idempotent rebuild",
> which recursively bit-by-bit identically rebuild things using the latest
> version of all involved tools. Guix has proved A) is possible, but I'm
> not aware of any proof that B) is possible with any modern non-trivial
> OS.

B would impose impractical implementation restrictions on the tools, but maybe a slightly weaker guarantee would be possible: keep track of a version of each involved package, check against that one, and if that works, create a derivative with the latest versions, which then automatically gets submitted somewhere for voting. If a threshold of agreement is reached, the new derivative can be automatically promoted as the new base for checking.
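A sketch of the weaker guarantee proposed in the last paragraph, added here as an example and not part of the original message or of any existing tool. The function names, the report format, the package names and the rule that agreement is measured against all known rebuilders are assumptions; all sample values are constructed.

```python
import hashlib
from collections import Counter

def h(data):
    """SHA-256 hex digest of a string (stands in for an artifact hash)."""
    return hashlib.sha256(data.encode()).hexdigest()

def pins_id(pins):
    """Stable identifier for a {package: version} pin set."""
    return h("\n".join(f"{name}={ver}" for name, ver in sorted(pins.items())))

def decide(base, local_rebuild, candidate_pins, reports, rebuilders, threshold):
    """Return (base to check against from now on, reason).

    base:          {"pins": {...}, "artifact": digest} currently tracked
    local_rebuild: digest obtained by rebuilding with base["pins"]
    reports:       [(rebuilder, pins_id, artifact_digest), ...] submitted votes
    """
    # Step 1: the tracked versions must still reproduce the tracked artifact.
    if local_rebuild != base["artifact"]:
        return base, "base check failed"
    # Step 2: one vote per known rebuilder, and only for this candidate pin set.
    want = pins_id(candidate_pins)
    votes = {}
    for who, pid, digest in reports:
        if who in rebuilders and pid == want:
            votes[who] = digest  # a later report replaces an earlier one
    if not votes:
        return base, "no votes"
    digest, count = Counter(votes.values()).most_common(1)[0]
    # Step 3: promote only if enough of all rebuilders agree on one digest.
    if count / len(rebuilders) >= threshold:
        return {"pins": candidate_pins, "artifact": digest}, "promoted"
    return base, "below threshold"

# Constructed sample data: hypothetical packages, versions and rebuilders.
BASE = {"pins": {"pkg-a": "1.0", "pkg-b": "2.0"}, "artifact": h("image-1")}
CANDIDATE = {"pkg-a": "1.1", "pkg-b": "2.0"}
REBUILDERS = {"r1", "r2", "r3", "r4"}
REPORTS = [
    ("r1", pins_id(CANDIDATE), h("image-2")),
    ("r2", pins_id(CANDIDATE), h("image-2")),
    ("r3", pins_id(CANDIDATE), h("image-2")),
    ("r4", pins_id(CANDIDATE), h("image-3")),       # disagreeing rebuilder
    ("unknown", pins_id(CANDIDATE), h("image-3")),  # not a known rebuilder
]

if __name__ == "__main__":
    print(decide(BASE, BASE["artifact"], CANDIDATE, REPORTS, REBUILDERS, 0.75)[1])
```

Note that this only establishes agreement between rebuilders on the output for a given set of pinned inputs; it says nothing about whether those inputs themselves have source or can be rebuilt.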
