Deterministic/reproducible builds (Was: Clarity on current status of Scientific Linux build)

[Brett Viren]

Patrick J. LoPresti lopre...@gmail.com writes:

 See https://wiki.debian.org/ReproducibleBuilds or
 https://blog.torproject.org/category/tags/deterministic-builds or
 http://www.chromium.org/developers/testing/isolated-testing/deterministic-builds
 or just try a search of your own.

To add, if deterministic builds were not possible it would mean this
could not exist:

  http://nixos.org/nix/

Regards,
-Brett.


pgp5Omo83hFLU.pgp
Description: PGP signature

Re: Clarity on current status of Scientific Linux build

[Lamar Owen]

On 07/02/2014 12:18 AM, Patrick J. LoPresti wrote:

On Tue, Jul 1, 2014 at 5:09 PM, jdow j...@earthlink.net wrote:

On 2014-07-01 08:16, Patrick J. LoPresti wrote:


The *goal* of CentOS used to be binary compatibility, even if it was
never 100% achieved. ...

Pat, this is nominally impossible with modern compilers as I discovered a
long time ago.

Incorrect.



If it's so incorrect, then why is it mentioned in the gnu.org GPL FAQ?


No, traceability is the irrelevant side issue here.


In NTP terms, if I can have a stratum 1 source that's nice, but a 
stratum 2 may be enough for the job at hand.  If I truly need real 
stratum 1 then I need to pay for the proper number and types of 
refclocks to obtain real stratum 1 capability (I have this exact need 
here, and am building out the necessary number and types of refclocks to 
achieve that goal; for non-astronomical purposes stratum 4 or 5 is more 
than sufficient as long as those are traceable to stratum 1 sources, 
such as tick and tock and the various standards maintained by NIST). A 
single GPS-disciplined clock, such as an HP/Agilent/Symetricom Z3816A or 
Z3805 is just not enough by itself.



Once again, the only relevant question is whether and how Scientific
Linux can be a rebuild of Red Hat Enterprise *and not CentOS*,...


This remains to be seen.  It may not be possible.  But in order for the 
SL team to accomplish this, traceability to Red Hat of the sources will 
be required, since it is apparent that source RPMs on a public ftp 
server are not coming back any time soon, if ever.  If this traceability 
means that the SL team internally audits against upstream's source RPMS 
obtained via subscription, and they silently release SL7 without 
publicly revealing the results of that audit, will that meet your 
standards?  (My gut feel is that only a rebuild of subscription-obtained 
SRPMs publicly released would meet your standards, but that may not be 
something anyone is willing to do.)



I trust the Scientific Linux team. Obviously, I do not trust Red Hat
which includes CentOS. Time will tell how well my trust is placed.
If you don't trust Red Hat then why use their obviously different from 
upstream sources in the first place?  Any straight rebuild of Red Hat's 
sources cannot be more trustworthy than Red Hat's sources, unless every 
line of source code being rebuilt is completely security audited, which 
goes way beyond a typical rebuild.

Deterministic/reproducible builds (Was: Clarity on current status of Scientific Linux build)

[R P Herrold]

On Wed, 2 Jul 2014, Brett Viren wrote:

 To add, if deterministic builds were not possible it would mean this
 could not exist:
 
   http://nixos.org/nix/

or that this website makes assertions not accurate

There are timestamps and build IDs and more which, unless 
tinkered with, will mean that building ANY package at two 
different times will have (non-functional) differences that 
prevent an exact binary duplicate from ever existing.  
Similarly, with parallel threaded (-j N) build systems, a 
Makefile might comclude one time that sub-element FOO was done 
first, otehr times sub-element BAR, and so to traverse a build 
path in differing orders.  Not anything invidious, but not 
'identical' either

-- Russ herrold