Hmm, that sounds tricky. However, my experience with Java/Maven is that it is
often possible to achieve reproducibility across operating systems: artifacts
built on MacOS can often be rebuilt on Linux and vice-versa, so perhaps the
same is also true for Windows?
Kind regards,
--
Arnout Engelen
Engelen Open Source
https://engelen.eu
KDOWN_LSM (https://github.com/NixOS/nixpkgs/pull/107625)
Kind regards,
--
Arnout Engelen
Engelen Open Source
https://engelen.eu
On Thu, Mar 2, 2023, at 02:09, John Gilmore wrote:
> I have been surprised at how much effort has gone into "diffoscope" as a
> total fraction of the Reproducible Builds effort.
How do you know?
> Perhaps it is a case
> akin to the drunk looking for his keys under the streetlight where he
> can s
On Sun, Nov 13, 2022, at 23:50, kpcyrd wrote:
> https://r13y.com/
This indeed does 'verification builds': it builds locally and compares against
the main binary cache (https://cache.nixos.org/)
Kind regards,
Arnout
On Mon, Nov 23, 2020 at 10:15 PM Holger Levsen wrote:
> I found some which could go to #reproducible-changes
> and then I realized those are only responsible for rather few notifications:
>
> - one per week for each of the BSDs and coreboot
> - 3 day for OpenWrt (there are 11 different targets and
On Thu, May 14, 2020 at 1:55 PM Morten Linderud
wrote:
> On Thu, May 14, 2020 at 01:39:57PM +0200, Arnout Engelen wrote:
> > I don't think the buildinfo of the initial build should be a required
> input
> > for a rebuilder.
> >
> > Now of course I know
On Wed, May 13, 2020 at 10:31 PM kpcyrd wrote:
> On Wed, May 13, 2020 at 09:39:40AM +0200, Arnout Engelen wrote:
> > This seems useful, though I think it is helpful to describe the
> > relationship between
> > the 'buildinfo' and such a 'rebuild result'.
On Tue, May 12, 2020 at 11:00 PM Paul Spooren wrote:
> The *rebuilders* try to recreate offered binaries following the
> upstream build process as close as necessary.
>
> To make the results accessible, store-able and create tools around them,
> they
> should all follow the same schema, hello *re
On Fri, Apr 3, 2020 at 1:06 PM Julien Lepiller wrote:
> something that could help guix is a relation groupid/artifactid -> source
This is indeed an interesting topic.
Artifacts published under a groupid/artifactid typically have a
pom.xml with an 'scm' section pointing to the sources (for exampl
On Mon, Dec 9, 2019 at 2:39 PM Bernhard M. Wiedemann
wrote:
> TLDR:
> The goal of reproducible builds is to reduce the likelyhood of running
> software that was corrupted (during build)
I agree this is the primary/ultimate goal.
As a software developer, I have a closely related but somewhat smal
On Wed, Jun 19, 2019 at 12:29 PM Lars Wirzenius wrote:
> On Sun, May 19, 2019 at 01:09:40PM +0300, Lars Wirzenius wrote:
> * One of the things I'm exploring is ways to have a "distributed CI",
> where CI build workers can be provided by anyone.
https://github.com/bazelbuild/remote-apis#remote-e
On Thu, Apr 18, 2019 at 1:20 PM Arnout Engelen wrote:
> I can successfully independently reproduce most of the artifacts built
> with Scala 2.13.0-M5
More good news: I just verified I could successfully reproduce all the
published artifacts built with Scala 2.12.8, the latest stable
Hi,
I just wanted to share some promising progress around Reproducible
Builds for Scala libraries (on the JVM).
Recently the first non-trivial Scala library was released with my
sbt-reproducible-builds plugin enabled during the build (Akka 2.5.22).
I can successfully independently reproduce most
On Thu, Apr 4, 2019 at 9:02 PM Vagrant Cascadian
wrote:
> I think merging the two might be appropriate in some way. The front page
> text addresses two points that I think still belong on the front page,
> notably "independently verifiable" as well as "software development
> practices".
>
> The of
On Mon, Jan 7, 2019 at 9:27 AM Hervé Boutemy wrote:
>
Agreed with basically everything above ;)
> > - What exactly gets PGP-signed? (The binary artifact? The buildinfo?
> > If the latter, how does one then establish trust in the binary
> > artifact?)
> good question:
> the rebuilders's bu
net:8000/net/bzzt/simple_2.12/0.1.0-SNAPSHOT
.
Kind regards,
Arnout
On Sun, Dec 23, 2018 at 3:08 PM Hervé Boutemy wrote:
> Le dimanche 23 décembre 2018, 14:01:47 CET Arnout Engelen a écrit :
> > I think it would make sense to upload your own uniquely-named
> > buildinfo and accomp
outemy a écrit :
> > Le dimanche 23 décembre 2018, 13:57:16 CET Arnout Engelen a écrit :
> > > On Sat, Dec 22, 2018 at 7:17 PM Hervé BOUTEMY
> > > wrote:
> > > > > I do think we should include the
> > > > > 'classifier' field, if a
On Sun, Dec 23, 2018 at 1:48 PM Hervé Boutemy wrote:
> now I get the same hash: good news
Great!!
> then I could publish somewhere that I was able to reproduce this sbt-
> reproducible-builds-0.19.jar file
>
> how?
I think the most sensible way to achieve this is to share (and sign)
your own bu
On Sat, Dec 22, 2018 at 7:17 PM Hervé BOUTEMY wrote:
> > I do think we should include the
> > 'classifier' field, if any, though.
>
> what do you call "classifier"?
The field as described at https://maven.apache.org/pom.html
> > I agree it would be useful to include those: they shouldn't affect
On Sat, Dec 22, 2018 at 6:37 PM Hervé Boutemy wrote:
> Le samedi 22 décembre 2018, 11:22:57 CET Arnout Engelen a écrit :
> > On Sat, Dec 22, 2018 at 6:46 AM Hervé Boutemy wrote:
> > > IMHO, a first step is to have us be able to rebuild packages from each
> > > other an
On Sat, Dec 22, 2018 at 7:23 AM Hervé Boutemy wrote:
> After Arnout's excellent PoC [1], I'd like to discuss the buildinfo content
> based on reviewing current example:
> > name=stamina-core
> > group_id=com.scalapenos
> > artifact_id=stamina-core_2.12
> > version=0.1.5-SNAPSHOT
> ok, same meanin
On Sat, Dec 22, 2018 at 6:46 AM Hervé Boutemy wrote:
> Le jeudi 20 décembre 2018, 19:13:48 CET Arnout Engelen a écrit :
> > https://oss.sonatype.org/content/repositories/snapshots/com/scalapenos/stam
> > ina-core_2.12/0.1.5-SNAPSHOT/
>
> There is only one key point that I
> > One can even construct a general proof:
> > Given a H where it is not possible to collide H(a) = H(b) with a ≠ b
I'm not sure what you mean by 'not possible to collide' here. Hashes
are typically smaller than the allowed inputs, which means there must
exist different input files that produce t
On Wed, Dec 19, 2018 at 10:15 AM Arnout Engelen wrote:
> On Tue, Nov 27, 2018 at 4:02 PM Hervé Boutemy wrote:
> > On the question "where to publish", I think we have no choice when artifacts
> > go to Maven Central: there is one "official" build that goe
nvironment was from the original "official" build info.
> Le mardi 27 novembre 2018, 12:26:33 CET Arnout Engelen a écrit :
> > On Tue, Nov 27, 2018 at 9:58 AM Hervé BOUTEMY wrote:
> > > Yes, the Buildinfo seems an interesting part to work together.
> > >
> &g
On Wed, Dec 5, 2018 at 2:59 PM Holger Levsen wrote:
> On Wed, Dec 05, 2018 at 02:49:24PM +0100, Arnout Engelen wrote:
> > I have no particular love
> > for XML, JSON or YAML, to be quite honest. What would you think
> > about a good old '.properties' file?
&g
fact, even for multi-jar builds - that
seems reasonable to me.
Arnout
> Le lundi 26 novembre 2018, 09:40:44 CET Arnout Engelen a écrit :
> > On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy wrote:
> > > A few years ago, the work on this started and I created a Wiki page [1] a
things
in stone' just yet.
Kind regards,
Arnout
> Le lundi 26 novembre 2018, 09:40:44 CET Arnout Engelen a écrit :
> > On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy wrote:
> > > A few years ago, the work on this started and I created a Wiki page [1] at
> > > Mav
On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy wrote:
> A few years ago, the work on this started and I created a Wiki page [1] at
> Maven to try to consolidate efforts from many isolated people I met who were
> interested in the topic: this Wiki page did not attract many contributions nor
> even d
On Tue, Oct 30, 2018 at 8:27 AM Daniel Shahaf wrote:
> For a long time, over 93% of all source packages in the Debian archive
> (25561 out of 27427) have been known to be [reproducible in a laboratory
> environment][1]. Last week, Vagrant Cascadian [probed the package
> archives][2] and found tha
30 matches
Mail list logo
