On 2023-05-29, David A. Wheeler wrote:
> On Sun, 28 May 2023 21:10:36 -0700, Vagrant Cascadian
> wrote:
>
>> Do such tools actually exist, or are we talking about something
>> theoretical here? I am nervous about investing too much energy in
>> something without a specific, precise, working
On 2023-05-29, Bernhard M. Wiedemann via rb-general wrote:
> On 29/05/2023 06.10, Vagrant Cascadian wrote:
>> Do such tools actually exist, or are we talking about something
>> theoretical here?
>
> https://github.com/openSUSE/build-compare/ is in use for 13 years.
>
> And strip-nondeterminism can
David A. Wheeler wrote:
> Please don't view the text above as opposing reproducible builds.
> I think reproducible builds are the gold standard for countering subverted
> builds, and I will continue to encourage them.
> But when you can't get them (e.g., because you don't have time to patch
> On May 29, 2023, at 12:41 PM, kpcyrd wrote:
>
> I think the pypi example and missing .gitignore file is more about "git and
> pypi are both a VCS, did the author commit the same source code". It's about
> "what's the canonical source code release" instead of a real build.
Huh? PyPI is
On 5/29/23 05:15, David A. Wheeler wrote:
Here's an example that might clarify the threat model.
It's possible that a
program could look for ".gitignore" and run it if present.
The source code repo might not have a .gitignore file,
but the malicious package added .gitignore and filled it with
a
On Sun, 28 May 2023 21:10:36 -0700, Vagrant Cascadian
wrote:
> Do such tools actually exist, or are we talking about something
> theoretical here? I am nervous about investing too much energy in
> something without a specific, precise, working proof of concept.
>
> In your earlier mention
* FC Stegerman [2023-05-29 13:14]:
[...]
> > I find it hard to believe it could be so close that you can programmatically
> > determine something is (probably!) mostly harmless and yet still have it
> > be implausible to go all the way to make a properly reproducible build.
> >
> > That flies in the
Vagrant Cascadian writes:
> On 2023-05-28, David A. Wheeler wrote:
>> On Sun, 28 May 2023 13:04:40 +0100, James Addison via rb-general
>> wrote:
>>> Thanks for sharing this.
>>>
>>> I think that the problem with this idea and name are:
>>>
>>> - That it does not allow two or more people to
* Vagrant Cascadian [2023-05-29 06:10]:
[...]
> I still expect it will be harder to actually do "semantically
> reproducible builds" than "fully reproducible builds".
>
> To be honest, it sounds like a lot of extra work to avoid fixing things
> properly...
+1
> I find it hard to believe it
On Mon, 29 May 2023, Bernhard M. Wiedemann via rb-general wrote:
> > I very much worry that the meaning of Reproducible Builds may gradually
> > get whittled down
>
> I share this concern, which is why I have been calling this
> semi-reproducible to distinguish it from bit-reproducible /
>
On 29/05/2023 06.10, Vagrant Cascadian wrote:
Do such tools actually exist, or are we talking about something
theoretical here?
https://github.com/openSUSE/build-compare/ is in use for 13 years.
And strip-nondeterminism can be used to build another such tool.
They will only ever be able to
On 29/05/2023 05.25, David A. Wheeler wrote:
If you have tips on common likely errors, please post, I think
that would be of interest to many.
https://github.com/openSUSE/build-compare/issues/53
https://github.com/openSUSE/build-compare/issues/33
On Sun, May 28, 2023 at 09:10:36PM -0700, Vagrant Cascadian wrote:
> To be honest, it sounds like a lot of extra work to avoid fixing things
> properly...
+1
Guessing whether some differences have any semantic effect does not
look to me like a generally solvable problem.
As others already