|
From: | Bob Friesenhahn |
Subject: | Re: [gnu-prog-discuss] Automake dist reproducibility |
Date: | Tue, 22 Dec 2015 15:51:38 -0600 (CST) |
User-agent: | Alpine 2.01 (GSO 1266 2009-07-14) |
On Tue, 22 Dec 2015, Pádraig Brady wrote:
On 22/12/15 17:00, Mike Gerwitz wrote:There is ongoing discussion about reproducible builds within GNU. I'm having trouble figuring out the best approach for deterministic distribution archives using Automake.I've not thought much about this, but I'm wondering about how useful deterministic tarballs are? The main thrust of reproducible builds is to verify what's running on the system, and there are so many variables between the tarball and build, that I'm not sure it's worth worrying about non determinism in the intermediate steps? Perhaps the main focus for tarballs should just to ensure they're properly signed.
I would agree that it is the extracted binary contents of the tarballs (ignoring artifacts like file timestamps and user ids) which counts. Attempting to get archiving tools to produce the same results at different times on different machines is close to impossible.
Bob -- Bob Friesenhahn address@hidden, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
[Prev in Thread] | Current Thread | [Next in Thread] |