[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Distributed verification of release tarballs using Guix? (was Re: Re
|
From: |
Rob Browning |
|
Subject: |
Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?) |
|
Date: |
Wed, 24 Jul 2019 23:15:31 -0500 |
Ludovic Courtès <address@hidden> writes:
> One issue is that “make dist” is non-deterministic because the archive
> contains timestamps; I’m sure there of other sources of non-determinism
> though, because “make dist” was not designed with that in mind.
>
> The non-source byproducts in release tarballs are: the pre-built .go
> files (which are optional), psyntax-pp.scm, and then Info files and all
> the autotools machinery. Are these those you had in mind?
If you haven't already seen it, I'd also suggest consulting
https://reproducible-builds.org. They've been doing a lot of relevant
heavy-lifting over the past few years (working on the relevant tools,
generating patches or workarounds, etc.). Their diffoscope tool might
also be of interest: https://reproducible-builds.org/tools/
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
- Re: Distributed verification of release tarballs using Guix? (was Re: Releasing 2.2.5?),
Rob Browning <=