[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why reproducibility is breaking by metadata?
|
From: |
Konrad Hinsen |
|
Subject: |
Re: Why reproducibility is breaking by metadata? |
|
Date: |
Wed, 03 Jul 2019 08:39:32 +0200 |
address@hidden writes:
> Hello, Guix Help! I am translating Guix manual and found that the
> author is entirely given to reproducibility. It leads to such phrases
> that metadata breaks reproducibility when he describes
> '--save-provenance' flag of 'guix pack' command here:
>
> 'This option is not enabled by default because, like timestamps,
> provenance information contributes nothing to the build process. In
> other words, there is an infinity of channel URLs and commit IDs that
> can lead to the same pack. Recording such “silent” metadata in the
> output thus potentially breaks the source-to-binary bitwise
> reproducibility property. '
>
> I did not expected such a categorical statement. I think, it does not
> actually break reproducibility but only complicates checks. If we have
> to talk about reproducibility to ignoramus, saying 'this option breaks
> reproducibility option' have to have remark 'simply put' or 'plainly'.
If you define reproducibility in a pragmatic way as something that can
be verified without deep knowledge of file formats, then the only
reasonable definition is bitwise identity. That's what anyone can check
with generic tools. If you want to check that two outputs of 'guix pack'
are equivalent, i.e. identical up to provenance data, then you need a
separate tool for each output format (and you have to write those tools
yourself because to the best of my knowledge they don't exist yet). In
short, I agree with the statements made in the text.
However, you are completely right that this paragraph is not written at
the right level for the typical user. Here is a proposition for
improving it:
--save-provenance
Save provenance information for the packages passed on the command
line. Provenance information includes the URL and commit of the
channels in use (see Channels), which permit the recipient to locate
the source code of the package definitions that were used.
Provenance information is saved in the /gnu/store/…-profile/manifest
file in the pack, along with the usual package metadata—the name and
version of each package, their propagated inputs, and so on.
Note that inclusion of provenance information makes the resulting
archive non-reproducible in the sense that two archives containing
identical binaries can be different if they were built using
different channels or different commits.
Does this look better to you?
Philosophical side note: the right way to store provenance information
is outside of the data they refer to. Unfortunately, with file-based
storage, there is no clean way to attach the provenance information
securely to the data without putting it into the same file.
Konrad.