Posted Nov 26, 2012 16:00 UTC (Mon) by welinder (guest, #4699)
In reply to: GNU Guix launches by oever
Parent article: GNU Guix launches
> Guaranteed repeatability of builds
That would require an audit of all packages' build system to ensure
they only depend on what they claim.
Anything using "date" to embed a timestamp anywhere will not be
repeatable. Anything using /dev/urandom is unlikely to be repeatable.
(I can see collision-hardened hashes do that and hash ordering would
change. You would get in the build phase if that runs anything built.)
Posted Nov 26, 2012 18:54 UTC (Mon) by oever (subscriber, #987)
The only timestamps in the build should be ones that come from the inputs: the build tools and the source code. There should be no use of randomness in a build.
The value of knowing exactly where your code comes from is huge. Currently there is no easy way to check that binary packages correspond to source packages.
Posted Nov 28, 2012 9:46 UTC (Wed) by oak (subscriber, #2786)
Noticing date & time usage in package sources is easy in daily automated builds. Other differentiators taken from the environment are harder to find though, because build machines are pretty identical.
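An added example, not code from the thread or from Guix: the cheapest check for the nondeterminism sources named above (a wall-clock `date`, bytes from /dev/urandom, unsorted file order) is to build the same source tree twice in separate directories and compare the outputs. The source files, the builders and the SOURCE_DATE_EPOCH value 1354000000 are assumptions made up for the demo; the check itself is plain POSIX sh.

```sh
#!/bin/sh
# Added example, not from the LWN thread: build a constructed source tree twice
# and compare the artifacts. Catches wall-clock timestamps, /dev/urandom reads
# and unsorted file order. The sample files and the fallback SOURCE_DATE_EPOCH
# (1354000000) are assumptions for the demo.
set -eu

# Constructed sample source tree (stand-in for a real package).
make_source() {
  mkdir -p "$1"
  printf 'int main(void) { return 0; }\n' > "$1/main.c"
  printf '#define VERSION "1.0"\n'        > "$1/version.h"
}

# Leaky "build": stamps the wall clock and random bytes into the artifact.
# Two runs in the same second still differ because of the urandom bytes.
build_unreproducible() {
  src="$1"; out="$2"
  {
    printf 'built: %s\n' "$(date)"
    printf 'build-id: %s\n' "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    cat "$src"/*.c "$src"/*.h
  } > "$out"
}

# Fixed build: the only timestamp is SOURCE_DATE_EPOCH, which is an input
# (assumed 1354000000 if unset), there is no randomness, and the file list is
# sorted under LC_ALL=C so directory order and locale cannot leak in.
build_reproducible() {
  src="$1"; out="$2"
  epoch="${SOURCE_DATE_EPOCH:-1354000000}"
  {
    printf 'built: %s\n' "$epoch"
    (cd "$src" && find . -type f | LC_ALL=C sort | while read -r f; do cat "$f"; done)
  } > "$out"
}

# Run the given builder twice from identical sources in separate directories
# and compare POSIX cksum output. Returns 0 if the artifacts are identical.
check_reproducible() {
  builder="$1"
  work=$(mktemp -d)
  make_source "$work/src1"; make_source "$work/src2"
  "$builder" "$work/src1" "$work/out1"
  "$builder" "$work/src2" "$work/out2"
  h1=$(cksum < "$work/out1"); h2=$(cksum < "$work/out2")
  rm -rf "$work"
  [ "$h1" = "$h2" ]
}

# Demo: report each builder. The first should fail, the second should pass.
for b in build_unreproducible build_reproducible; do
  if check_reproducible "$b"; then
    echo "$b: reproducible"
  else
    echo "$b: NOT reproducible"
  fi
done
```

Building twice on one machine only catches what varies between two runs there; a build that embeds `date` with second resolution can still pass by luck, which is why running the comparison on a daily schedule, or on a second host with a different hostname, path and clock, is what actually surfaces the environment leaks the third comment describes.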