LWN: Comments on "The history, status, and plans for reproducible builds" https://lwn.net/Articles/985739/ This is a special feed containing comments posted to the individual LWN article titled "The history, status, and plans for reproducible builds". en-us Fri, 03 Oct 2025 01:15:56 +0000 Fri, 03 Oct 2025 01:15:56 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net nixos again https://lwn.net/Articles/987171/ https://lwn.net/Articles/987171/ gray_-_wolf <div class="FormattedComment"> One of the original goals behind Guix is to make scientific research (or rather computations involved in it) reproducible. You somewhat need to be able to do reproducible packages to achieve that goal. There is a built-in `guix challenge' command to build a package locally and compare it against the build farms. Heck, there even is a `guix time-machine' command that allows you to rewind the whole distro to a specific point in time (commit). So yes, Guix takes reproducibility seriously.<br> </div> Sun, 25 Aug 2024 21:46:12 +0000 nixos again https://lwn.net/Articles/987166/ https://lwn.net/Articles/987166/ Heretic_Blacksheep <div class="FormattedComment"> As someone coming to the subject somewhat cold: NixOS' reproducible builds page reads more aspirational and How-toish while Guix gives the impression that reproducibility is not only desired, but the project considers package builds not being reproducible as a bug for their build system to fix.<br> <p> I realize the whole situation is actually aspirational in open source land, but it appears Guix is very much trying to make it less aspirational for its users, at least that's how it appears for someone that uses neither one currently. Were I to be looking for a reproducible distro (and I may be sometime in the future), I'd be giving Guix a much harder look than NixOS from the way the information is presented alone. 
It's great that NixOS is telling people what to do, but when the rubber meets the pavement, as an end user you want to manually intervene as little as possible.<br> </div> Sun, 25 Aug 2024 16:10:44 +0000 nixos again https://lwn.net/Articles/987165/ https://lwn.net/Articles/987165/ jake <div class="FormattedComment"> <span class="QuotedText">&gt; Extraordinary claims needs extraordinary proof, and it would be nice if LWN actually thought </span><br> <span class="QuotedText">&gt; twice about such statements.</span><br> <p> True enough, but in this case, this is a report of a talk that was given at DebConf. Perhaps I misunderstood Holger, but I am trying to report what he said in the talk.<br> <p> jake<br> </div> Sun, 25 Aug 2024 16:02:18 +0000 nixos again https://lwn.net/Articles/987156/ https://lwn.net/Articles/987156/ Foxboron <div class="FormattedComment"> <span class="QuotedText">&gt; The text you quote links to an LWN article that in turn links to <a href="https://reproducible.nixos.org/">https://reproducible.nixos.org/</a>, which currently claims that over the minimal install CD, its build dependencies, and the GNOME install CD are all over 99% reproducible, and the build dependencies of the GNOME install CD is over 95% reproducible. I don't see a particular reason to distrust this data, but maybe there is?</span><br> <p> That data is based on an incredibly small fraction of packages, while the claim is a general one. The fact that nixos can reproduce a small portion of their packages doesn't give any credibility to a general claim of "designed to be reproducible, so they are close to fully reproducible". It's a claim nobody can verify *because* of the number of packages they have.<br> <p> Note that it says "4621 out of 4855 (95.18%) *paths*", where paths doesn't only include packages, but things fetched through `fetchURL` which includes remote sources. 
Comparing if a patch pulled from GitHub today and tomorrow is identical is not terribly interesting in the context of Reproducible Builds.<br> <p> <span class="QuotedText">&gt; Of course the install CDs are a subset of what is all packaged in the distro, but on the other hand, I think nixpkgs has far more packages than the average Linux distribution, so it doesn't seem particularly informative to count the long tail of stuff that's only in nixpkgs against NixOS. </span><br> <p> NixOS is not designed to be reproducible, it's a distro built on top of nixpkgs that doesn't give any such guarantees. You could possibly make this claim for nix, their package manager, but as long as there is no rigor in the submitted packages you have the same guarantees as the other Linux distros.<br> <p> <span class="QuotedText">&gt; If you say that Guix has a small package base, doesn't that make it significantly easier for all of Guix to be reproducible?</span><br> <p> I'm differentiating between Guix and NixOS. Guix have rigor in their package sets to ensure reproducible builds. This puts them apart from a lot of the other distros.<br> <p> <p> <span class="QuotedText">&gt; Can you expand on what you mean by "no valid claims" and "extraordinary"? At this point, a Linux distro with a relatively normal set of packages that isn't doing something particularly daft in their package builder really should be mostly reproducible, because most of the patches produced by the Reproducible Builds project have been upstreamed, no? So it doesn't seem like an extraordinary claim to me.</span><br> <p> This assumption is a false one. We are far away from making any such guarantees and the work reproducible builds has been doing sees regressions on compiler and toolchain releases often. We don't know how to make these guarantees and it requires the entire FOSS community to be rigorous in their support for Reproducible Builds. 
Even when we upstream most of the patches we write, we can't be confident something in the future won't break. This is not down to package managers "doing something daft" but to upstream releases not really checking for these things.<br> <p> The Reproducible Builds is currently a reactive effort, not a proactive one.<br> <p> <p> </div> Sun, 25 Aug 2024 11:40:48 +0000 nixos again https://lwn.net/Articles/987146/ https://lwn.net/Articles/987146/ geofft <div class="FormattedComment"> The text you quote links to an LWN article that in turn links to <a href="https://reproducible.nixos.org/">https://reproducible.nixos.org/</a>, which currently claims that over the minimal install CD, its build dependencies, and the GNOME install CD are all over 99% reproducible, and the build dependencies of the GNOME install CD is over 95% reproducible. I don't see a particular reason to distrust this data, but maybe there is?<br> <p> Of course the install CDs are a subset of what is all packaged in the distro, but on the other hand, I think nixpkgs has far more packages than the average Linux distribution, so it doesn't seem particularly informative to count the long tail of stuff that's only in nixpkgs against NixOS. If you say that Guix has a small package base, doesn't that make it significantly easier for all of Guix to be reproducible? In a practical sense, a user looking for reproducibility usually has some particular use case in mind, and that user is going to look for a distro that has the packages they want, and not care about the packages they don't want, so I don't think having fewer packages available really benefits a realistic use case. But maybe I'm missing something.<br> <p> Can you expand on what you mean by "no valid claims" and "extraordinary"? 
At this point, a Linux distro with a relatively normal set of packages that isn't doing something particularly daft in their package builder really should be mostly reproducible, because most of the patches produced by the Reproducible Builds project have been upstreamed, no? So it doesn't seem like an extraordinary claim to me.<br> </div> Sun, 25 Aug 2024 01:00:05 +0000 nixos again https://lwn.net/Articles/987123/ https://lwn.net/Articles/987123/ Foxboron <div class="FormattedComment"> <span class="QuotedText">&gt; NixOS and Guix are designed to be reproducible, so they are close to fully reproducible. </span><br> <p> This is not true and it's annoying that it gets repeated. GUIX *has* a pretty good track record by virtue of having a small package base, and by far *is* pretty close.<br> <p> NixOS has no valid claims to this at all. Extraordinary claims needs extraordinary proof, and it would be nice if LWN actually thought twice about such statements.<br> </div> Sat, 24 Aug 2024 20:12:51 +0000 Proud OSUOSL is providing hosting for Reproducible Builds project! https://lwn.net/Articles/987112/ https://lwn.net/Articles/987112/ ramereth <div class="FormattedComment"> The OSUOSL [1] has been a long-time supporter of the Reproducible Builds project and currently hosts five (5) physical machines to support their work. Happy to see they're doing well!<br> <p> [1] <a href="https://osuosl.org">https://osuosl.org</a><br> </div> Sat, 24 Aug 2024 16:46:43 +0000 Yocto https://lwn.net/Articles/987099/ https://lwn.net/Articles/987099/ rossburton To elaborate on the point of Yocto having “basic support”: the core is fully reproducible by default, and our reproducible criteria are stricter: different host architectures, different build users, and different build paths should all produce the same target artifacts. 
Sat, 24 Aug 2024 12:13:24 +0000 Docker Images https://lwn.net/Articles/987080/ https://lwn.net/Articles/987080/ tianon <div class="FormattedComment"> It didn't happen with much fanfare, but the Debian Docker images have been reproducible since 2017 (<a href="https://github.com/docker-library/official-images/pull/3031">https://github.com/docker-library/official-images/pull/3031</a>) 😇<br> </div> Sat, 24 Aug 2024 04:17:03 +0000 GNU Guix https://lwn.net/Articles/987066/ https://lwn.net/Articles/987066/ atai <div class="FormattedComment"> GNU Guix, derivative from Nix, supports reproducible builds such that bitcoin uses Guix for building binaries for its tools<br> <p> <a href="https://github.com/bitcoin/bitcoin/pull/15277">https://github.com/bitcoin/bitcoin/pull/15277</a><br> <a href="https://bitcoinops.org/en/topics/reproducible-builds/">https://bitcoinops.org/en/topics/reproducible-builds/</a><br> <a href="https://github.com/bitcoin/bitcoin/blob/master/contrib/guix/README.md">https://github.com/bitcoin/bitcoin/blob/master/contrib/gu...</a><br> </div> Fri, 23 Aug 2024 22:55:34 +0000 NixOS designed to be reproducible https://lwn.net/Articles/987000/ https://lwn.net/Articles/987000/ RaitoBezarius <div class="FormattedComment"> To be fair (NixOS developer here), NixOS is designed to enable an easier time at reproducing the binaries, but we are definitely standing on the shoulders of giants who introduced `SOURCE_DATE_EPOCH` and various knobs to purify the environment and increase drastically the chances to make a reproducible artifact.<br> <p> The build environments of Nix only attempt to be very strict and encourage the author to purify as much as possible, but we do not impose, e.g. 
that `nix-build --check $package` passes, which would enforce bit-to-bit reproducibility.<br> <p> Our results are usually that the minimal ISO and the graphical ISO have a good result in terms of bit-to-bit reproducibility, with some regressions that everyone gets also because upstream regresses (Python, etc., etc.).<br> <p> The problem we have is that nixpkgs is enormous and tracking its reproducibility is not a simple task, crowdsourcing and sampling could be a solution to prove statistical bit-to-bit reproducibility, but those are open questions at the moment.<br> </div> Fri, 23 Aug 2024 13:58:36 +0000