On Tue, 22 Dec 2015, Pádraig Brady wrote:
> On 22/12/15 17:00, Mike Gerwitz wrote:
>> There is ongoing discussion about reproducible builds within GNU. I'm
>> having trouble figuring out the best approach for deterministic
>> distribution archives using Automake.
>
> I've not thought much about this, but I'm
> wondering about how useful deterministic tarballs are?
> The main thrust of reproducible builds is to verify what's
> running on the system, and there are so many variables
> between the tarball and build, that I'm not sure it's
> worth worrying about nondeterminism in the intermediate steps?
> Perhaps the main focus for tarballs should just be to
> ensure they're properly signed.

I would agree that it is the extracted binary contents of the tarballs
(ignoring artifacts like file timestamps and user ids) which counts.
Attempting to get archiving tools to produce the same results at
different times on different machines is close to impossible.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
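
Added example, not part of the original thread: one way to compare two release tarballs by their extracted contents while ignoring timestamps, owner ids and member order, which is the comparison the last reply describes. The function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files, mtime, uid, uname):
    """Build a constructed .tar.gz in memory with the given metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime, info.uid, info.gid = mtime, uid, uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def content_digest(blob):
    """Hash member path, type, exec bit and file bytes; skip mtime, owner, order."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            elif m.issym() or m.islnk():
                body = "link:" + m.linkname
            else:
                body = ""
            entries.append((m.name, m.type.decode(), bool(m.mode & 0o111), body))
    h = hashlib.sha256()
    for entry in sorted(entries):  # sorting removes dependence on archive order
        h.update(repr(entry).encode())
    return h.hexdigest()

# Constructed sample: same files, packed on two "machines" at different times.
FILES = [("pkg-1.0/configure", b"#!/bin/sh\necho ok\n"), ("pkg-1.0/README", b"hello\n")]
TAR_A = make_tar(FILES, 1450800000, 1000, "builder")
TAR_B = make_tar(list(reversed(FILES)), 1450890000, 0, "root")
# Constructed sample: one file's bytes changed, metadata identical to TAR_A.
TAR_C = make_tar([FILES[0], ("pkg-1.0/README", b"hello!\n")], 1450800000, 1000, "builder")

if __name__ == "__main__":
    print("raw bytes equal:     ", TAR_A == TAR_B)
    print("contents equal (A,B):", content_digest(TAR_A) == content_digest(TAR_B))
    print("contents equal (A,C):", content_digest(TAR_A) == content_digest(TAR_C))
```

The digest covers only what ends up on disk after extraction, so it complements a signature on the tarball rather than replacing it.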