19/05/2024 19:23, Luca Boccassi:
> On Sun, 19 May 2024 at 18:13, Thomas Monjalon <tho...@monjalon.net> wrote:
> >
> > 19/05/2024 18:36, Luca Boccassi:
> > > On Sun, 19 May 2024 at 15:01, Thomas Monjalon <tho...@monjalon.net> wrote:
> > > > 17/05/2024 13:29, Luca Boccassi:
> > > > > On Mon, 27 Nov 2023 at 17:04, Bruce Richardson
> > > > > <bruce.richard...@intel.com> wrote:
> > > > > >
> > > > > > On Mon, Nov 27, 2023 at 05:45:52PM +0100, Thomas Monjalon wrote:
> > > > > > > I would prefer adding an option for reproducible build
> > > > > > > (which is not a common requirement).
> > > > > > >
> > > > > > Taking a slightly different tack, is it possible to sort the
> > > > > > searchindex.js file post-build, so that even reproducible builds
> > > > > > get the benefits of parallelism?
> > > > >
> > > > > Given the recent attacks with malicious sources being injected in open
> > > > > source projects, reproducible builds are more important than ever and
> > > > > should just be the default.
> > > >
> > > > Yes it should be the default when packaging.
> > > > Why should it be the default for normal builds?
> > >
> > > Build reproducibility is everyone's responsibility, not just Linux
> > > distributions. There should be no difference between a "normal build"
> > > and a "packaging build". As far as I know, it is still fully supported
> > > for DPDK consumers to take the git repository, build it and ship it
> > > themselves - those cases also need their builds to be reproducible.
> >
> > Sorry I really don't understand this point.
> > The goal of a reproducible build is to maintain a stable hash, right?
> > This hash needs to be stable only when it is published, isn't it?
> > So isn't it enough to give a build option for having a reproducible build?
>
> The goal is that issues breaking reproducibility are bugs and treated
> as such. You wouldn't have a build option to allow buffer overflows or
> null pointer dereferences, and so on. "The program builds
> reproducibly" today and in the future has the same importance as "the
> program doesn't write beyond bounds" or "the program doesn't crash" -
> they are not optional qualities, they are table stakes, and
> regulations are only going to get stricter.

I hear the technical reasons and want to address them, but I don't understand how regulation comes in an open source project.