20/05/2024 17:39, Stephen Hemminger:
> On Mon, 20 May 2024 10:53:07 +0100
> Luca Boccassi <bl...@debian.org> wrote:
>
> > On Sun, 19 May 2024 at 22:11, Thomas Monjalon <tho...@monjalon.net> wrote:
> > >
> > > 19/05/2024 19:23, Luca Boccassi:
> > > > On Sun, 19 May 2024 at 18:13, Thomas Monjalon <tho...@monjalon.net> wrote:
> > > > >
> > > > > 19/05/2024 18:36, Luca Boccassi:
> > > > > > On Sun, 19 May 2024 at 15:01, Thomas Monjalon <tho...@monjalon.net> wrote:
> > > > > > > 17/05/2024 13:29, Luca Boccassi:
> > > > > > > > On Mon, 27 Nov 2023 at 17:04, Bruce Richardson <bruce.richard...@intel.com> wrote:
> > > > > > > > >
> > > > > > > > > On Mon, Nov 27, 2023 at 05:45:52PM +0100, Thomas Monjalon wrote:
> > > > > > > > > > I would prefer adding an option for reproducible build
> > > > > > > > > > (which is not a common requirement).
> > > > > > > > > >
> > > > > > > > > Taking a slightly different tack, is it possible to sort the
> > > > > > > > > searchindex.js file post-build, so that even reproducible builds
> > > > > > > > > get the benefits of parallelism?
> > > > > > > >
> > > > > > > > Given the recent attacks with malicious sources being injected in
> > > > > > > > open source projects, reproducible builds are more important than
> > > > > > > > ever and should just be the default.
> > > > > > >
> > > > > > > Yes it should be the default when packaging.
> > > > > > > Why should it be the default for normal builds?
> > > > > >
> > > > > > Build reproducibility is everyone's responsibility, not just Linux
> > > > > > distributions. There should be no difference between a "normal build"
> > > > > > and a "packaging build". As far as I know, it is still fully supported
> > > > > > for DPDK consumers to take the git repository, build it and ship it
> > > > > > themselves - those cases also need their builds to be reproducible.
> > > > > >
> > > > > Sorry I really don't understand this point.
> > > > > The goal of a reproducible build is to maintain a stable hash, right?
> > > > > This hash needs to be stable only when it is published, isn't it?
> > > > > So isn't it enough to give a build option for having a reproducible build?
> > > >
> > > > The goal is that issues breaking reproducibility are bugs and treated
> > > > as such. You wouldn't have a build option to allow buffer overflows or
> > > > null pointer dereferences, and so on. "The program builds reproducibly"
> > > > today and in the future has the same importance as "the program doesn't
> > > > write beyond bounds" or "the program doesn't crash" - they are not
> > > > optional qualities, they are table stakes, and regulations are only
> > > > going to get stricter.
> > >
> > > I hear the technical reasons and want to address them, but
> > > I don't understand how regulation comes in an open source project.
> >
> > Because they will start affecting the companies using DPDK in their
> > products. There are some things in supply chain security that are
> > purely the purview of companies shipping the final products, like
> > providing SBOMs, but there are things that aren't, like for example
> > having processes to handle security issues, or anything that requires
> > code changes, like this issue.
>
> Reproducible must be the default. It should not be an option.
OK I think I better understand, thanks.
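The post-build sort that Bruce floats above, written out as an added example (not code from the thread's authors, DPDK or Sphinx). It assumes the Sphinx layout of searchindex.js, a `Search.setIndex({...})` wrapper around a JSON object whose `docnames`, `filenames` and `titles` arrays are parallel and whose `terms` / `titleterms` values are document indices; the two sample builds are constructed to show the same content emitted in two worker orders.

```python
"""Canonicalise a Sphinx searchindex.js so that two parallel builds of the
same sources produce byte-identical output, and hence the same hash.
Assumed layout: Search.setIndex({...}) wrapping JSON with parallel
docnames/filenames/titles arrays and terms/titleterms -> doc index(es)."""
import hashlib
import json
import re

PARALLEL = ("docnames", "filenames", "titles")   # arrays indexed by doc id
INDEXED = ("terms", "titleterms")                # values reference doc ids
WRAPPER = re.compile(r"^\s*Search\.setIndex\((.*)\)\s*;?\s*$", re.S)


def normalize_search_index(text: str) -> str:
    """Return a canonical serialisation of one searchindex.js file."""
    m = WRAPPER.match(text)
    if m is None:
        raise ValueError("not a Search.setIndex(...) file")
    idx = json.loads(m.group(1))
    # Parallel workers finish in arbitrary order, so document ids differ
    # between builds.  Sort by docname and record old id -> new id.
    order = sorted(range(len(idx["docnames"])), key=lambda i: idx["docnames"][i])
    remap = {old: new for new, old in enumerate(order)}
    for key in PARALLEL:
        if key in idx:
            idx[key] = [idx[key][i] for i in order]
    # Rewrite every doc id reference; other id-bearing keys of newer Sphinx
    # versions (e.g. alltitles, objects) would need the same treatment.
    for key in INDEXED:
        for term, refs in idx.get(key, {}).items():
            if isinstance(refs, list):
                idx[key][term] = sorted(remap[r] for r in refs)
            else:
                idx[key][term] = remap[refs]
    # sort_keys and fixed separators remove the remaining ordering noise.
    body = json.dumps(idx, sort_keys=True, separators=(",", ":"))
    return f"Search.setIndex({body})"


def index_digest(text: str) -> str:
    """SHA-256 of the canonical form: the value a reproducibility check compares."""
    return hashlib.sha256(normalize_search_index(text).encode()).hexdigest()


# Constructed samples: identical content, two different worker orderings.
BUILD_A = 'Search.setIndex({"docnames":["index","prog_guide/overview"],"filenames":["index.rst","prog_guide/overview.rst"],"titles":["DPDK","Overview"],"terms":{"dpdk":[0,1],"build":1}})'
BUILD_B = 'Search.setIndex({"titles":["Overview","DPDK"],"docnames":["prog_guide/overview","index"],"filenames":["prog_guide/overview.rst","index.rst"],"terms":{"build":0,"dpdk":[1,0]}})'

if __name__ == "__main__":
    print(index_digest(BUILD_A) == index_digest(BUILD_B))  # True
```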