Jookia <166...@gmail.com> wrote:

> On Sat, Feb 27, 2016 at 12:19:04AM +0100, Ludovic Courtès wrote:
>> I prefer to change those binaries as rarely as possible.  Intuitively
>> (and unscientifically), it gives more confidence to keep using the same
>> old binaries wrt. Ken Thompson attacks.
>
> I'm not sure about that, if we could establish the binaries could be
> reproducibly built using the current bootstrap binaries it sounds like it
> could be fine. Having reproducible bootstrap binaries seems like something
> incredibly useful especially for packagers that for whatever reason want to
> verify that the binaries can be built with Guix before signing them.

We would have to update them every time we change GCC, Guile, Coreutils,
etc. or one of their dependencies, which sounds impractical or even
infeasible to me.

Ludo’.
