reproducible builds #2057
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#2057
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
It would be good to have the official packages of Tahoe and all of its dependencies built using Gitian.
From http://gitian.org/:
XXX This description may be obsolete as this ticket evolves -- please read the comments and maybe we'll update this description if we converge on an idea of what the issue is.
Sounds good to me!
This LWN article contains some worthwhile links on the subject.
I love the idea of reproducible builds! It allows everyone to help everyone else in identifying bugs, backdoors, etc. With reproducible builds, the work that individuals, organizations, or companies put into verifying the software they use benefits all other users of that software.
Now, Tahoe-LAFS itself doesn't contain any native (C/C++) code that needs to be compiled. Do we even need to do anything to make this "deterministic build" idea happen? Or is it somebody else's problem?
Who downloads and installs Tahoe-LAFS, and how do they do that, and how can the make sure that they're getting the same thing that other users of Tahoe-LAFS get?
Well, here's an example, Debian:
http://packages.debian.org/search?keywords=tahoe+lafs&searchon=names&suite=all§ion=all
How can a Debian user test whether http://ftp.us.debian.org/debian/pool/main/t/tahoe-lafs/tahoe-lafs_1.9.2-1_all.deb matches the same "tahoe-lafs_1.9.2-1_all.deb" that would be built by someone else from the same source?
Here is Debian's wiki page on reproducible builds:
https://wiki.debian.org/ReproducibleBuilds
By the way, Tahoe-LAFS's dependencies could contain bugs, backdoors, surprising enhancements or regressions, etc. To help everyone think clearly about this, let's move all discussion of dependencies (including [*trac/zfec zfec] and [*trac/pycryptopp pycryptopp], of which we are also the maintainers) to separate tickets specific to the dependencies.
So, what's the next step on this? Maybe we could ask the Debian Reproducible Build team to make Tahoe-LAFS be a test case for their new process, and we could collaborate with them?
Are there other packagers who are trying to solve this problem with whom we could collaborate?
P.S. The original description and title said it would be good to have the official packages of Tahoe-LAFS and all of its dependencies built using gitian, but I have a few problems with that. First, there aren't official packages of Tahoe-LAFS. Second, I don't understand why gitian is either necessary or sufficient for the goal of reproducible build, and I don't like what little I understand of its approach, which is virtual-machine-based.
deterministic builds using gitianto reproducible buildsReplying to zooko:
+1