| 17 May 2023 |
@rnhmjoj:maxwell.ydns.eu | * but when NixOS briefly became 100% reproducible some time ago, was the kernel included? | 15:18:37 |
raitobezarius | necessarily I believe | 15:19:04 |
@rnhmjoj:maxwell.ydns.eu | so, the kernel devs messed up? | 15:20:51 |
raboof | In reply to @rnhmjoj:maxwell.ydns.eu but when NixOS briefly became 100% reproducible some time ago, was the kernel included? yes, the kernel has been reproducible for a while (I think since https://github.com/NixOS/nixpkgs/pull/107625), the nondeterminism introduced by BTF was a recent thing | 15:22:24 |
delroth | "recent" | 15:22:55 |
raitobezarius | enabled recently | 15:23:27 |
raboof | In reply to @rnhmjoj:maxwell.ydns.eu so, the kernel devs messed up? I guess so - I'm not sure they aim for 'reproducible by default', though 'possibly reproducible' does seem to be a goal (https://docs.kernel.org/kbuild/reproducible-builds.html) | 15:24:55 |
delroth | and https://docs.kernel.org/kbuild/reproducible-builds.html#absolute-filenames does imply it's a bug on their side, since they don't forward these flags when building the VDSO ELF | 15:31:31 |
delroth | from the build log on my system: "'/build/tmp.x93KqkyjEg/.config' -> '/nix/store/cviv21h0qwd1pd0a7mhin7hadhwk4r9x-linux-config-6.1.28'" so yeah, was unsandboxed... | 15:41:44 |
delroth | oh actually maybe not, I don't know where that temp path comes from, might be in the derivation | 15:43:23 |
delroth | "export buildRoot=$(mktemp -d)" in manual-config.nix -- if somehow the buildRoot leaks into the VDSO ELF (and not just the sourceRoot, which would be expected) then that would be a randomized path anyway even when sandboxed | 15:45:41 |
delroth | and that would explain why I'm not seeing that build-id difference when diffing guix's NARs, they might not have that randomized out-of-tree build output path in their derivations | 15:46:49 |
delroth | (I expect that sourceRoot is fixed for them as it is for Nix, but not completely sure of that) | 15:47:16 |
delroth | https://github.com/NixOS/nixpkgs/commit/d75cff2ee3bb6d91c818d43d1ba7603bb6dacd59 | 16:09:14 |
delroth | I'll send a PR to make it a fixed path, in the meantime I also remembered that my sandbox troubles only impacted uid mapping not chrooting, so I'm now fairly convinced that it's a regression from that commit adding randomness | 16:10:53 |
delroth | If someone wants to test and/or snipe this feel free, won't be available for the next 6h | 16:11:23 |
| 19 May 2023 |
| @jackleightcap:matrix.org joined the room. | 18:40:13 |
| 20 May 2023 |
delroth | iso minimal (runtime) run on latest staging: https://delroth.net/report-iso_minimal/ | 03:18:24 |
delroth | linux is finally fixed, down to just python | 03:18:31 |
baloo | what's about the unchecked paths? | 05:10:18 |
baloo | about python: https://github.com/python/cpython/issues/92132 | 05:12:20 |
delroth | I'm not sure why that systemd path is marked as unchecked but I don't think I've seen any repro issues in the past with it, so probably just a random issue with my build | 05:33:56 |
delroth | and yeah, I'm doing a build now with python 3.11 as default to confirm | 05:34:18 |
delroth | only slightly related but I wonder if we really need Python in the minimal ISO... it's used by a few ZFS user scripts that are probably seldom used and definitely not needed for mounting/recovery (e.g. arc_summary), it's used by smb2-quota (similar story), and the rest seems to all be derivations that have Python bindings in their main output when it could be a separate output | 05:56:45 |
delroth | minimal ISO built with Python 3.11: "521 out of 521 (100.00%) paths in the nixos.iso_minimal.x86_64-linux build closure are reproducible! 0 paths remained unchecked" | 07:15:46 |
| raphi joined the room. | 09:29:35 |
@rnhmjoj:maxwell.ydns.eu | In reply to @delroth:delroth.net only slightly related but I wonder if we really need Python in the minimal ISO... it's used by a few ZFS user scripts that are probably seldom used and definitely not needed for mounting/recovery (e.g. arc_summary), it's used by smb2-quota (similar story), and the rest seems to all be derivations that have Python bindings in their main output when it could be a separate output python is needed for the systemd-boot install script, so you're probably going to fetch it anyway | 10:23:33 |
@rnhmjoj:maxwell.ydns.eu | * python is needed for the systemd-boot install script, so you're probably going to fetch it anyway | 16:53:59 |
raitobezarius | but soon we can remove it | 17:02:11 |
raitobezarius | once we refactor the bootloader installation story | 17:02:29 |