27 May 2025 |
raboof | https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756/11 🎉 | 17:11:25 |
28 May 2025 |
emily | (what's with the stuff about the 20.03 VirtualBox appliance?) | 01:41:08 |
raboof | That's what I used as the starting point - new enough that it has the tools needed to build things, old enough that it's unlikely anything from the bootstrap would make it into the target image. It's somewhat arbitrary. | 01:46:06 |
emily | ah, I see :) | 02:04:44 |
emily | but you don't need to go back more than a few weeks for staging-next to mean no built packages before then would end up in the closure? | 02:05:16 |
emily | (ignoring FODs) | 02:05:19 |
emily | world rebuilds happen a lot more than every half-decade | 02:05:28 |
raboof | emily: starting from an old image reduces the attack surface for supply chain attacks somewhat: an attacker would've had to infect either the 20.03 image or one of a narrower set of more recent packages. but I agree it's somewhat in the 'long tail' of concerns :) | 06:37:26 |
emily | because even though it "adds" the risk of vulnerabilities in 20.03 producing incorrect results, one can presume that such an elaborate backdoor would have infected the bootstrap tarballs since then? fair enough | 11:16:47 |
emily | actually I'm not sure that makes sense – because you're still not rebuilding the bootstrap tarball that's used to build the actual ISO? 🤔 | 11:17:17 |
raboof | right, if the bootstrap tarball is infected we're toast anyway | 11:50:57 |
emily | until minimal bootstrap at least :) | 12:00:27 |
raboof | I could see building an 'evil 25.05 image' that'd insert malware when I'd build the ISO on it. It's much harder to see someone in 2020 building an 'evil 20.03 image' that inserts malware when I build the ISO on it in 2025 | 12:00:30 |
raboof | not theoretically impossible, of course, which is why bootstrappable builds are still also important, but given the choice building on an 'old' image seems slightly safer than building on a recent image. | 12:02:51 |
29 May 2025 |
30 May 2025 |
fricklerhandwerk | Minimal bootstrap is one cross-compilation of gcc-i686 -> gcc-x86_64 away | 08:05:37 |
fricklerhandwerk | Anyone up to the task? | 08:05:46 |
7 Jun 2025 |
9 Jun 2025 |
raboof | Is there an issue to read up on that somewhere? (not that I have time to start digging into that, but good to have the reference) | 10:00:38 |
raboof | might make sense to explicitly make bootstrappable builds on-topic here as well, https://github.com/NixOS/reproducible.nixos.org/pull/8 | 10:01:30 |
Grimmauld (any/all) | Btw currently taking a look at the lambda ordering issue in https://github.com/NixOS/nixpkgs/issues/230290, trying to repro and diff the generated c code instead of diffing the binary, in a minimal repro. | 10:09:43 |
Grimmauld (any/all) | no guarantees, but I have time and this looks like "fun" | 10:10:31 |
raboof | oh cool | 10:15:02 |
raboof | that's the most long-standing issue for the graphical installer (https://github.com/orgs/NixOS/projects/30) and indeed looks like an interesting rabbithole :) | 10:16:00 |
Grimmauld (any/all) | I just tested the naive way:
// Minimal Vala repro: ten lambdas of the same delegate type in one function,
// to check whether valac emits the generated C functions in a stable order.
delegate void SumLambdaType (int a);

void main () {
    SumLambdaType sum0 = (a) => { print ("%d\n", a + 0); };
    SumLambdaType sum1 = (a) => { print ("%d\n", a + 1); };
    SumLambdaType sum2 = (a) => { print ("%d\n", a + 2); };
    SumLambdaType sum3 = (a) => { print ("%d\n", a + 3); };
    SumLambdaType sum4 = (a) => { print ("%d\n", a + 4); };
    SumLambdaType sum5 = (a) => { print ("%d\n", a + 5); };
    SumLambdaType sum6 = (a) => { print ("%d\n", a + 6); };
    SumLambdaType sum7 = (a) => { print ("%d\n", a + 7); };
    SumLambdaType sum8 = (a) => { print ("%d\n", a + 8); };
    SumLambdaType sum9 = (a) => { print ("%d\n", a + 9); };

    // Invoke each lambda so none of them is optimised away.
    sum0 (42);
    sum1 (42);
    sum2 (42);
    sum3 (42);
    sum4 (42);
    sum5 (42);
    sum6 (42);
    sum7 (42);
    sum8 (42);
    sum9 (42);
}
Sadly that is still fully deterministic... It might be because of multiple files? Not sure yet.
| 10:36:13 |
Grimmauld (any/all) | it might also be because it's inline, so the names are not clear and thus the sorting is unreliable? Not sure yet. | 10:40:45 |