| 6 Jun 2022 |
 @grahamc:nixos.org | at any rate, it is absolutely updated and many people will be seeing the updated one, but some will be seeing the old cached version stuck in some cloudfront nodes | 14:30:25 |
 tomberek | grahamc (he/him): ideal would be to have a few of us doing builds (different machines, archs, file-systems, kernels, etc), registering them, and presenting them in a unified way to catch more diffs | 14:35:07 |
| @grahamc:nixos.org | yeah | 14:35:58 |
| @grahamc:nixos.org | I'd specced that out as part of the design a while back but never got to it: https://github.com/grahamc/r13y.com/blob/master/src/messages.rs | 14:36:30 |
| @grahamc:nixos.org | another option would be leaning in to trustix and making a frontend on top of that | 14:36:59 |
|  kraem changed their profile picture. | 14:43:09 |
 davidak | grahamc (he/him): there is an unfinished dashboard in trustix
https://github.com/tweag/trustix/issues/47 | 14:46:06 |
| @grahamc:nixos.org | nice | 14:46:14 |
| @grahamc:nixos.org | really cool | 14:46:16 |
| davidak | here is a screenshot https://github.com/tweag/trustix/issues/42#issuecomment-1120505705 | 14:47:24 |
 j-k | I'd love if we lean into trustix, it's exactly what I want for a bunch of projects but needs a bit more polish here and there.
is that unfinished dashboard from #42 merged into trustix yet or no? | 15:23:52 |
| davidak | j-k: it's part of the project https://github.com/tweag/trustix/tree/master/packages/trustix-nix-reprod | 20:19:14 |
| davidak | adisbladis said in https://matrix.to/#/#trustix:trustix.dev that they want to work on the project again "soon". i see forward to that. would be great to get it in a usable state | 20:21:14 |
| 7 Jun 2022 |
 Sandro 🐧 | What does that even do? The readme is not really helpful on that | 07:47:44 |
| j-k | it sets up reporting across machines to track if something is reproducible. If you have a program that should be reproducible and you build it across X machines and one reports differently that might be something to look into | 07:56:11 |
| j-k | either you have a new reproducibility issue to resolve, or you could have had someone tamper with the build | 07:57:02 |
 @rnhmjoj:maxwell.ydns.eu | In reply to @j-k:matrix.org
it sets up reporting across machines to track if something is reproducible. If you have a program that should be reproducible and you build it across X machines and one reports differently that might be something to look into interesting: it sounds like an idea for a blockchain o BOINC project (i'm only half joking) | 09:00:35 |
 toonn | rnhmjoj: This blog post touches on why they don't consider a blockchain suitable for this, https://www.tweag.io/blog/2022-02-03-trustix-voting/#blockchains | 09:25:10 |
| j-k | sigstore has gone with an append only db and to get some of the ledger benefits it's intended for many people to take copies. so it's not as robust for sure but more light weight | 09:25:51 |
| j-k | https://github.com/sigstore/rekor/ | 09:26:14 |
| toonn | How are conflicts resolved? | 09:29:16 |
| toonn | Majority vote? | 09:29:26 |
| j-k | its a central db with copies, or do you mean trustix? | 09:29:49 |
| toonn | No, Sigstore. How are discrepancies across copies resolved? | 09:30:23 |
| toonn | Doesn't it run into the voting is basically free problem? | 09:30:40 |
 raboof | In reply to @toonn:matrix.org
rnhmjoj: This blog post touches on why they don't consider a blockchain suitable for this, https://www.tweag.io/blog/2022-02-03-trustix-voting/#blockchains also see https://www.tweag.io/blog/2022-01-14-trustix-trees/ - some people would, loosely speaking, call this Certificate Transparency-like approach a 'blockchain' as well (especially when looking for funding 😄), but it's a lot more reasonable for this use case | 09:31:58 |
| j-k | In reply to @toonn:matrix.org
No, Sigstore. How are discrepancies across copies resolved? IDK if they've done much on discrepancies across copies. I think it's a "when it happens we'll discuss it" type thing 🙃 | 10:05:38 |
| toonn | : s I've only seen the "leave the hard problems for later" approach work once and that was with Matrix e2ee. | 10:39:23 |
| raboof | in the reproducible builds context I'd say discrepancies across copies fundamentally need human intervention in any case, to judge whether it is accidental (and the indeterminism needs to be fixed) or a breach (in which case trust should be revoked from whoever was breached, until they fix things) | 10:44:24 |
| toonn | That's fair. | 10:45:27 |
