!LemuOOvbWqRXodtSsw:nixos.org

NixOS Reproducible Builds

545 Members
Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30
123 Servers



Sender: Message [Time]
18 Aug 2021
@baloo_:matrix.org (baloo): An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:iam::223448837225:user/vault-token-r13y-publish-1629245456-7999 is not authorized to perform: cloudfront:CreateInvalidation on resource: arn:aws:cloudfront::223448837225:distribution/E2JKFLGW8FADQD [03:58:14]
@baloo_:matrix.org (baloo): oh [03:58:15]
@baloo_:matrix.org (baloo): https://buildkite.com/grahamc/r13y-dot-com/builds/855#54ff268f-62e5-4ec6-9f80-e8273655eeae/51-60 [03:58:38]
@siraben:matrix.org: siraben changed their display name from siraben to siraben (he/him). [19:36:31]
19 Aug 2021
@timdeh:matrix.org (nrdxp):

I was trying to get a better understanding of how nix manages the time for reproducible behavior, and it seems to me that time passes normally in a derivation sandbox and is then timestamped to the unix epoch after the build completes.

However, I was wondering if there might be a mechanism to freeze the time during a build and I came across datefudge, which takes a static flag -s which freezes the time to whatever you set, for example:

❯ n run datefudge -- -s "$(date)" ./foo.sh
Thu Aug 19 10:36:43 AM MDT 2021
Thu Aug 19 10:36:43 AM MDT 2021

where foo.sh is:

#!/usr/bin/env bash
date
sleep 10
date
[16:49:22]
@timdeh:matrix.org (nrdxp): Would this add any meaningful improvement to reproducible behavior? Seems like it should be simple enough to replicate this behavior if we wanted. [16:50:14]
@timdeh:matrix.org (nrdxp): * Would this add any meaningful improvement to reproducible behavior? Seems like it should be simple enough to replicate if we wanted. [16:52:20]
@timdeh:matrix.org (nrdxp): * Would this add any meaningful improvement to reproducible behavior (seems like it would, naively)? It should be simple enough to replicate if we wanted. [16:54:38]
@andi:kack.it (andi-): It would but it shouldn't. Packages should have a build system that doesn't care about specific times. There is already a somewhat standard env var to signal the time that should be used in e.g. binaries to display build time. [16:59:14]
@andi:kack.it (andi-): If we start changing the sandbox it is a quick win and it is nice to find impurities but really the builds need to be fixed. [16:59:45]
@timdeh:matrix.org (nrdxp): Maybe we could use datefudge to help find impure builds then at least [17:02:02]
@b:chreekat.net (chreekat): Y not both 🙂 [17:02:11]
@timdeh:matrix.org (nrdxp): I agree with you andi-, but I also feel like trying to change the world is always an uphill and losing battle. So if upstream builders won't do anything maybe we should take the initiative? [17:06:53]
@andi:kack.it (andi-): Have we ever actually had an upstream that rejected non-nix specific reproducibility patches? [17:14:18]
@andi:kack.it (andi-): Given that Debian is leading this I don't see much of a battle [17:14:33]
@b:chreekat.net (chreekat): I mean, there are approximately 20 hojillion software packages present and future that are yet to be made reproducible [17:18:14]
@andi:kack.it (andi-): Isn't it mostly about the build system anyway? [17:29:47]
@timdeh:matrix.org (nrdxp): It's great to submit patches upstream, I certainly wouldn't argue against that. I just think it'd be nice behavior to have by default, since there will always be some build system somewhere that doesn't act the way we'd like. And even if we patched them all someday. Then a new one would come out shortly after and break everything again 😅 [17:42:49]
@timdeh:matrix.org (nrdxp): * It's great to submit patches upstream, I certainly wouldn't argue against that. I just think it'd be nice behavior to have by default, since there will always be some build system somewhere that doesn't act the way we'd like. And even if we patched them all someday, Then a new one would come out shortly after and break everything again 😅 [17:43:10]
@timdeh:matrix.org (nrdxp): * It's great to submit patches upstream, I certainly wouldn't argue against that. I just think it'd be nice behavior to have by default, since there will always be some build system somewhere that doesn't act the way we'd like. And even if we patched them all someday, then a new one would come out shortly after and break everything again 😅 [17:43:21]
@timdeh:matrix.org (nrdxp): If I find some time, maybe I'll try to replicate the behavior in a small PR and see how it works [17:44:22]
@timdeh:matrix.org (nrdxp): For the time being, we could probably automatically run datefudge -s against known non-reproducible derivations and see if it fixes any of them. Do we have a reproducible test suite? [17:54:18]
@tomberek:matrix.org (tomberek): nrdxp: you can run ./check.sh from https://github.com/grahamc/r13y.com#how-can-i-run-this [18:31:42]
@tomberek:matrix.org (tomberek): point it to a custom Nixpkgs with datefudge somewhere in mkDerivation and you can get a rough estimate of what is "fixed" by it [18:32:31]
@baloo_:matrix.org (baloo):
In reply to @andi:kack.it
Isn't it mostly about the build system anyway?
most of them, or mis-use of build system, for which contributions are always welcomed in my experience.
[18:33:15]
@timdeh:matrix.org (nrdxp): well there is also just nix build --rebuild flag, I just didn't know if we were already doing this en masse somewhere [18:33:31]
@baloo_:matrix.org (baloo): the r13y builders kind of do that. [18:33:57]
@baloo_:matrix.org (baloo): they list the references of the iso_minimal recursively, and rebuild each derivation and compare with what's made available on the mirrors/cache [18:34:45]
@baloo_:matrix.org (baloo): https://github.com/grahamc/r13y.com/blob/master/src/eval/mod.rs [18:35:39]
@baloo_:matrix.org (baloo): * they list the requisites of the iso_minimal recursively, and rebuild each derivation and compare with what's made available on the mirrors/cache [18:36:05]



Room Version: 6