NixOS Reproducible Builds - Public Room Timeline - Matrix Static

	NixOS Reproducible Builds	458 Members
	Report: https://reproducible.nixos.org Project progress: https://github.com/orgs/NixOS/projects/30	96 Servers

You have reached the beginning of time (for this room).

Sender	Message	Time
14 Mar 2024
	@federicodschonborn:matrix.org left the room.	02:03:34
	@lotte:chir.rs changed their display name from Charlotte 🦝 (it/rac/racs/racself/🦝/plush) to Charlotte 🦝 (it/its).	10:58:48
	NixOS Moderation Botchanged room power levels.	18:44:40
	Lillian (GLaDTheresCake She/Her) joined the room.	22:56:57
15 Mar 2024
	Dave Lester joined the room.	23:34:23
	@grahamc:nixos.org joined the room.	23:59:32
16 Mar 2024
	mj joined the room.	14:00:22
Toma	I have previously done some work on making java builds reproducible (I posted some of it in this channel) and I tried my hand at it again. I'm looking for some feedback about the following: Should java `.jar` archives be made deterministic using existing methods inside the build tools, which differ tool-by-tool? or Should there be one generic setup-hook, which rewrites the archives timestamps after it was built? I have done some progress on both ways (former, latter), but I don't know which should be the one I continue working on. The latter solution seems a bit cheat-y for me, as almost all build systems for Java have a way for reproducibility, however this method doesn't use any of those ways, but works on all build systems. One of my concerns about this is that rewriting files inside an archive is not too transparent, so we'd need to make sure no malicious code gets included in the tool. The former solution has its own merits, however it requires more work to implement.	23:10:13
Toma	* I have previously done some work on making java builds reproducible (I posted some of it in this channel) and I tried my hand at it again. I'm looking for some feedback about the following: Should java `.jar` archives be made deterministic using existing methods inside the build tools, which differ tool-by-tool? or Should there be one generic setup-hook, which rewrites the `.jar` archives' timestamps after it was built? I have done some progress on both ways (former, latter), but I don't know which should be the one I continue working on. The latter solution seems a bit cheat-y for me, as almost all build systems for Java have a way for reproducibility, however this method doesn't use any of those ways, but works on all build systems. One of my concerns about this is that rewriting files inside an archive is not too transparent, so we'd need to make sure no malicious code gets included in the tool. The former solution has its own merits, however it requires more work to implement.	23:10:44
rnhmjoj	Isn't a fixupPhase like this enough? `find "$out" -name '*.jar' \| xargs strip-nondeterminism` I only ever packaged a single java application, but this worked all right in my case	23:18:57
rnhmjoj	I don't think it's hack	23:19:46
Atemu	Toma: I'd honestly say both.	23:21:14
Atemu	Though I'd start with the "hack"	23:21:22

Show newer messages

Back to Room ListRoom Version: 6