Head is spinning: now we setup our reproducible builder as a job of itself, just updated (API change in a used library), and the reproducible builder built itself, and the output thereof is exactly the same as one further build step.
Wanting to ask: how reproducible are your reproducible build setups? Do you have written down what the dependencies / a bootstrap thereof looks like (and which packages are involved)? Asking for a friend of a reproducible builder ;)
@pukkamustard "leading the way" surely, though they have various different gcc versions in there... imho that's rather big. for me it is a tradeoff: minimize binary seed AND minimize source code.
or, do you believe that anyone audits the source of 5 different gcc versions? ;)
@hannesm yeah! Completely agree that amount of source code needs to be minimized.
But I think we should count source code size including the entire dependency graph.
For OCaml this means counting the source code of the OCaml compiler and also the C compiler that was required to build the OCaml compiler.
I guess Guix includes 5 different GCC versions because it takes a couple of GCC versions to bootstrap itself and there are packages in Guix that require different GCC versions.
@hannesm I also think that taking the compiler as given is reasonable most of the times.
I recently learnt that the Ada compiler (GNAT) is not bootstrappable. If you want to rebuild your Ada compiler you will eventually have to use a binary blob of an older Ada version that is lying on some dusty FTP server.
This seems to be ok for Ada people who are apparently building highly-reliable, safety-critical software.
Still, interesting to think about the odd-case: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!