GNU bug report logs -
#37466
[PATCH 0/4] Add heads.
Previous Next
Full log
View this message in rfc822 format
Le 20 septembre 2019 15:49:54 GMT+02:00, Danny Milosavljevic <dannym <at> scratchpost.org> a écrit :
>Hi Björn,
>
>On Fri, 20 Sep 2019 14:05:29 +0200
>Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> wrote:
>
>> That's the non-free kernel, right?
>
>Right.
>
>> Besides that neither DNS nor Google knows that host.
>
>Hmm, you're right, but it worked for me. Doesn't work now.
>Using "www" is probably better anyhow (and works).
>
>> In general, this long list of source-files looks a bit strange: I
>think
>> all/most of these packages are already a Guix package, where
>> the source code is (more or less) verified to be FSDG-compatible,
>> possibly with a snipped. Now this package is just getting a huge list
>of
>> unreviewed source tarballs in. Hm.
>>
>> Could we at least somehow reference the source package from Guix?
>
>Well, heads provides an initrd and they want reproducible builds for it
>for
>security purposes--that's the main reason they build a "cross" compiler
>too:
>To have the compiler produce verifiable executables.
>
>So basically if we change the version or anything, the hashes won't
>match
>any more and any person going along their installation guide should
>abort the installation--because heads has presumably been tampered
>with.
>
>Not sure what to do about it.
>
>Maybe at least linux-libre produces bitwise identical outputs to Linux
>for what they care about. I'll try it.
Not sure about heads, but some build systems specify the exact version of their dependencies, but we don't package all of them in guix. In that case, the guix build-system overwrites the declared hash with the actual hash of the package that is used instead. Can't you do something similar?
This bug report was last modified 5 years and 12 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.