[liberationtech] Deterministic Builds Part One: Cyberwar and Global Compromise
phreedom at yandex.ru
Fri Aug 23 03:58:10 PDT 2013
> > [1] http://nixos.org/nixos/
>
> A very interesting project! Does the following:
> > Packages are never overwritten after they have been built; instead, if you
> > change the build description of a package (its ‘Nix expression’), it’s
> > rebuilt and installed in a different path in /nix/store so it doesn’t
> > interfere with the old version.
> mean that upgrading a library due to e.g. security fixes requires
> recompiling all packages that depend on it?
There's no way to know to what extent a change in the package source code
and/or its build script is going to affect the dependencies. Thus, the strong
guarantees provided by Nix* currently require a rebuild. In case of a simple
security fix, the rebuild is a formal check that the change is indeed trivial.
This doesn't cause too much trouble in real life, though, but if builds are
generally deterministic, caching could be used to make trivial rebuilds very
fast. This is the #2 motivation for me to pursue deterministic builds.
I believe it is possible to make verification/trivial rebuilds fast enough to
not put us at a disadvantage compared to the distros which rely on maintainers to
decide what to rebuild and when, while still providing formal guarantees.
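The mechanism discussed above, as an added illustration that is not code from this post nor from Nix itself: a toy input-addressed store in which a package's store path is the hash of its source, its build script and its dependencies' hashes, so any edit to a library moves every dependent to a new path and schedules a rebuild. A second, content-addressed cache keyed on the dependencies' actual outputs shows how deterministic builds let the store skip the rebuilds that turn out to be trivial, and why a non-deterministic build (here modelled by baking a build counter into the output, like a timestamp) defeats that cache. The package names, sources and the comment-stripping "compiler" are constructed for the example.

```python
"""Toy model of a Nix-style input-addressed store (illustration only, not Nix's
own code).  Store paths are keyed by the hash of all inputs, so a change to a
library moves every dependent to a new path and forces a rebuild.  With
deterministic builds, an output-addressed cache can serve the rebuilds whose
inputs have the same *content* as before without running them."""
import hashlib
from dataclasses import dataclass, field


def digest(*parts: str) -> str:
    """Short hex digest over the parts; stands in for Nix's store hash."""
    return hashlib.sha256("\0".join(parts).encode()).hexdigest()[:12]


@dataclass
class Package:
    name: str
    source: str                  # stand-in for the source tarball
    script: str                  # stand-in for the build script / Nix expression
    deps: list = field(default_factory=list)


def run_build(pkg: Package, dep_outputs: tuple, nonce) -> str:
    """Simulated compiler.  The output depends on the source, the *effective*
    script (comments and blank lines ignored) and the dependencies' outputs.
    A non-None nonce models a non-deterministic build that bakes in a timestamp."""
    lines = [ln.strip() for ln in pkg.script.splitlines()]
    effective = [ln for ln in lines if ln and not ln.startswith("#")]
    parts = [pkg.name, pkg.source, "\n".join(effective), *dep_outputs]
    if nonce is not None:
        parts.append(nonce)
    return digest(*parts)


@dataclass
class Store:
    deterministic: bool = True
    paths: dict = field(default_factory=dict)   # drv hash -> output; never overwritten
    cache: dict = field(default_factory=dict)   # (name, source, script, dep outputs) -> output
    builds: list = field(default_factory=list)  # packages actually built, in order

    def drv_hash(self, pkgs: dict, name: str) -> str:
        """Input hash: own inputs plus the drv hashes of all dependencies."""
        p = pkgs[name]
        return digest(p.name, p.source, p.script,
                      *(self.drv_hash(pkgs, d) for d in p.deps))

    def store_path(self, pkgs: dict, name: str) -> str:
        return f"/nix/store/{self.drv_hash(pkgs, name)}-{name}"

    def build(self, pkgs: dict, name: str) -> str:
        p = pkgs[name]
        dh = self.drv_hash(pkgs, name)
        if dh in self.paths:                        # already built under these inputs
            return self.paths[dh]
        dep_outputs = tuple(self.build(pkgs, d) for d in p.deps)
        key = (p.name, p.source, p.script, dep_outputs)
        if self.deterministic and key in self.cache:
            # Same inputs by content: the output is already known, skip the build.
            self.paths[dh] = self.cache[key]
            return self.paths[dh]
        self.builds.append(name)
        nonce = None if self.deterministic else str(len(self.builds))
        out = run_build(p, dep_outputs, nonce)
        self.paths[dh] = out                        # new path; old one is kept
        if self.deterministic:
            self.cache[key] = out
        return out


def scenario(deterministic: bool) -> dict:
    """Build git -> curl -> libssl (constructed sample), then apply two changes to
    libssl and count how many packages actually get rebuilt each time."""
    pkgs = {
        "libssl": Package("libssl", "libssl-v1.tar.gz", "./config\nmake\n"),
        "curl": Package("curl", "curl-v1.tar.gz", "./configure --with-ssl\nmake\n", ["libssl"]),
        "git": Package("git", "git-v1.tar.gz", "make\n", ["curl"]),
    }
    store = Store(deterministic=deterministic)
    store.build(pkgs, "git")
    initial = len(store.builds)
    # 1. Cosmetic edit to the library's build description: new drv hash, same output.
    pkgs["libssl"].script += "# reformatted, no effect on the build\n"
    before = len(store.builds)
    store.build(pkgs, "git")
    cosmetic = len(store.builds) - before
    # 2. Source change (e.g. a security fix): the library's output really changes.
    pkgs["libssl"].source = "libssl-v1-fix.tar.gz"
    before = len(store.builds)
    store.build(pkgs, "git")
    fix = len(store.builds) - before
    return {"initial": initial, "cosmetic": cosmetic, "fix": fix,
            "store_paths": len(store.paths)}


if __name__ == "__main__":
    for det in (True, False):
        print("deterministic" if det else "non-deterministic", scenario(det))
```

In the deterministic run the cosmetic edit rebuilds only libssl; its output comes out identical, so curl and git are served from the cache even though all three got new store paths. The source change rebuilds all three, which is exactly the formal check the post describes. In the non-deterministic run every change rebuilds all three, because no two outputs ever match.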