You are not logged in.
I'd like to monitor the procedure of testing as much as possible.
Last edited by jronald (2024-04-08 04:59:33)
Offline
No
Online
So is the procedure like this?
1. someone build installers(.zst) locally
2. updateload them to the official repo for public use
If it is true, how to make sure that the binaries are safe?
Last edited by jronald (2024-04-07 03:36:23)
Offline
If it is true, how to make sure that the binaries are safe?
You could participate in the testing
Offline
You could participate in the testing
How does participation in testing make sure that it is safe?
Is there a chance to modify the code after testing and before building the final package?
Offline
Online
Reproducibility is useful, but it's not practical for an average user to take so much time to reproduce every binary, and that will be like "Linux From Scratch".
If the building procedure is totally open (like github actions), I think it's a good start.
Last edited by jronald (2024-04-07 08:08:28)
Offline
You really don't have to reproduce every binary. You can look at the status page and see which packages are reproducible.
Online
So is the procedure like this?
1. someone build installers(.zst) locally
2. updateload them to the official repo for public useIf it is true, how to make sure that the binaries are safe?
Not quite. Many / most packages go into the [testing] repository for a bit before being moved to the main repo.
But what do you really mean by "safe" in these contexts? You say that testing software cannot prove software is safe, and that's certainly true. But you started this thread only asking about "CI" which does far far less to ensure safety.
You've now stated that you are not interested in testing the built software, you are not interested in building the software, and your goals are not addressed by reproducible builds. Instead of telling us all the things that don't meet your needs, how about you just tell us what your needs are? What do you mean by "safe"? Safe from what? Safe for what?
"Continuous Integration" as it's normally defined is simply nonsensical in the context of packaging software: there are not a bunch of developers writing code for the same final binary. Continuous integration (as normally defined) might apply to some upstream sources, not to packaging. Of course if you define it more broadly just as where the work of many people is assembled for testing before broader release, then yes, we have that - it's called the testing repos (which you've said you're not interested in).
Last edited by Trilby (2024-04-07 13:40:59)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
If you mean CI simply in the form of tests that run during the build, then some packages provide a check()-function that runs tests provided by upstream and aborts packaging if the test fails. There are no public logs about their results and packagers may choose to skip running them.
That doesn't have anything to do with safety either, just that the packaged program is able to perform some specific tasks without error.
So is the procedure like this?
1. someone build installers(.zst) locally
2. updateload them to the official repo for public useIf it is true, how to make sure that the binaries are safe?
If "safe" means the packager did not modify the public source code, then that can be verified using the reproducible builds. The official rebuilder runs on infrastructure provided by arch. If you do not trust that, you'll have to find others or run your own to ensure that the source code was not modified to build the package that is provided in the repository.
Last edited by progandy (2024-04-07 14:00:41)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
@Trilby @progandy
But what do you really mean by "safe" in these contexts?
If "safe" means the packager did not modify the public source code, then that can be verified using the reproducible builds. The official rebuilder runs on infrastructure provided by arch. If you do not trust that, you'll have to find others or run your own to ensure that the source code was not modified to build the package that is provided in the repository.
This is exactly what I mean about "safe". I trust the official rebuilder, does the official packages used by "pacman" are built by the official rebuilder? Or is the official rebuilder only for verification by checking the reproducibility?
Last edited by jronald (2024-04-07 14:55:52)
Offline
I believe official packages can be build on whichever machine the packager wishes. Is there any reason to trust the rebuilder more than the packagers - other than minimizing the number of trusted entities?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
I believe official packages can be build on whichever machine the packager wishes. Is there any reason to trust the rebuilder more than the packagers - other than minimizing the number of trusted entities?
Generally when the rebuider and the input of it are both open, the result should be trustable.
Take github for example, compare the two cases:
1. The releases are generated automatically by "github actions"
2. The releases are built and uploaded by the author
Which one is more trustable? I think the former one is.
Last edited by jronald (2024-04-07 15:47:44)
Offline
Generally when the rebuider and the input of it are both open, the result should be trustable.
The input used by the packager is "open" too. But I'm not sure what you mean by the rebuilder being open. Is there a rebuilder-rebuilder to confirm that the rebuilder is indeed what it is supposed to be? No, you just trust the team that set up the rebuilder server. And that's fine - but why trust that team, and not the packaging team?
I don't really use github. So that comparison is a bit lost on me. But I find it odd given news over the past year or so that you'd use github as an example of a trustworthy source.
Last edited by Trilby (2024-04-07 16:22:43)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
The input used by the packager is "open" too. But I'm not sure what you mean by the rebuilder being open. Is there a rebuilder-rebuilder to confirm that the rebuilder is indeed what it is supposed to be? No, you just trust the team that set up the rebuilder server. And that's fine - but why trust that team, and not the packaging team?
I don't really use github. So that comparison is a bit lost on me. But I find it odd given news over the past year or so that you'd use github as an example of a trustworthy source.
Compare the 2 cases:
1. input -> man -> output
2. input -> builder -> output
Man is dynamic, he himself may change (e.g. good today, bad tomorrow), and he might be replaced by another one oneday.
Comparatively the builder is static.
A static one is possible to be verified, a dynamic one is not.
Last edited by jronald (2024-04-08 04:49:05)
Offline
Fedora has a single builder for their packages. Can you verify it? I don't mean theoretically. In practise, is it possible to verify?
This is the entire point of reproducible builds. Arch does quite well in this regard:
https://reproducible.archlinux.org/
Online
Fedora has a single builder for their packages. Can you verify it? I don't me theoretically. In practise, is it possible to verify?
This is the entire point of reproducible builds. Arch does quite well in this regard:
https://reproducible.archlinux.org/
Reproducibility is the way, thanks.
Offline