
Re: [MirageOS-devel] Reproducible builds

>>> Wondering if there may be anything to do on our end though, as well?
>>> (Particularly perhaps with the various cross compilation things that
>>> rump support probably entails.) e.g., having the generated makefile
>>> snap the hashes of all opam packages used etc into some kind of
>>> manifest perhaps?
>> Functoria generates a manifest of the package versions and names used by the 
>> build (look into Info_gen.ml I think). We could try to extend it to keep 
>> track of some kind of SHAx as well, but the data is not really available in 
>> opam's metadata (we only get the md5 of a tar.gz file, which is not really 
>> ideal)
> Ah right-- sounds like it could be a start though?
> Is there any chance that OPAM might evolve toward this, e.g. by
> supporting SHAx of some sort rather than MD5, or that it would be
> beneficial to just add MD5 of the package tarball downloaded by OPAM,
> or something?

You are lucky, this is coming in opam 1.3, with opam signing [1,2] :-)

[1]: https://github.com/ocaml/opam/wiki/Signing-the-OPAM-repository---draft
[2]: https://github.com/hannesm/conex

MirageOS-devel mailing list


