IRC channel logs
2023-10-14.log
<muurkha>ekaitz, stikonas: congratulations, that's wonderful news
<muurkha>oriansj: I think the VAX had a lot of custom DEC silicon in it
<Mikaku>ekaitz: stikonas: congratulations, amazing milestone!
<luke-jr>FWIW, I finally succeeded in getting Guix going without third-party trusted blobs
<luke-jr>first I modified Guix to use my own seeds, and built static binaries it wanted; then I started over, let it download the blobs it wanted, and replaced them in the store data behind its back
<luke-jr>and once it gets past bootstrapping, I assume the hashes do match
<luke-jr>my next goal is to build the official 1.4.0 iso, so I can just save its hash and be sure it's something I could make myself
<stikonas>but not everything in guix is 100% reproducible
<luke-jr>I did, but in my experience it's rare to get answers
<oriansj>luke-jr: nice; guix really should welcome multiple alternate roots as it will enable greater trust
<stikonas>yeah, ironically guix doesn't really have an easy bootstrapping path
<stikonas>if you don't want to trust a few binaries
<stikonas>which are only used for build orchestration but still
<luke-jr>stikonas: well, the hard part for me is figuring out what the command is
<oriansj>well I don't think guix was ever designed to be easily broken out
<oriansj>well if guix was designed to be easily broken out, you would expect it to be trivial to replace bootstrap binaries and create new build chains
<luke-jr>it is, but the hashes of everything change
<luke-jr>considering the only purpose of guix for me, is to generate matching hashes, it is :)
<oriansj>oh, I build everything from source and don't use substitutes, so the hashes never mattered
<luke-jr>same here, but the hashes are the goal for me
<luke-jr>I want to sign the same binaries everyone else signs
<luke-jr>the actual system/binaries made get thrown away afterward, I just need to verify the hashes
<oriansj>well the hash should only be based on the source code and the binaries used in generation; not the orchestration bits
<oriansj>so the alternate guile binary and the stage0 bits should not result in an alternate hash value
<stikonas>oriansj: but guix hash is based on inputs, not on outputs
<stikonas>so stuff will be installed into different locations
<stikonas>(which might also change output hashes as input locations of dependencies changed)
<oriansj>stikonas: agreed but the guix version shouldn't be included as an input (or any of the orchestration bits)
<oriansj>so you think it is just a name/location issue for luke-jr ?
<luke-jr>I'm not actually sure it IS an issue, I guess
<luke-jr>but I expect it will be if I want to sign Guix's iso for example
<luke-jr>(which would be useful at least to me, if I ever need a trustable root to install from in the future; and also to anyone who trusts me)
<oriansj>luke-jr: well to be honest, once you share your steps; I'll cross verify myself and others can repeat the process to expand the number of parties verifying the guix install media from source to ISO
<luke-jr>oriansj: I shared my steps so far already? :)
<luke-jr>but I suppose I should also share my patch to guix that audits every fixed derivation it downloads...
<luke-jr>(to ensure it doesn't download any blobs)
<oriansj>luke-jr: I can't identify a git repo associated with your work, could you provide a link?