lucabrunox
commented
8 years ago This should be disabled for crypto stuff that run tests I believe.
Open copumpkin opened 8 years ago
lucabrunox
commented
8 years ago This should be disabled for crypto stuff that run tests I believe.
edolstra
commented
8 years ago Heh, nice idea :-)
copumpkin
commented
8 years ago It would be nicer if we could make them behave like a consistent PRNG, such that their state always advances in the same way. But I don't know how to do that :frowning:
lucabrunox
commented
8 years ago @copumpkin the only way I can see is to patch such softwares to avoid seed() during tests. But I wouldn't do that, really.
vcunat
commented
8 years ago The PRNG approach probably wouldn't help in combination with parallel make. As for how, I'd assume root can simply delete those device nodes and place named pipes instead (and spawn generator processes filling them).
stale[bot]
commented
3 years ago I marked this as stale due to inactivity. → More info
domenkozar
commented
3 years ago Not sure we should ever do this, as it's a slippery slope.
That's essentially a backdoor and anyone not knowing that cryptography doesn't work in Nix build could be a victim.
A much better approach is to use binary reproducibility tools to inspect packages that differ in secrets.
stale[bot]
commented
2 years ago I marked this as stale due to inactivity. → More info
The simplest approach would be for the builder sandbox to make
/dev/{,u}randominto fake character devices that actually match/dev/zero. It feels a little iffy, but also not terrible.