Building this package twice does not produce the bit-by-bit identical result each time, making it harder to detect CI breaches. You can read more about this at https://reproducible-builds.org/ .
Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.
Steps To Reproduce
nix-build '<nixpkgs>' -A gegl.dev --check --keep-failed
You can use diffoscope to analyze the differences in the output of the two builds.
To view the build log of the build that produced the artifact in the binary cache:
nix-store --read-log $(nix-instantiate '<nixpkgs>' -A gegl)
Building this package twice does not produce the bit-by-bit identical result each time, making it harder to detect CI breaches. You can read more about this at https://reproducible-builds.org/ .
Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.
Steps To Reproduce
You can use
diffoscope
to analyze the differences in the output of the two builds.To view the build log of the build that produced the artifact in the binary cache:
Additional context
https://reproducible.nixos.org/nixos-iso-gnome-runtime/diff/772365d091bf360014e12d75ccec1356f69d324132a54164d35a6236e3a3efa9-535322532b56cd5259c9a401fdc672857575fe9eb4a8ce8cb7008edf8aeee0c5.html