zcash / zcash-gitian

Deterministic build environment for Zcash
https://z.cash/blog/deterministic-builds.html

Tag version note #83

Closed zancas closed 5 years ago

zancas commented 5 years ago

In this PR add notes about:

  • how to choose a tag to build against, with a preference for the most recent rc tag

garethtdavies commented 5 years ago

> how to choose a tag to build against, with a preference for the most recent rc tag

Curious why target the most recent rc tag and simply not the latest release?

zancas commented 5 years ago

I had thought that deterministic builds should be demonstrated prior to a release (hence while the release is still a candidate).

In retrospect, I don't understand the release process well enough to know this is correct.

If the accepted release candidate is (as I had assumed) the exact code used in the release, and if there aren't so many releases that gitian builders would be overwhelmed, then I think it makes good sense to have multiple attestations of the rc before it becomes the release.

zancas commented 5 years ago

Now that I think about it, and because I don't know how minor bug-fixes or hotfixes are handled, my grep might grab the wrong thing.

Basically, I wanted to "gitian attest" to the latest thing in production, and assumed that others would want to do that as well.

(I'm grateful for feedback/clarification.)
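Added example, not code from the zcash-gitian repository or from anyone in this thread: a POSIX shell sketch of the two selection rules being compared here, "newest rc tag" versus "newest non-candidate tag", plus the tag-signature check a builder would want before pointing gitian at the result. The tag names are constructed, and the vX.Y.Z / -rcN / -N layout is an assumption about tag naming, not a description of how zcash actually tags releases.

```shell
#!/bin/sh
# Added example, not code from zcash-gitian: choose which tag to gitian-build.
# SAMPLE_TAGS is a constructed list; the naming pattern (vX.Y.Z release,
# -rcN candidate, -N hotfix) is an assumption about tag layout, not a
# statement about how zcash actually tags releases.

SAMPLE_TAGS='v2.0.6
v2.0.7-rc1
v2.0.7-rc2
v2.0.7
v2.0.7-1
v2.0.8-rc1'

# What a grep for "rc" selects: the newest candidate, which may never
# become a release at all (here v2.0.8-rc1 has no matching release).
latest_rc_tag() {
    printf '%s\n' "$1" | grep -E -- '-rc[0-9]+$' | sort -V | tail -n 1
}

# What the thread settles on: the newest tag that is not a candidate.
# sort -V (GNU version sort) orders v2.0.7 before its hotfix v2.0.7-1,
# so a hotfix release wins over the base release it patches.
latest_release_tag() {
    printf '%s\n' "$1" | grep -v -E -- '-rc[0-9]+$' | sort -V | tail -n 1
}

# Before building, check the tag's signature. Assumes the current directory
# is a clone of the zcash repository and the release signing key is already
# in the local gpg keyring; otherwise git verify-tag fails and nothing is
# checked out.
checkout_verified_tag() {
    tag="$1"
    git verify-tag "$tag" || return 1
    git checkout --quiet "$tag"
}

printf 'latest rc tag:      %s\n' "$(latest_rc_tag "$SAMPLE_TAGS")"
printf 'latest release tag: %s\n' "$(latest_release_tag "$SAMPLE_TAGS")"
```

Run against a real clone, the same functions take `git tag --list` output instead of the constructed list; `sort -V` is a GNU coreutils option, so a BusyBox or BSD `sort` may order the hotfix suffixes differently. Whatever rule picks the tag, the artifact that other builders compare is still the gitian result signed and pushed to gitian.sigs, so the selection rule only needs to be one that everyone applies the same way.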

charlieok commented 5 years ago

I think you are both right. There is some value in comparing results... a) on any commit (to verify determinism in the build process) and additional value for b) releases (to help build assurance in the integrity of a copy of the release).

(a) is possible to automate, and we want to add that to our CI system. That should make all of this easier in the future. (b) is in some measure about trust, and can never really be solved by us, the publishers, by ourselves. This is what the signatures actually committed and pushed to the gitian.sigs repository are for.

charlieok commented 5 years ago

In the docs in question, I didn't go into how or for what reasons someone might choose a particular commit or tag to build. Maybe it would be helpful to include some of the stuff discussed in this thread to help clarify that. As gareth notes, giving special preference to 'rc' tags doesn't seem like the answer.

zancas commented 5 years ago

> In the docs in question, I didn't go into how or for what reasons someone might choose a particular commit or tag to build. Maybe it would be helpful to include some of the stuff discussed in this thread to help clarify that. As gareth notes, giving special preference to 'rc' tags doesn't seem like the answer.

@garethtdavies has explained why targeting rc tags for attestation is wrong. I will fix that.