Commit 78a0a627 authored by Holger Levsen's avatar Holger Levsen
Browse files

venice 2022: move https://pad.riseup.net/p/rbsummmit2022-taxonomy-keep to here 



Signed-off-by: default avatarHolger Levsen <holger@layer-acht.org>
parent 40cd6399

_events/venice2022/agenda.md

+1 −1
Original line number Diff line number Diff line
@@ -93,7 +93,7 @@ Day 3 - Thursday, November 3rd 
  * The day started with a summary of Day 2 outcomes and a Day 3 Agenda Overview.

* 9.30 Collaborative Working Sessions, break-out discussions continue.

  * Verifying packages at installation discussion (in-toto): FIXME https://pad.riseup.net/p/rbsummmit2022-installation-keep

  * RB Taxonomy FIXME https://pad.riseup.net/p/rbsummmit2022-taxonomy-keep

  * [taxonomy]({{ "/events/venice2022/taxonomy/" | relative_url }})

  * Debian FIXME https://pad.riseup.net/p/rbsummmit2022-debian-keep

  * Firmware FIXME https://pad.riseup.net/p/rbsummmit2022-firmware-keep

* 10.45 Break

_events/venice2022/taxonomy.md

0 → 100644
+50 −0
Original line number Diff line number Diff line 
---

layout: event_detail

title: Collaborative Working Sessions - Taxonomy

event: venice2022

order: 110

permalink: /events/venice2022/taxonomy

---



Reproducible Builds Summit 2022





Aim: Map distros/package managers on to a linear scale about how difficult it is to build things reproducibly



Not attempting to solve any problems, but just describing the space. We also didn't know everything we needed to know to place things accurately, so there might be some errors.







Tool:

 * Warpforge / Golang (modules)

  * Below this point, bytes/hashes of build inputs are not necessarily the same

 * GNU Guix / Nix

  * Below this point, the specific packages/versions used in a build aren't entirely specifyed by the source package alone

 * Debian / Ubuntu / Fedora

  * Below this point, all the inputs aren't necessarily captured by the tool, but there might be some description of "foreign" inputs

 * Cabal / Stack / Opam / Cargo

 * Maven

  * Below this point there isn't a description of "foreign" inputs

 * NPM

 * Rubygems / Pip







We made a few categories about how the above tools differ:

    

 * How source and inputs are referenced

  * Specific bytes/hash

  * Complete description of build process

  * Name/version

  * ...

      

 * How versions are handled

  * Versions are fully specified in the source definition

  * Versions are decided at build time

  * ...

     

 * How "foreign" dependencies are handled?

  * No "foreign" dependencies, a complete description of what is used

  * Some support for specifying "foreign" dependencies

  * No assistance around foreign dependencies