From: Luke Kenneth Casson Leighton Date: Mon, 25 Apr 2022 16:19:02 +0000 (+0100) Subject: add reproducible script X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=7a4483464feb6520920ab04987e535ba11a557ab;p=dev-env-setup.git add reproducible script --- diff --git a/README.mdwn b/README.mdwn index 6c498ce..5265d50 100644 --- a/README.mdwn +++ b/README.mdwn @@ -7,7 +7,10 @@ get started. All packages are installed within a baseline debian/10 debootstrapped schroot. For reproducible builds, you have to pick an OS, and debian/10 -is good enough +is good enough. Note, obviously, that adding security updates would +completely defeat the purpose and object of being "reproducible", so +it is *strongly recommended* that you do **not** make these chrooted +installs internet-facing. Prerequisites: 
@@ -35,6 +38,34 @@ Installs (at recent but usually specific - reproducible - versions): Note: we don't use conda. we don't use docker. +# Why reproducible? + +Imagine that you are about to drop USD 16 million on 7nm mask charges. +Two - or more - engineers run the VLSI build scripts, to create the +Multi-Terabyte GDS-II Files. You have a week before the deadline: it +takes 48 hours to run the VLSI build. You find that, after 48 hours, +a comparison of all the engineer's GDS-II files show differences. + +More than a week's worth of investigation - long after the deadline +has been missed to submit the Masks to the Foundry (which you paid for +up-front and now cannot recover) - you discover that one developer +used Ubuntu and had a PRNG library that created a different Place-and-Route +sequence, another used BSD which had an older library with a bug, and yet +another had installed security updates which changed memory-allocation. + +The "perfect" reproducible build system uses absolutely identical hardware, +installs on bare-metal (no Virtual Machines), does a complete and full +OS wipe and automated install, and, after running, if two *Drives* are +compared, they should be bit-level identical. This is of course a little +extreme (but hey, you're spending USD 16 million on 7nm masks then you're +entitled to a little paranoia) so the closest we can get is: + +* (a) pick an OS +* (b) don't add updates and +* (c) pin as many packages with explicit versions and git tags as possible. + +It works. don't knock it. + # Installation Notes During their development, each install script had notes taken which,
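Review bot: the paragraph added at README.mdwn line 10 (the "do not make these chrooted installs internet-facing" sentence) reads as advice against security updates in general; say explicitly that the freeze applies only to the contents of the debian/10 schroot, and that the host it runs on should keep receiving updates, since a chroot shares the host's kernel and network stack. It would also help to state how the rule is enforced rather than only recommended, e.g. populate the schroot once behind a firewall and then run it without network access, so a later `apt upgrade` inside it cannot silently change pinned packages.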
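Review bot: in the new "Why reproducible?" list, item (c) pins "git tags", but a tag is a movable reference unless it is signed and verified, so two engineers checking out the same tag name on different days can get different trees; suggest pinning the full commit hash (optionally alongside the tag) and having the install scripts verify it. Pinned Debian package versions likewise only reproduce while the mirror still serves those exact versions, so consider pointing apt at a dated archive snapshot and recording the date. Minor wording: "all the engineer's GDS-II files" should be "engineers'", and "It works. don't knock it." needs a capital D.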