Re: [PATCH] doc: ensure sphinx output is reproducible

[Luca Boccassi <bluca@debian.org>]

On Sun, 19 May 2024 at 22:11, Thomas Monjalon <thomas@monjalon.net> wrote:
>
> 19/05/2024 19:23, Luca Boccassi:
> > On Sun, 19 May 2024 at 18:13, Thomas Monjalon <thomas@monjalon.net> wrote:
> > >
> > > 19/05/2024 18:36, Luca Boccassi:
> > > > On Sun, 19 May 2024 at 15:01, Thomas Monjalon <thomas@monjalon.net> wrote:
> > > > > 17/05/2024 13:29, Luca Boccassi:
> > > > > > On Mon, 27 Nov 2023 at 17:04, Bruce Richardson
> > > > > > <bruce.richardson@intel.com> wrote:
> > > > > > >
> > > > > > > On Mon, Nov 27, 2023 at 05:45:52PM +0100, Thomas Monjalon wrote:
> > > > > > > > I would prefer adding an option for reproducible build
> > > > > > > > (which is not a common requirement).
> > > > > > > >
> > > > > > > Taking a slightly different tack, is it possible to sort the searchindex.js
> > > > > > > file post-build, so that even reproducible builds get the benefits of
> > > > > > > parallelism?
> > > > > >
> > > > > > Given the recent attacks with malicious sources being injected in open
> > > > > > source projects, reproducible builds are more important than ever and
> > > > > > should just be the default.
> > > > >
> > > > > Yes it should be the default when packaging.
> > > > > Why should it be the default for normal builds?
> > > >
> > > > Build reproducibility is everyone's responsibility, not just Linux
> > > > distributions. There should be no difference between a "normal build"
> > > > and a "packaging build". As far as I know, it is still fully supported
> > > > for DPDK consumers to take the git repository, build it and ship it
> > > > themselves - those cases also need their builds to be reproducible.
> > >
> > > Sorry I really don't understand this point.
> > > The goal of a reproducible build is to maintain a stable hash, right?
> > > This hash needs to be stable only when it is published, isn't it?
> > > So isn't it enough to give a build option for having a reproducible build?
> >
> > The goal is that issues breaking reproducibility are bugs and treated
> > as such. You wouldn't have a build option to allow buffer overflows or
> > null pointer dereferences, and so on. "The program builds
> > reproducibly" today and in the future has the same importance as "the
> > program doesn't write beyond bounds" or "the program doesn't crash" -
> > they are not optional qualities, they are table stakes, and
> > regulations are only going to get stricter.
>
> I hear the technical reasons and want to address them, but
> I don't understand how regulation comes in an open source project.

Because they will start affecting the companies using DPDK in their
products. There are some things in supply chain security that are
purely the purview of companies shipping the final products, like
providing SBOMs, but there are things that aren't, like for example
having processes to handle security issues, or anything that requires
code changes, like this issue.