From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id DCABD44078;
	Mon, 20 May 2024 17:39:59 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 6972D402E9;
	Mon, 20 May 2024 17:39:59 +0200 (CEST)
Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com
 [209.85.214.176])
 by mails.dpdk.org (Postfix) with ESMTP id 77D0F400EF
 for <dev@dpdk.org>; Mon, 20 May 2024 17:39:58 +0200 (CEST)
Received: by mail-pl1-f176.google.com with SMTP id
 d9443c01a7336-1eecc71311eso79864705ad.3
 for <dev@dpdk.org>; Mon, 20 May 2024 08:39:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20230601.gappssmtp.com; s=20230601; t=1716219597;
 x=1716824397; darn=dpdk.org; 
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:subject:cc:to:from:date:from:to:cc:subject:date
 :message-id:reply-to;
 bh=MdEheydARPhioUGLwoMk+mSRJ0Bc3/jpFlI9+/TapZ4=;
 b=dyASYgrfornnl9is6W24fHcMdkDiMGg9wH2dRqzYh/eeRF+fZDZuJqgWjFPc2V6GYX
 93Om/bHO5GYAFjacHOmQwDow9kaTK+7zDOTyIbNNo65SS4Hek6Y0CB5eG0E47J7NjvnR
 hSPdxL+Uz1nHfpFIeBGEkeHo6/V2GnWFo5b6VuPlFGGYbjsLlhSyNCRExf/Y0VIOT0+A
 4M/uyzpYHRPIniZwEaPvpmAIuqeEBzRTyaD7RQhWi4VSZSrgxvoEqYMeggqR0jYleDL3
 B+m1c+yDsVwI9SNm8t2b3xolAX07BVBapWYRSp9nDuTm3cTGCr0axSTHTfqUoWmlOm98
 5PYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716219597; x=1716824397;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:subject:cc:to:from:date:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=MdEheydARPhioUGLwoMk+mSRJ0Bc3/jpFlI9+/TapZ4=;
 b=LsQ2feJuW2ztwWSup9E8hSV9ZLQ44OBC//HLMsuvagyjbdN/zMiltfezeGljGpbNqM
 fHt59DH7ded9ws9o31Fr1tHWuvVSZXIKSAIKy3C1/xe3sHAuyo2q6jsqZREWV/eqBL3c
 ++VVYrDUtIJ2D6LehhNIzZTTa6rFTjH9xst+VNX84A44cGqBWnd3OmXtT+ef/tBvVT9/
 oMnccL8yGY4IAnrUJjxyqzXAiAnRo3sgPoGpq3BBhVzIq/jFW8D9IPMOslqbVGwu7XvJ
 Zd6KvHypMzPVuwwR8JQnZN5BHwFf7nLWclkmf72syqTg4shZT8Ffb5mS4Ja5cp2OIDI5
 LHDA==
X-Forwarded-Encrypted: i=1;
 AJvYcCU44ACGPROIyj7COOPJ9K4osw/qntcg+/Y7wlXgpuRz4q0S4nYNeY0Fs1hG9UTCnqazqNkX99FY1QJLtWg=
X-Gm-Message-State: AOJu0Yxjic185H8HvZzuBGwOE6NwnndU6AY8o081MKmltOUD6CJhtia1
 PESY3AM3kBr2qPp44xBoDiaS1zUCznr2oSASWaeWJyW07+scTd9+yszl99ROgXc=
X-Google-Smtp-Source: AGHT+IFZSfme7OEhzR+xowFsHCkBBmb79f8Bgnlp47467+fMkAI728vxOuKnfAa0d1V4Xyog9FLtCw==
X-Received: by 2002:a17:902:ced0:b0:1f3:87a:312 with SMTP id
 d9443c01a7336-1f3087a052dmr20633815ad.16.1716219597446; 
 Mon, 20 May 2024 08:39:57 -0700 (PDT)
Received: from hermes.local (204-195-96-226.wavecable.com. [204.195.96.226])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-1f3057ac879sm15126825ad.193.2024.05.20.08.39.56
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 20 May 2024 08:39:57 -0700 (PDT)
Date: Mon, 20 May 2024 08:39:55 -0700
From: Stephen Hemminger <stephen@networkplumber.org>
To: Luca Boccassi <bluca@debian.org>
Cc: Thomas Monjalon <thomas@monjalon.net>, Christian Ehrhardt
 <christian.ehrhardt@canonical.com>, Bruce Richardson
 <bruce.richardson@intel.com>, dev@dpdk.org, david.marchand@redhat.com,
 "Mcnamara, John" <john.mcnamara@intel.com>
Subject: Re: [PATCH] doc: ensure sphinx output is reproducible
Message-ID: <20240520083955.7aecc1d8@hermes.local>
In-Reply-To: <CAMw=ZnTwMg3_0LH96WWeUOabTaZBsKuSnwnTLFCjthksNVSQ+g@mail.gmail.com>
References: <20230629125838.1995751-1-christian.ehrhardt@canonical.com>
 <2121200.bB369e8A3T@thomas>
 <CAMw=ZnQ7zUTZDr+Nv47rUgE5e2YFgn5GpWKDc-CTmS2qZYe1uQ@mail.gmail.com>
 <6628584.G0QQBjFxQf@thomas>
 <CAMw=ZnTwMg3_0LH96WWeUOabTaZBsKuSnwnTLFCjthksNVSQ+g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

On Mon, 20 May 2024 10:53:07 +0100
Luca Boccassi <bluca@debian.org> wrote:

> On Sun, 19 May 2024 at 22:11, Thomas Monjalon <thomas@monjalon.net> wrote:
> >
> > 19/05/2024 19:23, Luca Boccassi:  
> > > On Sun, 19 May 2024 at 18:13, Thomas Monjalon <thomas@monjalon.net> wrote:  
> > > >
> > > > 19/05/2024 18:36, Luca Boccassi:  
> > > > > On Sun, 19 May 2024 at 15:01, Thomas Monjalon <thomas@monjalon.net> wrote:  
> > > > > > 17/05/2024 13:29, Luca Boccassi:  
> > > > > > > On Mon, 27 Nov 2023 at 17:04, Bruce Richardson
> > > > > > > <bruce.richardson@intel.com> wrote:  
> > > > > > > >
> > > > > > > > On Mon, Nov 27, 2023 at 05:45:52PM +0100, Thomas Monjalon wrote:  
> > > > > > > > > I would prefer adding an option for reproducible build
> > > > > > > > > (which is not a common requirement).
> > > > > > > > >  
> > > > > > > > Taking a slightly different tack, is it possible to sort the searchindex.js
> > > > > > > > file post-build, so that even reproducible builds get the benefits of
> > > > > > > > parallelism?  
> > > > > > >
> > > > > > > Given the recent attacks with malicious sources being injected in open
> > > > > > > source projects, reproducible builds are more important than ever and
> > > > > > > should just be the default.  
> > > > > >
> > > > > > Yes it should be the default when packaging.
> > > > > > Why should it be the default for normal builds?  
> > > > >
> > > > > Build reproducibility is everyone's responsibility, not just Linux
> > > > > distributions. There should be no difference between a "normal build"
> > > > > and a "packaging build". As far as I know, it is still fully supported
> > > > > for DPDK consumers to take the git repository, build it and ship it
> > > > > themselves - those cases also need their builds to be reproducible.  
> > > >
> > > > Sorry I really don't understand this point.
> > > > The goal of a reproducible build is to maintain a stable hash, right?
> > > > This hash needs to be stable only when it is published, isn't it?
> > > > So isn't it enough to give a build option for having a reproducible build?  
> > >
> > > The goal is that issues breaking reproducibility are bugs and treated
> > > as such. You wouldn't have a build option to allow buffer overflows or
> > > null pointer dereferences, and so on. "The program builds
> > > reproducibly" today and in the future has the same importance as "the
> > > program doesn't write beyond bounds" or "the program doesn't crash" -
> > > they are not optional qualities, they are table stakes, and
> > > regulations are only going to get stricter.  
> >
> > I hear the technical reasons and want to address them, but
> > I don't understand how regulation comes in an open source project.  
> 
> Because they will start affecting the companies using DPDK in their
> products. There are some things in supply chain security that are
> purely the purview of companies shipping the final products, like
> providing SBOMs, but there are things that aren't, like for example
> having processes to handle security issues, or anything that requires
> code changes, like this issue.

Reproducible must be the default. It should not be an option