Repeating myself: At this point reproducible builds are a red herring distracting us from more important things to work on.

biolizard89 wrote:
Whoops, totally missed this post, sorry Daniel.

domob wrote:
I agree that deterministic builds are important, but what is really stopping us from simply running the source through a Python interpreter? I thought that's how it is supposed to be done anyway. With respect to a reproducible Python interpreter: What's the point if you can simply use the one bundled and signed by a major distro? You have to trust "some" component of your OS anyway.

biolizard89 wrote:
Reproducible builds are very important, and I don't think Joseph or I want the project to be completely dependent on something that Tor devs were unable to do with several orders of magnitude more funding.
Major Linux distros are working on making all their packages reproducible (particularly Debian, though also Fedora). Armory is basically working in Debian's reproducible build toolchain (unless I'm misremembering what Joseph said), so Python on Debian-based OS's is reproducible. So for Linux users, this is less of an issue. The bigger problem is making reproducible builds for non-Linux distros. If you're a Windows user, you inherently trust Microsoft, but you may not trust a Python interpreter that you download from the Python website, and you definitely shouldn't trust a Python interpreter that's embedded in a PyInstaller-generated .exe file that a random software vendor (such as us) provides. Python is near-impossible to build for Windows reproducibly, while Go is trivially easy from looking at Tor's Gitian scripts.
edited: Added "at this point"