Summary
The repository currently documents reproducibility using a plain nix-build flow, but in practice that depends on the caller's ambient <nixpkgs> resolution. This can make local reproduction fragile across environments.
A small improvement would be to add a canonical Makefile target for a pinned reproducible build.
Problem
The current documented verification flow uses nix-build directly. In my testing:
- ambient
nixpkgs can be too new for the current default.nix
- using the default
nix-build out-link (result) in a repo whose default.nix uses src = ./. can make repeated runs confusing
- the release workflow already points toward a specific nixpkgs family (
nixos-21.05), but the local documented command does not make that explicit
Proposed change
Add a small repro-build target to the Makefile that:
- uses a pinned nixpkgs revision and tarball hash
- runs
nix-build --no-out-link ...
- prints the realized Nix store output path on stdout
Then update the README reproducibility example to use that target.
For example, the local verification flow would become:
cat "$(make repro-build)"/bin/blackhole-opt.wasm | sha256sum
Summary
The repository currently documents reproducibility using a plain
nix-buildflow, but in practice that depends on the caller's ambient<nixpkgs>resolution. This can make local reproduction fragile across environments.A small improvement would be to add a canonical Makefile target for a pinned reproducible build.
Problem
The current documented verification flow uses
nix-builddirectly. In my testing:nixpkgscan be too new for the currentdefault.nixnix-buildout-link (result) in a repo whosedefault.nixusessrc = ./.can make repeated runs confusingnixos-21.05), but the local documented command does not make that explicitProposed change
Add a small
repro-buildtarget to theMakefilethat:nix-build --no-out-link ...Then update the README reproducibility example to use that target.
For example, the local verification flow would become: