Ever wondered what happens when you run "pip install torch"? What's in a package? 📦 👉 hpc.guix.info/blog/2021/09/w… This post is about 📦 verifiability and its impact on #security and #ReproducibleScience. Cc: @ReproBuilds @pypi @anacondainc @spackpm @nixos_org @PyTorch
Guix looks great and it’s good to see diversity in software deployment tools. However, reducing conda packages to “opaque binaries [...] lacking reproducible build methodology and tooling” with “no signs […] of moving in that direction”... Have you heard about @condaforge?

6:59 PM · Sep 20, 2021

I see you've met @GuixHpc! There is a certain amount of hyperbole you have to get past to appreciate that Guix is still pretty darn cool! Agree that wheels and CondaForge packages are not the same thing. Don't worry -- Spack is doomed, too! 😉
Apologies if it came out harshly. It'd be worth mentioning @condaforge in an update next to that sentence. What steps does @condaforge take to ensure builds are reproducible though? Would be nice to see it join the @ReproBuilds effort!
I don't think they are fully reproducible (would be great), but a deep stack of conda-forge packages transparently built/uploaded through CI from recipes maintained in public repos by the community is not what I’d call “opaque binaries built on a developer’s machine” either 🙂.