-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No release on GitHub #13
Comments
There seems to be artifacts published on each action, e.g. this latest one: https://github.com/robur-coop/qubes-miragevpn/actions/runs/10033371815 About what sha256 checksum to check against is a good question. The builds on builds.robur.coop use the latest system packages and opam (OCaml package manager) packages. Furthermore, we are building of different platforms: FreeBSD 14 and now debian 11 and debian 12 too. It is expected that different platforms will not reproduce the same binary. Updates in dependencies or system packages can also break reproducibility. However, enough information should be recorded that you should be able to reproduce the build (using orb). I was hoping the debian 12 build would reproduce the GitHub action / docker build, but unfortunately not. The docker build (see the Dockerfile) pins the debian repository to a fixed snapshot. It also uses a fixed snapshot of the opam repository (the OCaml packages). Thus the builds are more stable and should consistently reproduce the same build. So most likely you are interested in the GitHub build as it is most reproducible. On the other hand the builds.robur.coop builds will have the latest versions of dependencies including the latest fixes (and latest bugs). |
It would be very useful to publish them as actual github releases. Building a Salt template to download and install the latest version a la Mirage Firewall is the thing that I am looking for or to do. Arbitrary strings in the GitHub Actions channel is maybe not the best way for that. I am less interested in reproducibility (though I understand and agree with its importance), than I am installability. |
The handbook states that a release can be downloaded from the reproducible build server, or from the official GitHub, which this is.
https://robur-coop.github.io/miragevpn-handbook/qubes_miragevpn.html
There do not appear to be binary releases pushed on GitHub - is this intentional and a typo in the handbook?
Additionally, the sha256 on github (https://github.com/robur-coop/qubes-miragevpn/blob/main/qubes-miragevpn.sha256) does not match the most recent downloaded version from the build server. Where is the appropriate sha256 published for checking?
The text was updated successfully, but these errors were encountered: