tonsky 4 days ago

> Lockfiles are essential for somewhat reproducible builds.

No they are not. Fully reproducible builds have existed without lockfiles for decades.
its-summertime 4 days ago

of distros, they usually refer to an upstream by hash: https://src.fedoraproject.org/rpms/conky/blob/rawhide/f/sour... Also of Flathub: https://github.com/flathub/com.belmoussaoui.ashpd.demo/blob/... "They are not lockfiles!" is a debatable separate topic, but for a wider disconnected ecosystem of sources, you can't really rely on versions being useful for reproducibility.

andix 4 days ago

Sure, without package managers. It's also not about fully reproducible builds; it's about a tradeoff to get a modern package manager (npm, cargo, ...) experience and also somewhat reproducible builds.

pluto_modadic 4 days ago

...Source? Show me one "decades old build" of a major project that isn't based on 1) git hashes, 2) fixed semver URLs, or 3) exact semver in general.