I think there are only a few cases where it would be helpful:
- one hash to rule them all, perfectly reproducible
- a big mess, consider avoiding it
- just two or four cohorts, package maintainer may want to investigate
- everybody agrees on the output hash except for you, something local is compromised
I don't anticipate peering into the mess and coming up with many useful conclusions.
> if we were to mark a package as non-reproducible, we could recursively mark everything else that has it as a (transitive) input.
I like that idea, to sort of carve out a space within the already-pretty-reliable nixpkgs which can be expected to be perfectly reproducible. I'd strive to get my packages included in that set, and to select my dependencies from it.
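As an added illustration (not code from the thread or from nixpkgs), here is one way to express the four buckets above and the transitive marking of anything that has a non-reproducible input; the builder names, package names and hash values are constructed placeholders.

```python
from collections import Counter

UNREPRODUCIBLE = {"few-cohorts", "mess"}   # verdicts that count against the package itself

def classify_cohorts(hashes, local_builder="local"):
    """Bucket one derivation's rebuild results into the four cases from the post.
    hashes: builder name -> output hash it produced; local_builder is our own rebuild."""
    counts = Counter(hashes.values())
    if len(counts) == 1:
        return "reproducible"       # one hash to rule them all
    others = {h for b, h in hashes.items() if b != local_builder}
    if local_builder in hashes and len(others) == 1 and hashes[local_builder] not in others:
        return "local-suspect"      # everyone agrees except us: look at our own machine
    if len(counts) <= 4:
        return "few-cohorts"        # a handful of cohorts: maintainer may want to investigate
    return "mess"                   # many cohorts: consider avoiding

def transitive_unreproducible(inputs, verdicts):
    """Every package that is non-reproducible itself or has one as a (transitive) input.
    inputs: package -> direct build inputs (a DAG); unlisted packages count as clean."""
    tainted = {}
    def taint(pkg, path=()):
        if pkg in tainted:
            return tainted[pkg]
        if pkg in path:
            raise ValueError(f"cycle in inputs through {pkg}")
        own = verdicts.get(pkg, "reproducible") in UNREPRODUCIBLE
        tainted[pkg] = own or any(taint(d, path + (pkg,)) for d in inputs.get(pkg, ()))
        return tainted[pkg]
    for pkg in set(inputs) | set(verdicts):
        taint(pkg)
    return {p for p, t in tainted.items() if t}

# Constructed sample: rebuild reports from several builders; hash values are placeholders.
REPORTS = {
    "glibc":   {"hydra": "h1", "r13y": "h1", "ci-b": "h1", "local": "h1"},
    "openssl": {"hydra": "h2", "r13y": "h2", "ci-b": "h2", "local": "h9"},
    "python":  {"hydra": "h3", "r13y": "h3x", "ci-b": "h3", "local": "h3"},
    "texlive": {"hydra": "h4", "r13y": "h4a", "ci-b": "h4b", "local": "h4c", "ci-e": "h4d"},
    "app":     {"hydra": "h5", "r13y": "h5", "ci-b": "h5", "local": "h5"},
}
INPUTS = {"openssl": ["glibc"], "python": ["glibc", "openssl"],
          "texlive": ["glibc"], "app": ["python"]}

VERDICTS = {pkg: classify_cohorts(h) for pkg, h in REPORTS.items()}
TAINTED = transitive_unreproducible(INPUTS, VERDICTS)
CLEAN_SET = set(REPORTS) - TAINTED     # the carve-out one could pick dependencies from
```

Note that a "local-suspect" verdict does not taint dependants: the package reproduces everywhere else, so the thing to investigate is the local builder, not the package.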