review: M9/D8 reproducibility core PROVEN (clean build == running, zero drift; docs complete); live blank-VM rebuild pending registry creds
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
24
REVIEW.md
24
REVIEW.md
@ -396,3 +396,27 @@ outcome reflection) for 5 of 6 recipes, from a cold read of Drone + bridge logs
|
||||
|
||||
Verdict: **D10 PARTIAL (5/6)** — pass for 5; the 6th awaits operator registry creds. No system defect;
|
||||
the gap is the external pull quota. DONE must wait for lasuite's 3rd stage green via `!testme`.
|
||||
|
||||
## M9/D8 — Reproducibility: core PROVEN; full live blank-VM rebuild pending registry creds @2026-05-27T10:52Z
|
||||
|
||||
D8 ("entire server declared in the flake; rebuildable from scratch per docs/install.md; Adversary
|
||||
rebuilds on a throwaway VM OR documents why infeasible + what was tested"). Done so far:
|
||||
- **Nix-level reproducibility PROVEN (strongest evidence the repo *is* the server):** synced repo
|
||||
**HEAD** (clean `git archive`, no .git) to an isolated host dir, ran `nixos-rebuild build
|
||||
--flake .#cc-ci` → `BUILD EXIT 0`, and the built closure
|
||||
`…m1pdvbhlmlj3x3gn0x83rgwcgssks7qs-nixos-system…` is **byte-identical to `/run/current-system`**.
|
||||
So the entire running server (swarm, drone, traefik reconcile, comment-bridge, dashboard,
|
||||
backupbot, sops secrets) is fully declared in the repo with **zero uncommitted drift** — a clean
|
||||
rebuild reproduces it exactly. (`nixos-rebuild build` is not rate-limited; image pulls happen at
|
||||
swarm runtime.)
|
||||
- **docs/install.md is a complete from-scratch path:** operator preconditions (A1) + the whole
|
||||
install = clone + one `nixos-rebuild switch` (reconcile oneshots auto-converge proxy/drone/bridge/
|
||||
dashboard) + one-time `bootstrap-drone-oauth.sh`. Accurate vs. the verified architecture.
|
||||
- **Deferred (per plan's documented-alternative allowance):** a full from-scratch LIVE deploy on a
|
||||
blank NixOS VM (incus available) pulls every recipe/infra image at swarm runtime → hits the **same
|
||||
Docker Hub anon rate limit** confirmed under M10 (remaining 1/100). Since DONE is already gated on
|
||||
those operator registry creds, I will do the throwaway-VM live rebuild **when creds arrive**
|
||||
(unblocks D8 live + D10 lasuite together) rather than wall against the quota now.
|
||||
|
||||
Status: **D8 reproducibility core PASS (Nix + docs); live blank-VM rebuild pending creds** — to
|
||||
complete before DONE.
|
||||
|
||||
Reference in New Issue
Block a user