TIL how “pip install torch” works: it downloads an 830 MiB “wheel” (zip file) containing .so files for PyTorch but also for some of its dependencies, including GCC’s libgomp and NVIDIA’s proprietary libcudart (is distribution legal?).
Trading user freedom and security for convenience.
However, the key property is that you can verify that pre-built binaries you get from a server are genuine, thanks to #ReproducibleBuilds:
(I was at the 1st Reproducible Builds Summit where I had the chance to meet folks who’d been working on this: <https://reproducible-builds.org/events/athens2015/>.)
@reto @samae With #Debian or #Guix, you’re not trusting “whoever has access to the build farm or repositories”: builds are reproducible, which means anyone can verify binaries match the source, without trusting the server.
Guix has tools to facilitate verification, and it also makes it easy to pick another server for binaries, or several, or none.
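An added example, not part of the original thread, that makes the two points above concrete: it opens a wheel as the zip file it is and lists the shared objects bundled next to the package's own code (the first post), then compares per-file digests between two independently built wheels, which is the check a reproducible build makes possible without trusting the server (the last two posts). The wheel layout, library names and contents are constructed for the example, not taken from a real PyTorch wheel.

```python
import hashlib
import io
import zipfile

def build_sample_wheel(contents):
    """Build an in-memory zip; a wheel is a zip with a fixed layout, so this stands in for one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in contents.items():
            zf.writestr(name, data)
    return buf.getvalue()

def shared_libraries(wheel_bytes):
    """Map every shared object (.so or .so.N) inside the wheel to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base.endswith(".so") or ".so." in base:
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def vendored(digests, package):
    """Heuristic: a .so not named lib<package>* is a bundled third-party dependency."""
    prefix = "lib" + package
    return sorted(p for p in digests if not p.rsplit("/", 1)[-1].startswith(prefix))

def compare_builds(a, b):
    """Reproducibility check: paths whose digests differ between two builds of the
    same wheel, and paths present in only one of them."""
    mismatched = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    unmatched = sorted(a.keys() ^ b.keys())
    return mismatched, unmatched

# Constructed sample wheels: same layout, but build B embeds a build timestamp in
# the package's own library, so the two builds are not bit-for-bit identical.
COMMON = {
    "torch/__init__.py": b"",
    "torch/lib/libgomp-1.so.1": b"gomp",        # constructed stand-in for GCC's libgomp
    "torch/lib/libcudart.so.12": b"cudart",     # constructed stand-in for libcudart
}
WHEEL_A = build_sample_wheel({**COMMON, "torch/lib/libtorch_cpu.so": b"torch code"})
WHEEL_B = build_sample_wheel({**COMMON, "torch/lib/libtorch_cpu.so": b"torch code built 1700000000"})

if __name__ == "__main__":
    libs = shared_libraries(WHEEL_A)
    print("bundled third-party .so:", vendored(libs, "torch"))
    print("differs between builds:", compare_builds(libs, shared_libraries(WHEEL_B)))
```

Run the same comparison against a wheel you built yourself from the published source and the one the index served: an empty result is what "binaries match the source" means in practice, and any mismatched path is where to start looking.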