Question for research. I am under the impression that if I download any arbitrary project on Stackage multiple times (at different points in time), it cannot be guaranteed that I will 100% get the exact same code every time because some dependencies (i.e., extra-deps) are not guaranteed to be in the LTS package set–is this correct?
What I’m asking is, for the sake of research, is it safe to say that downloading and building with stack is not guaranteed to have 100% fidelity for reproducibility for any random project?
Welcome to the Haskell discourse instance @cahollenbeck!
From what I understand, Stack added lock files to solve this problem. This generates an extra stack.yaml.lock file with the sha256 hashes of all dependencies. This means that dependencies in the LTS as well as dependencies in extra-deps are 100% reproducible.
However, this concerns only Haskell dependencies. There could still be differences in C libraries/toolchain that the program uses, or differences in operating systems… If that matters to you, you probably want to look at something like nix instead.