
A tale of several distros joining forces for a common goal: reproducible builds

anotherhue

Reproducibility changes everything, because nothing changes. We go from shamans chanting incantations over a blessed code base to a mathematical function with an algebra of system composition.

Let me give you the simplest example: when builds are reproducible you don't need package repositories, you need build caches.

All the problems with maintaining a repository (save bandwidth) evaporate.

jmclnx

It is very cool to see distros working together for a common goal.

But I still do not understand the point of "reproducible builds". I know what they are, but to me the amount of work involved outweighs the benefit.

I even heard NetBSD is also working on "reproducible builds". So maybe I am missing something :)

david-gpu

It's a safety measure. Reproducible builds ensure identical binaries are produced from the same source. They help detect e.g. hidden backdoors.
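
The two points above (anotherhue's "build caches instead of repositories" and david-gpu's "identical binaries from the same source, so tampering shows up") come down to the same check: two independent builders must land on the same digest. The following is an added example, not code from the thread or from any distro's tooling. It packs a constructed source tree two ways: a naive packer that leaks checkout timestamps and ownership into the archive, and a reproducible packer that pins them (the SOURCE_DATE_EPOCH convention). The file names, contents, timestamps and the `cache_key` helper are all assumptions made for the illustration.

```python
"""Added example (not from the thread): why a build must be deterministic
before a content-addressed build cache can replace a package repository,
and how an independent rebuild catches a tampered artifact."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample sources (names deliberately out of sorted order).
SOURCES = {
    "src/zeta.c": b"int zeta(void){return 2;}\n",
    "src/alpha.c": b"int alpha(void){return 1;}\n",
    "Makefile": b"all:\n\tcc -o prog src/*.c\n",
}
SOURCE_DATE_EPOCH = 1_700_000_000  # pinned build timestamp (assumption)


def cache_key(sources):
    """Content-addressed key for a build cache: hash of the sorted inputs."""
    h = hashlib.sha256()
    for rel in sorted(sources):
        h.update(rel.encode() + b"\0" + sources[rel] + b"\0")
    return h.hexdigest()


def write_tree(root, sources, checkout_time):
    """Materialise the tree on disk as a checkout done at checkout_time."""
    for rel, data in sources.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (checkout_time, checkout_time))


def naive_pack(root):
    """Non-reproducible: tar.add() records real mtimes and uid/gid, and
    the gzip header is stamped with the current time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname="pkg")
    return buf.getvalue()


def reproducible_pack(root, epoch=SOURCE_DATE_EPOCH):
    """Reproducible: sorted traversal, normalised metadata, gzip mtime 0."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # deterministic traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                info = tar.gettarinfo(full, arcname="pkg/" + rel)
                info.mtime = epoch            # SOURCE_DATE_EPOCH, not checkout time
                info.uid = info.gid = 0       # builder's account must not leak
                info.uname = info.gname = ""
                info.mode = 0o644             # umask of the builder must not leak
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def build_digest(pack, checkout_time, sources=SOURCES):
    """One independent builder: fresh checkout, pack, hash the artifact."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, sources, checkout_time)
        return hashlib.sha256(pack(root)).hexdigest()


def compare_builders(pack):
    """Two builders that checked out at different times; True if they agree."""
    a = build_digest(pack, checkout_time=1_600_000_000)
    b = build_digest(pack, checkout_time=1_650_000_000)
    return a == b


def tampered_digest():
    """A rebuilder whose tree has an injected change: its digest diverges."""
    bad = dict(SOURCES)
    bad["src/alpha.c"] = b"int alpha(void){return 1;}\n/* injected */\n"
    return build_digest(reproducible_pack, 1_650_000_000, sources=bad)


if __name__ == "__main__":
    print("naive agree:       ", compare_builders(naive_pack))
    print("reproducible agree:", compare_builders(reproducible_pack))
    print("tamper detected:   ",
          tampered_digest() != build_digest(reproducible_pack, 1_650_000_000))
```

With the reproducible packer, `cache_key(SOURCES)` can index a cache whose entries any builder can regenerate and any third party can check by rebuilding; with the naive packer every builder produces a different digest, so the cache can only be trusted as far as the machine that filled it.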

3s

A really important application of reproducible builds is running code inside Secure Enclaves that has been committed to on a public transparency log. A client can connect to a remote secure enclave that can then prove to the client that it's running the committed code via a process known as remote attestation. It's pretty cool stuff. However it's only possible if the build inside the enclave is reproducible (deterministic) and always identical to the build on the transparency log.
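
The exchange described above, as an added example that is not part of the original comment or of any enclave vendor's SDK: a client verifies a remote enclave's attestation report and then checks the attested measurement against the digest of a reproducible build recorded in a transparency log under a known commit. Everything here is constructed and simplified: the attestation signature is stood in for by an HMAC under a key only the "hardware" side holds (a real deployment verifies a signature chain rooted in the vendor's attestation key and an inclusion proof from the log), and the commit IDs, artifacts and measurement function are assumptions.

```python
"""Added example (not from the thread): client-side check that a remote
enclave runs exactly the build that was committed to a transparency log.
Signature is simulated with HMAC; in practice this is a vendor-rooted
attestation signature. All identifiers and artifacts are constructed."""
import hashlib
import hmac
import json
import secrets

# Assumption: stand-in for the attestation key held only by the enclave hardware.
ATTESTATION_KEY = b"hardware-only-attestation-key"


def measure(artifact: bytes) -> str:
    """Enclave measurement: hash of the loaded code (the role MRENCLAVE plays)."""
    return hashlib.sha256(artifact).hexdigest()


class TransparencyLog:
    """Append-only list of (commit, artifact digest) with a running head hash."""

    def __init__(self):
        self.entries = []
        self.head = "0" * 64

    def append(self, commit, digest):
        self.head = hashlib.sha256((self.head + commit + digest).encode()).hexdigest()
        self.entries.append({"commit": commit, "digest": digest, "head": self.head})

    def digests_for(self, commit):
        """Every digest the log has recorded for this commit (a reproducible
        build should yield exactly one)."""
        return {e["digest"] for e in self.entries if e["commit"] == commit}


def _sign(report):
    msg = json.dumps(report, sort_keys=True).encode()
    return hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).hexdigest()


def enclave_attest(artifact, nonce):
    """Enclave side: the hardware signs (measurement, client nonce)."""
    report = {"measurement": measure(artifact), "nonce": nonce}
    return report, _sign(report)


def client_verify(log, commit, nonce, report, sig):
    """Client side: signature, freshness, then log membership, in that order."""
    if not hmac.compare_digest(_sign(report), sig):
        return False, "bad attestation signature"
    if report.get("nonce") != nonce:
        return False, "stale report (nonce mismatch)"
    if report.get("measurement") not in log.digests_for(commit):
        return False, "measurement not in transparency log for this commit"
    return True, "ok"


def scenario():
    """Honest enclave plus three failure modes; returns the verdicts."""
    log = TransparencyLog()
    good = b"\x7fELF constructed-reproducible-build"   # constructed artifact
    log.append("abc123", measure(good))                # published at build time
    nonce = secrets.token_hex(16)
    results = {}
    report, sig = enclave_attest(good, nonce)
    results["honest"] = client_verify(log, "abc123", nonce, report, sig)
    # Enclave loaded a binary that is not the logged build (one byte differs).
    results["modified"] = client_verify(
        log, "abc123", nonce, *enclave_attest(good + b"\x90", nonce))
    # A genuine but old report replayed against a fresh client nonce.
    results["replayed"] = client_verify(
        log, "abc123", secrets.token_hex(16), report, sig)
    # Attacker claims the logged measurement but cannot produce the signature.
    forged = {"measurement": measure(good), "nonce": nonce}
    results["forged"] = client_verify(log, "abc123", nonce, forged, "00" * 32)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:9s} -> {verdict}")
```

The ordering in `client_verify` matters: an unsigned or replayed report is rejected before the log is consulted, so the log lookup only ever runs on a fresh, hardware-signed measurement. The reproducibility requirement is what makes the last check meaningful: if the enclave build were not deterministic, the log would hold one digest and the enclave would report another, and an honest enclave would be indistinguishable from a modified one.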

ssivark

What makes you so confident that the benefit is less than the effort?

Given the increasing likelihood of supply chain attacks, isn’t this a very prudent precaution?

samsartor

The video gets into that. The main purpose is to verify that the binary you're running came from the actual source code.

Foxboron

I see the lobste.rs reposter strikes again.

mohsen1

20 years ago I was a Linux user and was going through all of the pains of using apps on Linux.

This month I was building a simple CLI app[1] and decided to publish it for Linux too. To this day it's a mess. You have to build for a few targets, and it's still not clear to me whether I'm covering all Linux users.

Why is it such an impossible task to make it possible for Linux users to download and use apps like Windows and Mac?

[1] https://github.com/bodo-run/yek/