openSUSE Spin Achieves 100% Bit-Identical Packages For Reproducible Builds (www.phoronix.com)
from KarnaSubarna@lemmy.ml to linux@lemmy.ml on 18 Feb 17:13
https://lemmy.ml/post/26175072

Context:

Reproducible builds ensure software can be rebuilt in an identical, bit-for-bit manner anywhere at any time using the same tools. This means that someone rebuilding the software from the same source code will get exactly the same results.

Why is this important? Because it’s a crucial aspect for supply-chain security.

Source: news.opensuse.org/…/rbos-project-hits-milestone/

#linux


dan@upvote.au on 18 Feb 17:56

This is awesome!

SatanClaus@lemmy.dbzer0.com on 18 Feb 18:03

And here I thought this was kinda already the case. 🫣

F04118F@feddit.nl on 18 Feb 18:30

There is a reason why NixOS was invented 21 years ago. Reproducible builds are not simple in most packaging build systems.

Fisch@discuss.tchncs.de on 18 Feb 19:17

Why tho? I’m a software developer but I don’t do much with build systems. With the same source code, shouldn’t the resulting binary always be the same too?

ugo@feddit.it on 18 Feb 19:24

Not necessarily. Timestamps, file paths, and other environment metadata can easily sneak into an executable and make a program not build reproducibly.

atzanteol@sh.itjust.works on 18 Feb 19:56

You need the same source code, the same exact build tools, the same exact libraries that it depends on, and the same exact OS. Additionally, every single build has to be reproducible - so not including in its output, say, the build date/time or any information about the host that built it. Now you need to repeat that for thousands of packages.
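The two comments above (timestamps and paths sneaking into an executable; a build that must not embed its date/time or host details) are easy to see in miniature. The following is an added example written for this thread, not code from openSUSE, NixOS or any poster: it "builds" a constructed two-file project into a tar.gz twice, in two different scratch directories, once the naive way and once honouring a fixed SOURCE_DATE_EPOCH (the value 1700000000 is an arbitrary assumption), and then compares the SHA-256 of the results and lists the members that differ, in the spirit of what diffoscope does for real packages.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed sample "project" (not taken from any real package).
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}


def write_sources(root):
    """Materialise the constructed sources under root."""
    for rel, data in SOURCE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def build(root, reproducible, source_date_epoch=1700000000):
    """Pack the tree under root into a .tar.gz and return its bytes.

    reproducible=False mirrors the usual leaks: wall-clock time (gzip header,
    file mtimes, a BUILDINFO stamp), the absolute build path as the member
    name, and whatever order os.walk happens to return.
    reproducible=True applies the standard fixes: every timestamp pinned to
    SOURCE_DATE_EPOCH (an assumed constant here), relative member names,
    neutral ownership and sorted entries.
    """
    buf = io.BytesIO()
    gz_mtime = source_date_epoch if reproducible else None  # None -> gzip stamps "now"
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            entries = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
            if reproducible:
                entries.sort()
            for path in entries:
                with open(path, "rb") as fh:
                    data = fh.read()
                info = tarfile.TarInfo(os.path.relpath(path, root) if reproducible else path)
                info.size = len(data)
                if reproducible:
                    info.mtime = source_date_epoch
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                else:
                    info.mtime = os.stat(path).st_mtime  # leaks checkout time
                tar.addfile(info, io.BytesIO(data))
            # A build-info stamp: the naive one records when and where it was built.
            stamp = (f"source-date-epoch={source_date_epoch}\n" if reproducible
                     else f"built={time.time()} in {root}\n").encode()
            sinfo = tarfile.TarInfo("BUILDINFO")
            sinfo.size = len(stamp)
            sinfo.mtime = source_date_epoch if reproducible else time.time()
            tar.addfile(sinfo, io.BytesIO(stamp))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def differing_members(archive_a, archive_b):
    """Names of tar members whose mtime or content differ (a tiny diffoscope)."""
    def table(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return {m.name: (m.mtime, tar.extractfile(m).read()) for m in tar.getmembers()}
    ta, tb = table(archive_a), table(archive_b)
    return sorted(n for n in set(ta) | set(tb) if ta.get(n) != tb.get(n))


def two_builds(reproducible):
    """Build the same sources in two separate scratch directories."""
    archives = []
    for _ in range(2):
        with tempfile.TemporaryDirectory() as root:
            write_sources(root)
            archives.append(build(root, reproducible))
        time.sleep(0.01)  # guarantee the naive build sees a later clock
    return archives[0], archives[1]


if __name__ == "__main__":
    for mode in (False, True):
        a, b = two_builds(mode)
        print(f"reproducible={mode}: identical={sha256(a) == sha256(b)}, "
              f"differing members={differing_members(a, b)}")
```

The naive pair differs in every member (the absolute scratch path is part of each name, so nothing even lines up) plus the gzip header, while the pinned pair hashes identically from two different directories; scaling exactly this discipline across thousands of packages, as the comment says, is the hard part.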

atzanteol@sh.itjust.works on 18 Feb 19:26

I believe it’s less about the packaging system and more about the build system. You’re building source code from thousands of individual projects; getting a reproducible output is difficult if, for example, some library embeds the build date/time in its output.

fossphi@lemm.ee on 18 Feb 23:33

Nix doesn’t really guarantee reproducibility, though. It’s a neat idea for deterministic configurations. But bit-by-bit reproducible binary builds are an entirely different beast. GNU Guix has way more promise in that regard.

DigitalMus@feddit.dk on 18 Feb 19:40

Thought I would mention Guix. I don’t know about using it as an OS, but just the package manager is so nice for building reproducible software environments (although, disclaimer, I discovered this myself a few weeks ago). At least as close as you can get without including proprietary hardware drivers. Building MPI applications on my laptop and moving them to an HPC cluster with full performance feels like magic.
