Context:
Reproducible builds ensure software can be rebuilt in an identical, bit-for-bit manner anywhere at any time using the same tools. This means that someone rebuilding the software from the same source code will get exactly the same results.
Why is this important? Because it’s a crucial aspect for supply-chain security.
Source: https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/
There is a reason why NixOS was invented 21 years ago. Reproducible builds are not simple in most
packagingbuild systems.Nix doesn’t really guarantee reproduciblity, though. It’s a neat idea for deterministic configurations. But bit by bit reproducible binary builds are an entire difference beast. GNU Guix has way more promise in that regard
I believe it’s less about the packaging system and more about the build system. You’re building source code from thousands of individual projects, getting a reproducible output is difficult if, for example, some library embeds the build date/time in its output.
Why tho? I’m a software developer but I don’t do much with build systems. With the same source code, shouldn’t the resulting binary always be the same too?
You need the same source code, the same exact build tools, the same exact libraries that it depends on, and the same exact OS. Additionally every single build has to be reproducible - so not including in its output, say, the build date/time or any information about the host that built it. Now you need to repeat that for thousands of packages.
Not necessarily. Timestamps, file paths, and other environment metadata can easily sneak into an executable and make a program not build reproducibly