Context:

Reproducible builds ensure software can be rebuilt in an identical, bit-for-bit manner anywhere at any time using the same tools. This means that someone rebuilding the software from the same source code will get exactly the same results.

Why is this important? Because it’s a crucial aspect for supply-chain security.

Source: https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/

    • F04118F@feddit.nl
      14·
      2 days ago

      There is a reason why NixOS was invented 21 years ago. Reproducible builds are not simple in most packaging build systems.

      • fossphi@lemm.eeEnglish
        4·
        2 days ago

        Nix doesn’t really guarantee reproduciblity, though. It’s a neat idea for deterministic configurations. But bit by bit reproducible binary builds are an entire difference beast. GNU Guix has way more promise in that regard

      • atzanteol@sh.itjust.worksEnglish
        5·
        2 days ago

        I believe it’s less about the packaging system and more about the build system. You’re building source code from thousands of individual projects, getting a reproducible output is difficult if, for example, some library embeds the build date/time in its output.

      • Fisch@discuss.tchncs.deEnglish
        2·
        2 days ago

        Why tho? I’m a software developer but I don’t do much with build systems. With the same source code, shouldn’t the resulting binary always be the same too?

        • atzanteol@sh.itjust.worksEnglish
          5·
          2 days ago

          You need the same source code, the same exact build tools, the same exact libraries that it depends on, and the same exact OS. Additionally every single build has to be reproducible - so not including in its output, say, the build date/time or any information about the host that built it. Now you need to repeat that for thousands of packages.

        • ugo@feddit.it
          3·
          2 days ago

          Not necessarily. Timestamps, file paths, and other environment metadata can easily sneak into an executable and make a program not build reproducibly

  • DigitalMus@feddit.dk
    3·
    2 days ago

    Thought I would mention Guix. I don’t know about using it as an OS but just the package manager is so nice to build reproducible software environments (although disclaimer I discovered this myself a few weeks ago). At least as close you can get without including proprietary hardware drivers. Building MPI applications on my laptop and moving them to an HPC cluster with full performance feels like magic.