How to talk to skeptics?

John Neffenger john at
Wed Dec 14 22:22:22 UTC 2022

On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote:
> He also once pointed me to

I also wonder how all this verification is going to work.

For example, I'll soon be providing reproducible builds of OpenJDK. How 
will I recruit volunteers to verify my builds? Is it enough just for me 
to verify them on a separate build machine and network? Should I instead 
be matching Oracle's builds of OpenJDK? To do so, I would have to set 
the "java.vendor" of my build to "Oracle Corporation", but that doesn't 
seem right.

Lots of questions! :-)

> In the end, it would be useful to collect some well-worded / 
> well-thought counter-arguments on r-b.o (if we don't have that already)

The link below is my latest attempt at persuasion:

Discussion: Reproducible builds

I'd like to think that my arguments worked, now that my two-year-old 
pull request is tentatively planned for the next release. In reality, 
though, I find that most of the resistance to reproducible builds is not 
technical, but rather due to time constraints and business plans.

It takes a lot of time to test reproducible builds. When I update my 
pull request, I have to run about 30 builds covering three operating 
systems and six hardware platforms, and reviewers have to do something 
similar. That's a lot to ask of an active project with many competing 
pull requests.

In the extreme, I see reproducible builds as the final step in the 
commoditization of open-source software. When every package of a project 
is bit-for-bit identical to every other, it doesn't matter where you get 
it. That makes it more difficult for any particular vendor to sell the 
"trust" in its brand.


More information about the rb-general mailing list