Introducing: Semantically reproducible builds

Bernhard M. Wiedemann bernhardout at lsmod.de
Sun May 28 06:02:18 UTC 2023


I agree that it is good to give it a name (I have called it 
semi-reproducible before), but we should be clear on communicating the 
disadvantages.

In openSUSE we have been working towards repeatable semantically 
reproducible builds for over a decade [1] using our open-build-service 
and a tool called build-compare to filter out "insignificant" diffs.

However, while working with the tool, I already found three (3) bugs in 
build-compare that made it report packages with significant differences 
as 'identical'.
And if you don't rely on such tools, you need expensive manual reviews 
every time that cannot be automated and might also miss issues.

I have manually reviewed hundreds of package diffs in the past and it 
took many hours, so I'm not eager to repeat that.


Another disadvantage of such binaries is that you don't have a single 
correct SHAsum that can be signed, communicated and compared easily.
You always need the full binary to compare to your rebuild.

The cleaner way is to use strip-nondeterminism to remove all these 
insignificant bits during build and make the resulting bit-reproducible 
output the official binary.

Ciao
Bernhard M.

[1] https://github.com/openSUSE/build-compare/commit/5cba04fb8def5d88423737a1a1957730e2217357
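The contrast the mail draws, between filtering "insignificant" diffs after the fact and normalising them away so that one hash can be signed, as an added example that is not part of the mail and is not code from build-compare or strip-nondeterminism. It builds two tar archives from the same constructed files with different timestamps, ownership and member order (the raw hashes differ), shows a build-compare style content-only comparison calling them equal, and then shows a toy strip-nondeterminism pass producing byte-identical output with a single SHA-256 that still changes when the binary really changes. The file names, payloads and timestamps are all made up for the illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample build output: identical file contents in every build.
# The metadata around them (mtime, uid, member order) is what varies per host.
FILES = {
    "bin/app": b"\x7fELF fake binary payload\n",
    "share/doc/README": b"hello\n",
}


def build_archive(files, mtime, uid, order):
    """Package `files` into an uncompressed tar the way a build would,
    carrying whatever timestamps and ownership the build host had."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.USTAR_FORMAT) as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.startswith("bin/") else 0o644
            info.mtime = mtime
            info.uid = info.gid = uid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def semantic_compare(a, b):
    """A build-compare style check: ignore archive metadata and compare only
    the names and contents of regular files. Any filter of this kind has to be
    trusted not to ignore too much; that is the bug class the mail describes."""
    def view(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            return {m.name: tar.extractfile(m).read()
                    for m in tar.getmembers() if m.isfile()}
    return view(a) == view(b)


def strip_nondeterminism(blob):
    """Rewrite the archive with canonical metadata and sorted member order.
    This is a toy re-implementation of the idea behind strip-nondeterminism,
    not the Debian tool itself. The result can be hashed and signed directly."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w:", format=tarfile.USTAR_FORMAT) as dst:
        for m in sorted(src.getmembers(), key=lambda member: member.name):
            info = tarfile.TarInfo(m.name)
            info.size = m.size
            info.mode = m.mode
            info.mtime = 0            # fixed epoch, as SOURCE_DATE_EPOCH would supply
            info.uid = info.gid = 0   # drop build-host ownership
            info.uname = info.gname = "root"
            dst.addfile(info, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def compare_builds():
    """Two rebuilds of the same sources on different hosts, plus one build
    whose binary actually changed (all constructed)."""
    build1 = build_archive(FILES, mtime=1_600_000_000, uid=1000, order=sorted(FILES))
    build2 = build_archive(FILES, mtime=1_700_000_000, uid=1001,
                           order=sorted(FILES, reverse=True))
    changed = {**FILES, "bin/app": b"\x7fELF different payload\n"}
    build3 = build_archive(changed, mtime=1_700_000_000, uid=1001, order=sorted(FILES))

    def norm(b):
        return sha256(strip_nondeterminism(b))

    return {
        "raw_equal": sha256(build1) == sha256(build2),             # metadata differs
        "semantic_equal": semantic_compare(build1, build2),        # contents agree
        "normalized_equal": norm(build1) == norm(build2),          # one signable hash
        "normalized_catches_change": norm(build1) != norm(build3), # real change still seen
    }


if __name__ == "__main__":
    for key, value in compare_builds().items():
        print(f"{key}: {value}")
```

The semantic path needs the full archive from both sides and a trusted filter every time; the normalised path turns the comparison into a hash check, and the normalised archive is what one would publish as the official artefact.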