Introducing: Semantically reproducible builds

Bernhard M. Wiedemann bernhardout at
Mon May 29 08:31:23 UTC 2023

On 29/05/2023 05.25, David A. Wheeler wrote:
> If you have tips on common likely errors, please post, I think
> that would be of interest to many.

We use bash there to not add dependencies.
Looking at the bugs, those were mostly problems of tracking state in 

It would be less troublesome if we would not use it like diffoscope to 
report all diffs, but instead exit on the first relevant diff to keep it 

>> The cleaner way is to use strip-nondeterminism to remove all these 
>> insignificant bits during build and make the resulting bit-reproducible 
>> output the official binary.
> As a *recipient* who has no control over the build process used by
> someone else to create their package, I need some workable
> alternatives to estimate risk.

A recipient could still use strip-nondeterminism (and custom sed) on 
both files before calling diff.
Testing for bit-identity is trivial.
Testing for semantic equivalence is not.

To ensure that the filters did not remove significant parts (e.g. sed 
/.*//), they should then use the filtered version in production.

Bernhard M.
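One concrete way a recipient can do what the reply describes: normalise both artifacts before comparing, stop at the first relevant difference, and refuse to proceed if the filter erased something. This is an added example in POSIX sh, not code from the list author or from the reproducible-builds project; it assumes the artifacts are .tar.gz files, that a "Build-Date:" line and YYYY-MM-DD HH:MM:SS timestamps are the only tolerated differences, and it builds its own constructed sample archives so it runs offline.

```shell
#!/bin/sh
# Recipient-side semantic comparison of two .tar.gz build artifacts.
# Added example, not the list author's code. The filter patterns below
# are assumptions for this illustration; real filters must be chosen per
# artifact, and the filtered output is what should actually be shipped.
set -eu

# Filter for insignificant content. Deliberately narrow: a filter such as
# 's/.*//' would make everything "equal", which is why normalize_tree
# sanity-checks the result.
strip_insignificant() {
    sed -e 's/^Build-Date: .*$/Build-Date: <stripped>/' \
        -e 's/[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/<timestamp>/g'
}

# normalize_tree ARCHIVE DESTDIR: unpack (gzip header and tar mtimes drop
# out because only file contents are compared later) and run every regular
# file through the filter in place.
normalize_tree() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    gzip -cd "$archive" | tar -xf - -C "$dest"
    find "$dest" -type f > "$dest.files"
    while read -r f; do
        strip_insignificant < "$f" > "$f.norm"
        # guard against an over-broad filter erasing a file's content
        if [ -s "$f" ] && [ ! -s "$f.norm" ]; then
            echo "filter emptied $f; refusing to compare" >&2
            return 2
        fi
        mv "$f.norm" "$f"
    done < "$dest.files"
}

# semantic_equal A B: status 0 if the normalised trees match, 1 at the
# first relevant difference (stop early instead of listing every diff).
semantic_equal() {
    work=$(mktemp -d)
    normalize_tree "$1" "$work/a"
    normalize_tree "$2" "$work/b"
    (cd "$work/a" && find . -type f | sort) > "$work/la"
    (cd "$work/b" && find . -type f | sort) > "$work/lb"
    rc=0
    if ! cmp -s "$work/la" "$work/lb"; then
        echo "relevant diff: member lists differ" >&2
        rc=1
    else
        while read -r f; do
            if ! cmp -s "$work/a/$f" "$work/b/$f"; then
                echo "relevant diff in $f" >&2
                rc=1
                break
            fi
        done < "$work/la"
    fi
    rm -rf "$work"
    return $rc
}

# Constructed sample artifacts (not real packages): a and b carry the same
# payload with different build metadata; c has a real change in a
# significant line.
make_sample() {   # make_sample OUTPUT BUILD_DATE MTIME(CCYYMMDDhhmm) VERSION
    src=$(mktemp -d)
    mkdir "$src/pkg"
    printf 'int main(void) { return 0; }\n' > "$src/pkg/main.c"
    printf 'Build-Date: %s\nVersion: %s\n' "$2" "$4" > "$src/pkg/BUILDINFO"
    touch -t "$3" "$src/pkg/main.c" "$src/pkg/BUILDINFO"
    tar -cf - -C "$src" pkg | gzip -c > "$1"
    rm -rf "$src"
}

SAMPLES=$(mktemp -d)
make_sample "$SAMPLES/a.tar.gz" "2023-05-29 08:31:23" 202305290831 1.0
make_sample "$SAMPLES/b.tar.gz" "2023-05-30 11:02:45" 202305301102 1.0
make_sample "$SAMPLES/c.tar.gz" "2023-05-29 08:31:23" 202305290831 1.1

# Bit-identity is trivial to test; semantic equivalence needs the filter.
cmp -s "$SAMPLES/a.tar.gz" "$SAMPLES/b.tar.gz" || echo "a,b: not bit-identical"
semantic_equal "$SAMPLES/a.tar.gz" "$SAMPLES/b.tar.gz" && echo "a,b: equivalent after filtering"
if ! semantic_equal "$SAMPLES/a.tar.gz" "$SAMPLES/c.tar.gz"; then echo "a,c: really differ"; fi
```

The early `return 2` is the practical answer to the `sed /.*//` worry in the reply: a filter that turns a non-empty file into an empty one is treated as a bug in the filter, not as evidence of equivalence. Comparing the sorted member lists first catches added or dropped files before any content is compared, and `cmp` stops at the first differing byte, so the check stays cheap on large artifacts.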
