Introducing: Semantically reproducible builds

FC Stegerman flx at obfusk.net
Mon May 29 12:18:17 UTC 2023


* FC Stegerman <flx at obfusk.net> [2023-05-29 13:14]:
[...]
> > I find it hard to believe it could be so close that you can programmatically
> > determine something is (probably!) mostly harmless and yet still have it
> > be implausible to go all the way to make a properly reproducible build.
> > 
> > That flies in the face of the thousands of packages I have personally
> > reviewed, and submitted patches for hundreds of them... sometimes only
> > partially successful, but in the vast majority of cases I end up staring
> > at megabytes of leftover gibberish... or something bit-for-bit
> > reproducible.
> 
> +1

One addition here: I've seen cases where the build is almost
completely reproducible except for some ordering differences
introduced by non-determinism in the build tooling (e.g. [1,2]).
Obviously, fixing the tooling would be the right solution, but that
often takes time and updating to a newer toolchain might not be
feasible short-term.

In these cases, it's usually easy for an experienced programmer to
look at the diff and conclude that the differences are indeed
harmless.  I'm not sure I'd trust any tool to programmatically verify
that though.  And I do worry that there might be differences that
don't show up in the diff I'm looking at, as kpcyrd mentioned [3].

But that is a rare case where I would personally be likely to trust
that the build has no semantically meaningful differences and is
functionally equivalent, assuming I'm sufficiently certain those are
the only differences.

- FC

[1] https://issuetracker.google.com/issues/195968520
[2] https://issuetracker.google.com/issues/281825213
[3] https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002970.html
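The situation the message describes, two ZIP-based artifacts (APK, JAR, wheel) that differ only in entry order, and the worry that a diff can hide differences, as an added example that is not part of the original post and not code from any project it references. The two archives and their entry names and contents are constructed inline for illustration; the comparison is generic ZIP entry-level logic and does not model the specific build tooling behind [1] or [2]. It shows three cases: byte-identical, reordered with identical contents, and identical contents with differing ZIP metadata, which a content-only comparison reports as "the same" even though the archives are not.

```python
"""
Compare two ZIP-based build artifacts that may differ only in entry order,
and report which differences a content-only comparison would hide.

Added example; the entries below are made up and the archives are built
in memory so the script runs offline.
"""
import hashlib
import io
import zipfile

# Constructed sample entries (name, payload) in the order one toolchain
# happens to emit them; a real artifact would have hundreds of entries.
ENTRIES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("classes.dex", b"dex\n035\x00" + b"\x00" * 16),
    ("res/layout/main.xml", b"<LinearLayout/>"),
    ("assets/config.json", b'{"debug": false}'),
]

# Fixed timestamp so that, by default, entry order is the only variable.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_zip(entries, date_time=FIXED_TIME):
    """Write entries into an in-memory ZIP in exactly the order given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload)
    return buf.getvalue()


def entry_table(blob):
    """Map entry name -> (sha256 of contents, ZIP metadata tuple).

    Insertion order of the dict is the central-directory order, so the
    archive's entry order is preserved as list(table).
    """
    table = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            meta = (info.date_time, info.compress_type, info.external_attr,
                    info.flag_bits, info.extra)
            table[info.filename] = (digest, meta)
    return table


def compare(blob_a, blob_b):
    """Describe how two archives differ.

    byte_identical    : raw bytes match (the reproducible-builds bar)
    same_order        : entries appear in the same sequence
    content_identical : same set of names with the same contents, order ignored
    metadata_diffs    : entries whose contents match but whose ZIP metadata
                        (timestamp, compression, permissions, flags, extra
                        field) differs, i.e. what a content-only diff hides
    """
    ta, tb = entry_table(blob_a), entry_table(blob_b)
    content_ok = set(ta) == set(tb) and all(ta[n][0] == tb[n][0] for n in ta)
    metadata_diffs = sorted(
        n for n in ta if n in tb and ta[n][0] == tb[n][0] and ta[n][1] != tb[n][1]
    )
    return {
        "byte_identical": blob_a == blob_b,
        "same_order": list(ta) == list(tb),
        "content_identical": content_ok,
        "metadata_diffs": metadata_diffs,
    }


def demo():
    """Run the three comparisons described in the lead-in and return them."""
    reference = build_zip(ENTRIES)
    # Same contents, entries emitted in a different (tool-dependent) order.
    reordered = build_zip(sorted(ENTRIES, key=lambda e: e[0]))
    # Same contents and order, but every entry carries a different timestamp:
    # a per-entry content diff reports no difference at all.
    restamped = build_zip(ENTRIES, date_time=(2023, 5, 29, 12, 18, 16))
    return {
        "identical": compare(reference, reference),
        "reordered": compare(reference, reordered),
        "restamped": compare(reference, restamped),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The reordered case is the one the message calls easy to judge by eye: a human sees only the shuffled entries. The restamped case is the one to worry about, since a diff of extracted contents shows nothing, and only a comparison that also covers the ZIP headers (timestamps, permissions, extra fields) reveals that the two artifacts are not the same.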


More information about the rb-general mailing list