Are there similar efforts in other distros other than Debian and Fedora/IBM Red Hat?

Between them, Debian and Fedora are the seeds for over half the Linux distos out there. I think that's already a good start.

I am not sure flatpak runtimes count but they really try to have reproducible builds.

Reproducible build mean that PGO and BOLT are no longer viable unless use bundled build system like Chromium.

Do PGO and BOLT not have deterministic outputs?

Unless the compiler, compiler flags, and training process are identical, reproducible builds are absolutely impossible. Of course you can choose to distribute fdata, but without a bundled build system it's useless.

When I read this article and the change proposal i said to myself that there is something very wrong here, there should be no need for something like this.

Here's why, I build much of the software i use from source, for instance I always build the latest ffmpeg release from source.

My expectation is that if i download the latest git on a system running Fedora, another running Manjaro, and a third running Ubuntu and ./configure && make, that I will end up with the same binary on each system and it will function the same.

This announcement turns that expectation on its head and basically says that if i set up 3 systems with fresh installs of Fedora 40, it is not possible to end up with the same binary and more so, the binary i compile will not be the same as the one in the repos, even if we use the same code base, same compiler and same settings.

This tells me there is something fundamentally wrong and sure enough the Fedora project is nice enough to confirm that for us:



At least Fedora admits that open source code is sloppy and full of errors.

For those of you with a computer science background or know how to use Google, what this announcement is saying that compiling code on Fedora is nondeterministic, which means that there is a major gaping security hole in Fedora, and most likely Red Hat.

Compiling code should always be deterministic, that is that given the same source code and the same compiler and the same underlying dependencies, the same binary should be created every single time.

Further, packaging that binary into an rpm should always result in the same output, what i do on this system running Fedora 40 should match what you do on your system running Fedora 40.

Fedora should not be looking at adding a band-aid to their build processor or rpm creation tools but rather maybe fix the underlying problem, which they already know what it is, namely:

It turns out that quite often those irreproducible bits are caused by an error or sloppiness in the code.​

Time for these people to get their act together, they have had about 20 years now, there's no excuse for this garbage.

My point is that this is exactly as true without PGO or BOLT as it is with PGO or BOLT, so I don't see what difference it makes.

avis sophisticles Btw, would you happen to know what the status of reproducible builds is in Windows? I can't find any info on it and just thought you might know since it's your favorite OS.