openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
-
Originally posted by sophisticles:
From a security standpoint, that now makes them my number one Linux distro to use when security is of the utmost importance.
- Likes 2
-
Originally posted by szymon_g:
Wait, what? Won't the same source code compiled with the same dependencies produce the same binary?
Anyway, openSUSE is a heavily underrated distribution.
EDIT: just saw someone already mentioned that.
Distributions that are (mostly) reproducible are Arch Linux and Debian (>90% on x86_64).
- Likes 5
-
Another distribution that has been doing a lot of work on the related topics of full-source bootstrapping and build reproducibility for quite a few years now is Guix. When I last looked at the numbers, I believe the figures were above 90% for x86_64; however it has been more than a year since I last checked and https://data.guix.gnu.org/repository...eproducibility isn't currently accessible.
A couple of good sources of information on build reproducibility are https://reproducible-builds.org/ and, for a more detailed view of issues that can arise and work that is being done, the Guix blog at https://guix.gnu.org/en/blog/ (in particular https://guix.gnu.org/en/blog/tags/reproducibility/ which looks to include a small number of posts with more general information, and https://guix.gnu.org/en/blog/tags/reproducible-builds/ which includes more Guix-specific posts such as specific milestones, etc).
- Likes 2
-
What are some good ways to verify that the installed files on the file system match the ones that the distribution's package system installed as parts of packages?
I.e., check whether the system files correspond to the ones in the officially installed and signed packages, or whether they have changed since installation?
Obviously one can hash the present files after (and maybe also before) every package installation/update and see what changed, but since the repo packages themselves are signed and, I suppose, may have manifests available with the content hashes, I wonder if there's an easy way to compose/keep/check against the upstream package hash lists, which may be downloaded/cached during a package installation anyway.
- Likes 1
-
Besides openSUSE, Debian and Arch Linux also spend significant effort on reproducible builds.
So far Fedora only aims for semi-reproducible builds, ignoring several metadata bits in a custom compare tool. We also did that for practical reasons with our build-compare tool. However, there is always the danger that such a tool misses out on significant changes.
For openSUSE rpm verification, I now use rpm --delsign to drop the embedded signature and get over 13300 bit-identical packages from rebuilds.
Since Tumbleweed is rolling, I also keep an index of old binaries in IPFS at http://opensuse.zq1.de/ and use the _buildenv files (available via OBS API) to locate the right versions.
@pong: you can use rpm -qaV and ignore files tagged as config (c) or ghost (g).
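Added example for the question above about checking installed files against what the signed packages shipped, and for the reply's two techniques (rpm -qaV with config and ghost files ignored; rpm --delsign before comparing a rebuild). This is not code from the thread, from openSUSE or from rpm; it only wraps rpm's own -V, -Vp, -K and --delsign options. The sample rpm -V output is constructed, not captured from a real system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread.
#
# rpm -V prints one line per file that fails a check:
#   <9 verify flags, or the word "missing">  <attribute> <path>
# The attribute is c (config), d (doc), g (ghost), l (license), r (readme)
# or blank. Config and ghost files are expected to differ from the package,
# so the reply suggests ignoring them. Other lines rpm may emit (for example
# "Unsatisfied dependencies ...") are passed through unchanged.

# Read rpm -V output on stdin; write only the lines worth looking at.
filter_rpm_verify() {
    awk '
    {
        head = $0
        # Cut the path off; what remains is "<flags>  <attr>" (attr may be blank).
        if (!sub(/ \/.*$/, "", head) ||
            head !~ /^(missing|[SM5DLUGTP.?]+) +[a-z]?$/) {
            print            # not a per-file verify line: keep as-is
            next
        }
        attr = substr(head, length(head), 1)
        if (attr == "c" || attr == "g") next   # config or ghost: expected to differ
        print
    }'
}

# Verify every installed package against the local rpm database.
# Caveat: the database is a local file, so root can rewrite the recorded
# digests as easily as the files; see verify_against_package_file for a
# check that does not trust the rpmdb.
verify_installed_packages() {
    rpm -qaV | filter_rpm_verify
}

# Verify installed files against a downloaded package file instead of the
# rpmdb: rpm -K checks the file's signature and digests first, then rpm -Vp
# compares the installed files with that package's own file manifest.
verify_against_package_file() {
    rpm -K "$1" && rpm -Vp "$1" | filter_rpm_verify
}

# Compare a distributed package with a local rebuild, bit for bit, after
# dropping the embedded signature (the only part a rebuild cannot reproduce).
# rpm --delsign edits in place, so work on copies. Exit status 0 = identical.
rebuild_is_identical() {
    tmp=$(mktemp -d) || return 2
    cp "$1" "$tmp/a.rpm" && cp "$2" "$tmp/b.rpm" &&
        rpm --delsign "$tmp/a.rpm" >/dev/null &&
        rpm --delsign "$tmp/b.rpm" >/dev/null &&
        cmp -s "$tmp/a.rpm" "$tmp/b.rpm"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample of rpm -V output (not from a real system): a modified
# config file, a ghost file, a modified binary, a missing doc file, a missing
# config file, a doc file with a changed mtime, and a dependency complaint.
SAMPLE_RPM_V_OUTPUT='S.5....T.  c /etc/ssh/sshd_config
.M.......  g /var/lib/foo/cache.db
S.5....T.    /usr/bin/ssh
missing     /usr/share/doc/packages/bash/README
missing   c /etc/bash.bashrc.local
.......T.  d /usr/share/man/man1/ls.1.gz
Unsatisfied dependencies for foo-1.0-1.x86_64: bar >= 2'

# Stand-alone run on the sample: the two config lines and the ghost line
# are dropped, the modified binary and the missing doc file remain.
printf '%s\n' "$SAMPLE_RPM_V_OUTPUT" | filter_rpm_verify
```

On a real system, `verify_installed_packages` is the quick check; when the rpmdb itself is in doubt, fetch the original package from the repository and use `verify_against_package_file`, which only trusts the repository signing key. Note that rpm -V flags metadata changes (mode, owner, mtime) as well as content changes, so a surviving line is a reason to look, not proof of tampering.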
-
Originally posted by skeevy420:
It can also be argued that RHEL will fucking hate this. Reproducible builds turned into distributions are basically what Rocky, Alma, etc. are.
- Likes 1