openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
- Likes 1
Originally posted by spicfoo
You are conflating ABI compatibility with reproducible builds. They are not the same thing. Nobody using clones cares about the latter. Some of the clone users care about the former. Phoronix already covered the news that Red Hat developers are actively working on the same thing. It wouldn't make sense for them to allot resources to something they hate.
That's why reproducible builds are in RHEL's interest for internal use and for their paying customers, while simultaneously not being in their best interest for non-paying users who can turn reproducible builds into a competing product. This is something RHEL would back because it's great for internal auditing, and how they use it internally isn't something they actually have to share back with the community. Those reproducible build config files, just like their SPEC files, are allowed to be proprietary and stay internal.
- Likes 1
Originally posted by skeevy420
I'm not. If builds are 1:1 reproducible and that's done for an entire distribution's repository, then a 1:1 ABI compatible fork is created by default. That's why RHEL made their SPEC files harder for non-paying customers to access.
- Likes 1
Originally posted by loganj
But the source code might be the issue with these open source softwares. So even if you download it and test it, then you might have the same sneaky malware as the repo.
Reproducible builds means independent third parties can exactly reproduce the binary, giving confidence nothing else is there.
- Likes 2
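The claim above, that third parties can reproduce a binary bit for bit, depends on stripping build-host specifics from the output. As an added example (not from this thread or from openSUSE's tooling), the following packs the same constructed build output twice with different file timestamps, once naively and once with mtime and ownership normalised to a fixed SOURCE_DATE_EPOCH value (an assumed constant here), and checks whether the two archives hash identically.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Fixed timestamp in the spirit of the SOURCE_DATE_EPOCH convention (assumed value).
SOURCE_DATE_EPOCH = 1700000000


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip per-host metadata that would otherwise make archives differ."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_archive(src_dir: str, deterministic: bool) -> bytes:
    """Pack src_dir into an uncompressed tar (gzip would embed its own timestamp)."""
    buf = io.BytesIO()
    root = Path(src_dir)
    # Sorted walk: directory listing order is itself a source of nondeterminism.
    paths = sorted(p for p in root.rglob("*") if p.is_file())
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p in paths:
            arcname = p.relative_to(root).as_posix()
            tar.add(p, arcname=arcname, filter=_normalize if deterministic else None)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tree(mtime: int) -> str:
    """Constructed sample 'build output': one file with a chosen timestamp."""
    d = tempfile.mkdtemp()
    f = Path(d, "hello.txt")
    f.write_text("hello, reproducible world\n")
    os.utime(f, (mtime, mtime))
    return d


def compare(deterministic: bool) -> bool:
    """Two 'builds' of identical content at different times: do the hashes match?"""
    a = build_archive(make_tree(1600000000), deterministic)
    b = build_archive(make_tree(1650000000), deterministic)
    return sha256(a) == sha256(b)
```

With deterministic=False the archives differ only in the embedded mtime, which is exactly the kind of drift a reproducible-build verifier flags; with deterministic=True they match.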
Originally posted by Jaxad0127
You can audit the source repo. You can audit the build environment. But can you be sure that the binary you were given has had nothing else added?
Reproducible builds means independent third parties can exactly reproduce the binary, giving confidence nothing else is there.
So will you audit every package that you have to install/upgrade, or will you audit the repo in general and not the specific packages?