Fedora 41 Aims For More Reproducible Package Builds Thanks To A Rust Program

Written by Michael Larabel in Fedora on 15 April 2024 at 10:26 AM EDT. 26 Comments
Continuing a trend worked on in recent Fedora Linux releases and more broadly in the open-source ecosystem at large for securing the software supply chain and ensuring unaltered binaries, Fedora 41 is aiming to ensure more reproducible package builds.

As part of the reproducible builds effort in the Fedora world, Fedora 41 is looking to employ the "add-determinism" Rust program to help ensure better determinism/consistency for making software builds more reproducible.

The newly-filed change proposal explains:
"add-determinism is a Rust program which, as its name suggests, adds determinism to files that are given as input by attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to $SOURCE_DATE_EPOCH in all instances. add-determinism is the "Fedora version" of strip-nondeterminism from the Debian project. Since strip-nondeterminism is written in perl, it is undesirable for use in Fedora, as we don't want to pull perl in the buildroot for every package.

It's worth noting that this Change does not intend to impose any specific reproducibility requirements on Fedora packages. Once this Change is implemented and we have been through a mass rebuild and can verify that the common causes of irreproducibility have indeed been removed, we can consider further steps. But that will be at least one release later.

This change does add a small amount of time to the processing of RPMs at the end of a build. Accordingly, packages containing large quantities or sizes of files be slower, but this effect is not expected to be noticeable. add-determinism takes steps to ensure it does not interfere with other buildroot post processors like mangle-shebangs, python-hardlink, python-bytecompile. It defaults to not doing any modifications in case it doesn't understand the input file or there are any other problems."

All in a good move to provide for more determinism for Fedora package builds to help with the reproducible builds effort. The change proposal still needs to receive approval from the Fedora Engineering and Steering Committee (FESCo), but given all the talk these days around securing the software supply chain and reproducible builds, it will likely pass well for this change going into effect this autumn with Fedora 41.

Fedora Workstation 40

Those curious about the add-determinism Rust post-processor for resetting metadata fields can find the project on GitHub. Currently there are processors for ar, jar, javadoc, and pyc files.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week