Fedora 41 Aims For More Reproducible Package Builds Thanks To A Rust Program
Continuing a trend in recent Fedora Linux releases, and in the open-source ecosystem more broadly, of securing the software supply chain and ensuring unaltered binaries, Fedora 41 is aiming for more reproducible package builds.
As part of the reproducible builds effort in the Fedora world, Fedora 41 is looking to employ the "add-determinism" Rust program to make package builds more deterministic and consistent, and therefore more reproducible.
The newly-filed change proposal explains:
"add-determinism is a Rust program which, as its name suggests, adds determinism to files that are given as input by attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to $SOURCE_DATE_EPOCH in all instances. add-determinism is the "Fedora version" of strip-nondeterminism from the Debian project. Since strip-nondeterminism is written in perl, it is undesirable for use in Fedora, as we don't want to pull perl in the buildroot for every package.
It's worth noting that this Change does not intend to impose any specific reproducibility requirements on Fedora packages. Once this Change is implemented and we have been through a mass rebuild and can verify that the common causes of irreproducibility have indeed been removed, we can consider further steps. But that will be at least one release later.
This change does add a small amount of time to the processing of RPMs at the end of a build. Accordingly, packages containing large quantities or sizes of files will be slower, but this effect is not expected to be noticeable. add-determinism takes steps to ensure it does not interfere with other buildroot post processors like mangle-shebangs, python-hardlink, python-bytecompile. It defaults to not doing any modifications in case it doesn't understand the input file or there are any other problems."
All in all, this is a good move toward more determinism in Fedora package builds and helps the reproducible builds effort. The change proposal still needs approval from the Fedora Engineering and Steering Committee (FESCo), but given all the talk these days around securing the software supply chain and reproducible builds, it will likely pass, with the change going into effect this autumn with Fedora 41.
Those curious about the add-determinism Rust post-processor for resetting metadata fields can find the project on GitHub. Currently there are processors for ar, jar, javadoc, and pyc files.
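The clamping the change proposal describes, sketched for ar archives as an added example that is not add-determinism's own code: member mtimes later than $SOURCE_DATE_EPOCH are set to it, and input that does not parse yields `None` so the caller leaves the file untouched. The names `clamp_ar_mtimes`, `field` and `member` are hypothetical, and the sample archive is constructed.

```rust
// Added illustration, not add-determinism's own code: clamp the mtime field of
// every member in a Unix `ar` archive to SOURCE_DATE_EPOCH. Names are hypothetical.
const MAGIC: &[u8] = b"!<arch>\n";
const HDR: usize = 60; // name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\n"

/// Space-padded decimal header field; a blank field reads as 0.
fn field(b: &[u8]) -> Option<u64> {
    let s = std::str::from_utf8(b).ok()?.trim_end();
    if s.is_empty() { Some(0) } else { s.parse().ok() }
}

/// Returns a copy in which every member mtime later than `epoch` is set to `epoch`.
/// Returns None when the input is not understood, so the caller leaves the file alone.
fn clamp_ar_mtimes(input: &[u8], epoch: u64) -> Option<Vec<u8>> {
    if !input.starts_with(MAGIC) { return None; }
    let stamp = format!("{:<12}", epoch);
    if stamp.len() != 12 { return None; } // epoch does not fit the 12-byte field
    let mut out = input.to_vec();
    let mut pos = MAGIC.len();
    while pos < out.len() {
        let hdr = out.get(pos..pos + HDR)?; // truncated header -> None
        if &hdr[58..60] != b"`\n" { return None; }
        let mtime = field(&hdr[16..28])?;
        let size = field(&hdr[48..58])? as usize;
        let end = (pos + HDR).checked_add(size)?;
        if end > out.len() { return None; } // truncated member data
        if mtime > epoch {
            out[pos + 16..pos + 28].copy_from_slice(stamp.as_bytes());
        }
        pos = end + (size & 1); // member data is padded to an even length
    }
    Some(out)
}

/// Constructed sample data: one archive member with the given name, mtime and body.
fn member(name: &str, mtime: u64, body: &[u8]) -> Vec<u8> {
    let hdr = format!("{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n", name, mtime, 0, 0, 100644, body.len());
    let mut m = hdr.into_bytes();
    m.extend_from_slice(body);
    if body.len() % 2 == 1 { m.push(b'\n'); }
    m
}

fn main() {
    let epoch: u64 = std::env::var("SOURCE_DATE_EPOCH").ok().and_then(|v| v.parse().ok()).unwrap_or(1_700_000_000);
    let ar = [MAGIC.to_vec(), member("old.o/", 1_600_000_000, b"abc"), member("new.o/", 1_800_000_000, b"de")].concat();
    let fixed = clamp_ar_mtimes(&ar, epoch).expect("valid archive");
    println!("changed bytes: {}", ar.iter().zip(&fixed).filter(|(a, b)| a != b).count());
}
```

Two builds of the same members at different wall-clock times produce identical bytes after this pass, as long as both use the same SOURCE_DATE_EPOCH.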