Hello! I had the pleasure to attend the first “Reproducible Build Summit” this week, wonderfully well organized by Debian hackers Holger and Lunar, along with other brilliant people, and with the support of the Linux Foundation, the Open Tech Fund, and Google.
https://reproducible-builds.org/events/athens2015/

Reproducible builds are the technical means by which we can give users a chance to make sure they get the Corresponding Source, as the GPL calls it, for a given binary. If a package can be rebuilt by anyone, yielding a bit-for-bit identical result, then users can make sure they get genuine binaries. For more background, see:

https://reproducible-builds.org/

Around 40 people were at the meeting, including contributors to a variety of free operating systems and distros, and to privacy- or autonomy-enhancing projects such as Tor and Coreboot. All the participants had a lot of insight to share and a common will to provide users with binaries they can trust.

I think GNU has a role to play: This is all about empowering users. GNU Guix does its part by providing tools that maximize build reproducibility and easily allow users to build by themselves, publish binaries, and challenge third-party binaries:

https://savannah.gnu.org/forum/forum.php?forum_id=8407

A more detailed report of the summit for Guix is available at:

https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00107.html

But beyond Guix, all the GNU packages can help. First and foremost, packages that generate build outputs, such as compilers, must be able to produce deterministic results. Examples of packages that are being fixed include GCC (mainly for __DATE__ and __TIME__), help2man (timestamps in the outputs), GNU groff (ditto), Libtool (old versions used to not sort the output of ‘find’), Emacs autoload generation (timestamps), and many more.

“Leaf” GNU packages can also have problems of their own. The Debian non-reproducibility issue database, which is going to be shared with other distros and interested parties, contains many examples of these:

https://reproducible.debian.net/index_issues.html

I invite you GNU hackers to look into it and see whether there’s something you can do to improve your package.

We’re happy to help with Guix tools to determine whether build results are deterministic; please email [email protected] if you’re interested in it.

I think GNU can also help by better supporting reproducible builds with its infrastructure. Examples of discussions to have include whether/how we can make ftp.gnu.org truly append-only, and adding recommendations to the GNU Coding Standards.

There will be other meetings. I hope GNU can bring more good news there!

Thanks,
Ludo’.
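The two non-determinism sources the message names (build timestamps embedded in outputs, and directory walks in unsorted `find` order) next to their reproducible counterparts, plus the rebuild-and-compare check, as an added Python example that is not part of this message or of Guix. The source trees are constructed in a temporary directory; `SOURCE_DATE_EPOCH` defaulting to 0 and the `BUILD_INFO` file name are assumptions for the demo.

```python
import io, os, tarfile, tempfile, time


def build_naive(src_dir, clock=time.time):
    """Non-reproducible: stamps the build time (as old help2man did), walks
    os.listdir order (unspecified, like unsorted `find`), keeps file mtimes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = f"built at {clock()}\n".encode()
        stamp = tarfile.TarInfo("BUILD_INFO")  # assumed name for the demo
        stamp.size = len(data)
        tar.addfile(stamp, io.BytesIO(data))
        for name in os.listdir(src_dir):
            tar.add(os.path.join(src_dir, name), arcname=name)  # mtime/uid/gid from disk
    return buf.getvalue()


def build_reproducible(src_dir, source_date_epoch=0):
    """Reproducible: sorted walk, fixed mtime (SOURCE_DATE_EPOCH), neutral owner, no stamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(os.listdir(src_dir)):
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime, info.uid, info.gid = source_date_epoch, 0, 0
            info.uname = info.gname = ""
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def is_reproducible(build, *args, runs=2):
    """Rebuild `runs` times and require bit-for-bit identical output."""
    return len({build(*args) for _ in range(runs)}) == 1


def demo():
    """Two trees holding the same files created in opposite order, built both ways."""
    files = {"README": b"hello\n", "main.c": b"int main(void) { return 0; }\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for sub, order in (("a", list(files)), ("b", list(files)[::-1])):
            os.mkdir(os.path.join(tmp, sub))
            for name in order:  # creation order may change on-disk directory order
                with open(os.path.join(tmp, sub, name), "wb") as fh:
                    fh.write(files[name])
        a, b = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        return {
            "naive_changes_with_clock": build_naive(a, lambda: 1.0) != build_naive(a, lambda: 2.0),
            "reproducible_is_stable": is_reproducible(build_reproducible, a),
            "reproducible_same_across_trees": build_reproducible(a) == build_reproducible(b),
        }
```

Running `demo()` shows the naive archive changing with the clock while the reproducible one is identical across rebuilds and across trees whose files were created in different orders.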
