openSUSE Factory Achieves Bit-By-Bit Reproducible Builds


  • openSUSE Factory Achieves Bit-By-Bit Reproducible Builds

    Phoronix: openSUSE Factory Achieves Bit-By-Bit Reproducible Builds

    While Fedora 41 in late 2024 is aiming to have more reproducible package builds, openSUSE Factory has already achieved a significant milestone in bit-by-bit reproducible builds...


  • #2
    Fantastic news for security!

    Are there any other distributions which currently offer reproducible builds?



    • #3
      Really a great achievement.

      Instead of making excuses they put their thinking caps on and got to work.

      From a security standpoint, that now makes them my number one Linux distro to use when security is of the utmost importance.

      I'm going to have to install it on my guinea pig system and give it a whirl.

      Nice job.



      • #4
        Originally posted by Kjell:
        Fantastic news for security!

        Are there any other distributions which currently offer reproducible builds?
        NixOS does. You can look at the reproducible-builds.org site for more information.



        • #5
          Just asking: do reproducible builds work only when all libs have fixed versions (like those LTS distros), or could it work when building against different versions of libraries (like Arch)? If the second is true, then how?
          I mean, for a rolling release platform where libraries are updated continuously, does it make sense?



          • #6
            Originally posted by Setif:
            Just asking: do reproducible builds work only when all libs have fixed versions (like those LTS distros), or could it work when building against different versions of libraries (like Arch)? If the second is true, then how?
            I mean, for a rolling release platform where libraries are updated continuously, does it make sense?
            Yes. The layman's version is that reproducible builds mean the build output I get on my system will be the same as upstream's. That's regardless of how fast or slow the OS updates their source code. Once they update the code and release their binaries, we ought to be able to rebuild it exactly the same as they did, assuming everything and everyone is set up in a reproducible manner. It helps verify that a MITM attack doesn't occur.

            It can be argued that things that move as fast as possible could be more susceptible to MITM if they don't have some form of build replication and reproduction.

            It can also be argued that all the bad actor has to do is target the reproducible build system. If everyone gets their code from the MITM, would he still be in the middle?

            It can also, also be argued that RHEL will fucking hate this. Reproducible builds turned into distributions is basically what Rocky, Alma, etc are.



            • #7
              Originally posted by aviallon:
              NixOS does. You can look at the reproducible-builds.org site for more information.
              Depends on the definition: https://linderud.dev/blog/nixos-is-not-reproducible/



              • #8
                Originally posted by Kjell:
                Fantastic news for security!

                Are there any other distributions which currently offer reproducible builds?
                Not a Linux distro, but NetBSD can since version 8.0: https://blog.netbsd.org/tnf/entry/re...it_venice_2022



                • #9
                  Wait, what? Won't the same source code compiled with the same dependencies produce the same binary?

                  Anyway, openSUSE is a heavily underrated distribution.



                  • #10
                    Originally posted by szymon_g:
                    Wait, what? Won't the same source code compiled with the same dependencies produce the same binary?

                    Anyway, openSUSE is a heavily underrated distribution.
                    No. Already something as simple as __TIME__ and __DATE__ makes the build non-deterministic, as they include the compilation time. Then there are funny things such as time stamps and possibly the order of compilation that could influence the generated code. There is also a recent issue for GEGL where hardware information is introduced in the build (for some reason they have "runtime data" in /usr/share/: https://gitlab.gnome.org/GNOME/gegl/-/issues/368).

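The two non-determinism sources named in #10 (embedded build timestamps and unstable ordering) and the rebuild-and-compare check described in #6 can both be shown in a few lines. The following is an added example, not code from the thread, from openSUSE or from Phoronix. It packages a constructed two-file tree into a .tar.gz once naively and once normalised with a SOURCE_DATE_EPOCH value (the reproducible-builds.org convention; GCC uses the same variable to override what __DATE__ and __TIME__ expand to). Archive timestamps stand in for compiler timestamps here, since a Python script cannot show the C preprocessor itself; the sample tree and the epoch constant are invented for the demonstration.

```python
"""Added example: build non-determinism from timestamps and input order,
and the SOURCE_DATE_EPOCH-style normalisation that removes it."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample build tree: path -> (mtime, contents). TREE_B holds the
# same files as TREE_A but yields them in a different order, as a parallel
# build or a different filesystem might.
TREE_A = {
    "usr/bin/hello": (1_700_000_100, b"\x7fELF fake binary\n"),
    "usr/share/doc/hello/README": (1_700_000_200, b"Hello, world\n"),
}
TREE_B = dict(reversed(list(TREE_A.items())))

# Stand-in for the SOURCE_DATE_EPOCH environment variable (usually the
# timestamp of the last source change or changelog entry).
SOURCE_DATE_EPOCH = 1_700_000_000


def naive_package(tree, now):
    """Package the tree the way a careless script does: entries in whatever
    order the mapping yields them, per-file mtimes preserved, and the gzip
    header stamped with the wall clock (`now` plays the role of time.time())."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path, (mtime, data) in tree.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=now)


def reproducible_package(tree, source_date_epoch):
    """Same package, normalised: sorted entry order, fixed ownership and
    mode, mtimes clamped to SOURCE_DATE_EPOCH, and the gzip header stamped
    with that epoch instead of the clock."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(tree):
            mtime, data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = min(mtime, source_date_epoch)  # clamp, never newer
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=source_date_epoch)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or -1 if the blobs are identical.
    For the naive build this lands on the gzip MTIME field (bytes 4..7)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def rebuild_matches(upstream, rebuilt):
    """The check a user performs against a distro's claim: the independently
    rebuilt artifact must hash identically to the published one."""
    return sha256(upstream) == sha256(rebuilt)


if __name__ == "__main__":
    n1, n2 = naive_package(TREE_A, 1000), naive_package(TREE_A, 2000)
    print("naive, same tree, different clock: first diff at byte",
          first_difference(n1, n2))
    print("naive, same clock, different order: identical?",
          rebuild_matches(naive_package(TREE_A, 1000), naive_package(TREE_B, 1000)))
    r1 = reproducible_package(TREE_A, SOURCE_DATE_EPOCH)
    r2 = reproducible_package(TREE_B, SOURCE_DATE_EPOCH)
    print("normalised, different order: identical?", rebuild_matches(r1, r2),
          sha256(r1)[:16])
```

The clamp (`min(mtime, source_date_epoch)`) rather than a flat overwrite is deliberate: files genuinely older than the last source change keep their timestamps, which is what the reproducible-builds.org guidance recommends, while anything touched by the build itself collapses to the epoch. The same idea scales up to a whole distribution: fix every input the build can observe (clock, ordering, environment, hardware), and a rebuild on any machine hashes to the published artifact.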
