Announcement

Collapse
No announcement yet.

Fedora 41 Approved To Make Package Builds More Reproducible

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • #1

    Fedora 41 Approved To Make Package Builds More Reproducible

    Phoronix: Fedora 41 Approved To Make Package Builds More Reproducible

    In addition to approving -O3 optimized Python builds, the Fedora Engineering and Steering Committee (FESC)) this week unanimously approved a Fedora 41 change proposal for making RPM package builds more reproducible...

    Fedora 41 Approved To Make Package Builds More Reproducible - Phoronix
    https://www.phoronix.com/news/Fedora-41-More-Reproducible
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
    • Likes 1
  • #2
    Canonical needs to look into this too for Ubuntu!
    • Likes 6

    Comment

    • #3
      pretty cool. Only 20 years after T2/Linux https://t2sde.org ;-)

      Comment

      • #4
        Originally posted by uid313 View Post
        Canonical needs to look into this too for Ubuntu!
        Amen and amen. Let it be so.

        Comment

        • #5
          does anyone know how builds became non deterministic in the first place? How was this ever a thing?

          Comment

          • #6
            does compiler optimisations like LTO/BOLT are compatible with this (i have read somewhere it is possible), In NixOS they disable many compiler optimisation due to Reproduciblity

            Comment

            • #7
              Originally posted by mSparks View Post
              does anyone know how builds became non deterministic in the first place? How was this ever a thing?
              A lot of it is metadata. Time stamps, local paths, etc. The goal of reproducible builds is for independent parties to be able to create identical binaries, so embedded metadata needs cleaning.
              • Likes 1

              Comment

              • #8
                Originally posted by Jaxad0127 View Post

                A lot of it is metadata. Time stamps, local paths, etc. The goal of reproducible builds is for independent parties to be able to create identical binaries, so embedded metadata needs cleaning.
                surely verifying binaries can just ignore the metadata?, this seems like something far more insidious.

                also, metadata is still deterministic, non deterministic implies the binaries change randomly even when metadata is otherwise identical.

                Comment

                • #9
                  Originally posted by mSparks View Post

                  surely verifying binaries can just ignore the metadata?, this seems like something far more insidious.

                  also, metadata is still deterministic, non deterministic implies the binaries change randomly even when metadata is otherwise identical.
                  You're assuming it's ELF metadata, rather than things like timestamps baked into the object code via things like preprocessor defines. (eg. some applications put their build timestamps in their --version output)

                  As for deterministic vs. non-deterministic, their definition of non-determinism is broader, also covering information leaking in through side-channels not covered by their build plans, such as calls to strftime to generate those --version strings which back onto calls like localtime during the build process.

                  Comment

                  • #10
                    Originally posted by ssokolow View Post

                    their definition of non-determinism is broader
                    OK.
                    So are builds creating randomly different binaries or not?

                    Comment

                    Previous 1 2 template Next
                    Working...
                    X