A change proposal filed for the upcoming Fedora Linux 43 development cycle hopes to establish an expectation that RPM package builds for the distribution are reproducible.
Fedora has spent much of the past several years working on the infrastructure changes needed for reproducible builds, so that independent users can rebuild packages bit-for-bit identically and confirm that the software they run hasn't been tainted or otherwise modified. This work is part of the larger Reproducible Builds effort across Linux distributions. With the change proposal being considered for Fedora 43, package builds would be expected to be reproducible, and Fedora package maintainers would be expected to take any steps needed to meet that expectation.
The “Package builds are expected to be reproducible” change proposal explains:
“Over the last few releases, we changed our build infrastructure to make package builds reproducible. This is enough to reach 90%. The remaining issues need to be fixed in individual packages. After this Change, package builds are expected to be reproducible. Bugs will be filed against packages when an irreproducibility is detected. The goal is to have no fewer than 99% of package builds reproducible.”
This change is mostly about making sure maintainers resolve reproducibility issues with their packages. There are, though, some outstanding issues that may block or exempt some packages: Haskell packages are currently not reproducible when compiled on more than one CPU thread, MinGW packages have irreproducible debug data, Golang packages also have irreproducible debug data, the kernel uses an ephemeral key for module signatures, and some packages use a private key for signing for UEFI Secure Boot.
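As an added illustration, not code from the proposal or from Fedora's build tooling: the check behind "rebuild it and compare bit-for-bit", reduced to a toy archive. The sample file tree, the nondeterministic inputs (entry order, wall-clock timestamps, builder ownership) and the `SOURCE_DATE_EPOCH` value are all constructed here; real RPM packaging normalizes the same sources of drift.

```python
import hashlib
import io
import tarfile

# Constructed sample "build output": path -> file content.
SAMPLE_TREE = {
    "usr/bin/tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/tool/README": b"tool 1.0\n",
    "usr/lib/tool/plugin.so": b"\x7fELF-placeholder",
}

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def _add(tar, name, data, mtime, uid, gid):
    info = tarfile.TarInfo(name)
    info.size, info.mtime, info.uid, info.gid = len(data), mtime, uid, gid
    tar.addfile(info, io.BytesIO(data))

def build_naive(tree, order, now, builder_uid=1000):
    """Irreproducible packaging: filesystem entry order, wall-clock mtime, builder's uid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in order:
            _add(tar, name, tree[name], now, builder_uid, builder_uid)
    return buf.getvalue()

def build_reproducible(tree, source_date_epoch):
    """Same inputs normalized: sorted order, mtime clamped to SOURCE_DATE_EPOCH, root ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(tree):
            _add(tar, name, tree[name], source_date_epoch, 0, 0)
    return buf.getvalue()

def _members(blob):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        return [(m.name, (int(m.mtime), m.uid, m.gid, m.mode,
                          digest(tar.extractfile(m).read())))
                for m in tar]

def diff_builds(a, b):
    """Mini diffoscope: report which members (header or content) differ between two rebuilds."""
    ma, mb = _members(a), _members(b)
    da, db = dict(ma), dict(mb)
    return {
        "identical": a == b,
        "order_differs": [n for n, _ in ma] != [n for n, _ in mb],
        "members": sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n)),
    }
```

Two `build_naive` runs with a different directory listing order and a later clock produce different bytes and `diff_builds` names every member as changed by its mtime, while two `build_reproducible` runs with the same `SOURCE_DATE_EPOCH` are byte-identical.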
Hopefully this change pans out and everything goes ahead with this welcome change for Fedora 43, adding more determinism to package builds and ensuring that all packages — or as many as possible — can be built in a reproducible manner.