This is fantastic to see. Reproducible builds adds yet another layer of trust on top of open source software. The wiki page is also classic Arch Wiki-style, with all the detail one would expect. Every OSS project should strive to be this helpful.
I care more about whether maintainers actually audit the contents of packages than about whether their builds are reproducible (though the latter still matters)!
Not just whether there is obvious malware, but also whether there are obvious vulnerabilities, whether the person that wrote it is of good nature / located in a country where they're safe from nation-state pressure, and whether there is a lot of history behind the app.
Obviously this is too much work for any individual and requires a chain of trust. I believe Fedora and Ubuntu at the very least audit to some extent, but I've never seen any doco.
Debian have done a huge amount of work in this area - https://wiki.debian.org/ReproducibleBuilds
Based on my reading of this Arch wiki page[0], it looks like this doesn't impact packages in the AUR. Does anyone who is more familiar with this know if that is true? It appears that it does work for community packages though (see the bottom of this page[1]).
[0] https://wiki.archlinux.org/index.php/Rebuilderd
[1] https://wiki.archlinux.org/index.php/Rebuilderd#Syncing_pack...
Interesting to see https://github.com/kpcyrd/rebuilderd in Rust. Is this the first Arch project in Rust?
This is very good news. I was wondering recently just how to do this, as I wanted to build everything with some different compiler configuration.
The wiki says:
> a large number of builds are not reproducible yet
I never got around to submitting my blog to HN. But if people are curious about some technical details of the underlying problems of reproducing Arch Linux packages I wrote something a few months ago.
https://linderud.dev/blog/reproducible-arch-linux-packages/
EDIT: I did self-discover I did submit the article when I wrote it. Just forgot. Oh well :)