
So much time has been wasted on reproducible builds which could have been better spent on securing more important parts of Debian. Practically minor changes like a build timestamp being different are not an issue.


It allows verifying that the binaries actually match the source, which is extremely valuable.


Bit for bit matching is not required for that.


It makes it much simpler and more robust though. Also, it allows for content addressing a la Nix, among other benefits.


I reject that those benefits are actually that useful compared to the effort needed to do so.

You can do content addressing without reproducible builds. You just have a canonical version, which typically is built by the application developer.


Yes, making sure build timestamps are reproducible isn't a security win.

What is a win is that two independent parties can run the same build, and get the same binaries.

This is important because it removes trust from builders: anyone can verify their output.

It just so happens that unimportant things like build versions impede that.


Anyone can verify the actual code in the binary matches even if some bytes within the binary file itself are different. The verification routine doesn't have to be a basic bit for bit equality test.


For sure.

This has been the status quo in Debian for a while now. You can build, and use diffoscope to audit the differences.

It's a stronger security property to have bit-for-bit reproducibility, and it looks like Debian are ready to commit to it.


You are just restating the point of the thread and not addressing how low the return on investment of doing this is.


Fair point.

I had figured the cost would decrease in time as deterministic builds became the norm (i.e. build tools stop including build timestamps).

I agree that it might not have positive ROI. Bit tricky for me to judge.
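A runnable illustration of the two verification styles argued over in this thread: two independent builders producing bit-identical output once build-time metadata is pinned, versus comparing builds only after normalizing away the fields (mtime, uid/gid, member order) that a verifier does not care about. This is an added example, not code from the thread or from Debian's tooling; the package tree, timestamps, uids and the "rogue builder" edit are constructed values, and `normalize` is a hypothetical stand-in for the by-hand review diffoscope supports. It also shows why the weaker comparison still catches a builder who changes the actual code.

```python
"""Reproducible packing vs. normalize-then-compare (added example, not from the thread)."""
import hashlib
import io
import tarfile

# Constructed stand-in for a package's build output; not a real Debian package.
BUILD_TREE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
}


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def naive_pack(tree: dict, build_time: int, builder_uid: int) -> bytes:
    """Pack the tree the way an untuned build does: the wall-clock mtime and the
    builder's own uid/gid leak into every tar header, so two honest builders
    running at different times produce different bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time
            info.uid = info.gid = builder_uid
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_pack(tree: dict, source_date_epoch: int = 0) -> bytes:
    """Pack with every nondeterministic field pinned: sorted member order, mtime
    taken from SOURCE_DATE_EPOCH, uid/gid 0, fixed mode, empty owner names.
    Equivalent in spirit to `tar --sort=name --mtime=@$SOURCE_DATE_EPOCH
    --owner=0 --group=0 --numeric-owner`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in sorted(tree):
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def normalize(blob: bytes) -> bytes:
    """Hypothetical verifier step: re-pack an existing tarball through
    reproducible_pack, discarding metadata the verifier chooses to ignore.
    Comparing normalized hashes is the 'not bit-for-bit' check from the thread.
    It is weaker than byte equality: it only masks fields this function knows
    about, so every new source of nondeterminism needs a new rule here."""
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        for member in tf.getmembers():
            if member.isfile():
                tree[member.name] = tf.extractfile(member).read()
    return reproducible_pack(tree)


def builds_match(pack_a: bytes, pack_b: bytes) -> bool:
    return sha256_hex(pack_a) == sha256_hex(pack_b)


def demo() -> dict:
    # Builder A and builder B: honest, but different wall clock and uid (constructed).
    a_naive = naive_pack(BUILD_TREE, build_time=1_700_000_000, builder_uid=1000)
    b_naive = naive_pack(BUILD_TREE, build_time=1_700_003_600, builder_uid=1001)
    # Same builders with SOURCE_DATE_EPOCH pinned (constructed value).
    a_repro = reproducible_pack(BUILD_TREE, source_date_epoch=1_600_000_000)
    b_repro = reproducible_pack(BUILD_TREE, source_date_epoch=1_600_000_000)
    # A rogue builder who alters the code, not just metadata (constructed edit).
    tampered_tree = dict(BUILD_TREE)
    tampered_tree["usr/bin/hello"] = b"#!/bin/sh\necho hello\necho inserted-by-rogue-builder\n"
    rogue = naive_pack(tampered_tree, build_time=1_700_007_200, builder_uid=1002)
    return {
        "naive_bit_for_bit": builds_match(a_naive, b_naive),
        "naive_after_normalize": builds_match(normalize(a_naive), normalize(b_naive)),
        "reproducible_bit_for_bit": builds_match(a_repro, b_repro),
        "tamper_detected": not builds_match(normalize(a_naive), normalize(rogue)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the naive builds fail the byte comparison but pass after normalization, the pinned builds pass outright, and the rogue builder's change survives normalization and is caught. The design point the thread circles around is visible in `normalize`: the normalize-then-compare route works, but every ignored field is a deliberate decision that has to be maintained, while bit-for-bit output needs no such allow-list.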


You are free to provide patches instead of bitching.


And Debian is able to offer me a few million dollars yearly to help fix their security situation.


The idea that Debian has a few million dollars to spare creates the assumption that, even if they did have it... you would either not know how to fix the issues, or it would not be worth it.



