←back to thread

Debian bookworm live images now reproducible

(lwn.net)
764 points bertman | 3 comments | 26 Mar 25 17:22 UTC | HN request time: 0.726s | source
Show context
c0l0 ◴[26 Mar 25 17:43 UTC] No.43484720[source]
I never really understood the hype around reproducible builds. It seems to mostly be a vehicle to enable tivoization[0] while keeping users sufficiently calm. With reproducible buiilds, a vendor can prove to users that they did build $binary from $someopensourceproject, and then digitally sign the result so that it - and only it - would load and execute on the vendor-provided and/or vendor-controlled platform. But that still kills effective software freedom as long as I, the user, cannot do the same thing with my own build (whether it is unmodified or not) of $someopensourceproject.

Therefore, I side with Tavis Ormandy on this debate: https://web.archive.org/web/20210616083816/https://blog.cmpx...

[0]: https://en.wikipedia.org/wiki/Tivoization

replies(12): >>43484745 #>>43484754 #>>43484942 #>>43485078 #>>43485108 #>>43485155 #>>43485403 #>>43485551 #>>43485635 #>>43486702 #>>43487034 #>>43492779 #
myrmidon ◴[26 Mar 25 18:15 UTC] No.43485108[source]
Lets turn this around. Why would you ever want non-reproducible builds?

Every bit of nondeterminism in your binaries, even if it's just memory layout alone, might alter the behavior, i.e. break things on some builds, which is just really not desirable.

Why would you ever want builds from the same source to have potentially different performance, different output size or otherwise different behavior?

IMO tivoization is completely unrelated, because the vendor most certainly does not need reproducible builds in order to lock down a platform.

replies(1): >>43486473 #
RJIb8RBYxzAMX9u ◴[26 Mar 25 19:57 UTC] No.43486473[source]
> Lets turn this around. Why would you ever want non-reproducible builds?

It's not about wanting non-reproducible builds, but what am I sacrificing to achieve reproducible builds. Debian's reproducible build efforts have been going for ten years, and it's still not yet complete. Arguably Debian could have diverted ten years of engineering resources elsewhere. There's no end to the list of worthwhile projects to tackle, and clearly Debian believes that reproducible builds is high priority, but reasonable people can disagree on that.

This not to say reproducible builds are not worth doing, just that depending on your project / org lifecycle and available resources (plus a lot of subjective judgement), you may want to do something else first.

replies(1): >>43486796 #
1. progval ◴[26 Mar 25 20:19 UTC] No.43486796[source]
Debian didn't "divert engineering resources" to this project. People, some of whom happen to be Debian developers, decided to work on it for their own reasons. If the Reproducible Builds effort didn't exist, it doesn't mean they would have spent more time working on other areas of Debian. Maybe even less, because the RB effort was an opportunity to find and fix other bugs.
replies(1): >>43487311 #
2. RJIb8RBYxzAMX9u ◴[26 Mar 25 21:06 UTC] No.43487311[source]
Yes, the system is not closed and certainly people may simply not contribute to Debian at all. However, my main point is that reasonable people disagree on the relative importance of RR among other things, so it's not about "want[ing] non-reproducible builds" even if one has unlimited resources, but rather wanting RR, but not at the expense of X, where X differs from person to person.
replies(1): >>43488588 #
3. robertlagrant ◴[26 Mar 25 23:15 UTC] No.43488588[source]
"It's possible to disagree on whether a feature is worth doing" is technically true, but why is it worth discussing time spent by volunteers on something already done? People do all sorts of things in their free time; what's the opportunity cost there?