
766 points bertman | 1 comment
geocrasher No.43484909
What is the significance of a reproducible build, and how is it different from a normal distribution?
1. orblivion No.43489545
Open source means "you can see the code for what you run". Except... how do you know that your executables were actually built from that code? You either trust your distro, or you build it yourself, which can be a hassle.

Now that the build is reproducible, you don't need to trust your distro alone. It's always exactly the same binary, which means it'll have one correct sha256sum. You can have 10 other trusted entities build the same binary with the same code and publish a signature of that sha256sum, confirming they got the same thing. You can check all ten of those. The likelihood that 10 different entities are colluding to lie to you is a lot lower than just your distro lying to you.
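The scenario orblivion describes, as an added example that is not part of the thread and not any project's real code: a toy "compiler" whose output embeds a per-build ID unless the build is pinned (the same kind of nondeterminism a real timestamp or temp-path leak causes), and a check that several independent builders attest to the same sha256sum before the binary is accepted. HMAC with a per-builder key stands in for each builder's public-key signature; that substitution, the builder names, the threshold and the sample source are all assumptions of this example.

```python
"""Added example: reproducible builds plus multi-party attestation of one sha256sum.

Not code from the thread. HMAC with a per-builder key stands in for each
builder's real public-key signature; every name and value here is constructed.
"""
import hashlib
import hmac
import os

SOURCE = b"int main(void) { return 0; }\n"  # constructed source input


def build(source: bytes, pinned: bool) -> bytes:
    """Toy build step. An unpinned build embeds a fresh random build ID, so two
    builds of identical source give different bytes. A pinned build embeds a
    fixed ID, analogous to building with SOURCE_DATE_EPOCH set."""
    build_id = b"\x00" * 8 if pinned else os.urandom(8)
    code = hashlib.sha256(source).digest()  # stands in for the compiled code
    return b"BIN" + build_id + code


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest(builder_key: bytes, digest_hex: str) -> str:
    """A builder 'signs' the digest it obtained (HMAC as a signature stand-in)."""
    return hmac.new(builder_key, digest_hex.encode(), hashlib.sha256).hexdigest()


def count_agreeing(local_digest: str, attestations, builder_keys) -> int:
    """Number of distinct builders whose attestation verifies under their key
    AND reports the digest we computed locally. Unknown builders, bad
    signatures, duplicate builders and differing digests do not count."""
    seen = set()
    for builder, digest_hex, sig in attestations:
        key = builder_keys.get(builder)
        if key is None:
            continue  # nobody we trust
        if not hmac.compare_digest(sig, attest(key, digest_hex)):
            continue  # forged or corrupted attestation
        if digest_hex == local_digest:
            seen.add(builder)
    return len(seen)


def accept(local_digest: str, attestations, builder_keys, threshold: int) -> bool:
    """Accept the binary only if at least `threshold` trusted builders agree."""
    return count_agreeing(local_digest, attestations, builder_keys) >= threshold


def demo() -> dict:
    """The comment's scenario: ten builders, one of them (say, your distro)
    publishing a different binary, plus one forged attestation."""
    unpinned_same = sha256_hex(build(SOURCE, pinned=False)) == sha256_hex(build(SOURCE, pinned=False))
    pinned_same = sha256_hex(build(SOURCE, pinned=True)) == sha256_hex(build(SOURCE, pinned=True))

    local = sha256_hex(build(SOURCE, pinned=True))  # what we built ourselves
    keys = {f"builder{i}": os.urandom(32) for i in range(10)}  # constructed keys
    attestations = []
    for name, key in keys.items():
        if name == "builder3":
            # this builder ships something else and honestly signs its own digest
            d = sha256_hex(b"BIN" + b"\x00" * 8 + b"something else")
        else:
            d = local
        attestations.append((name, d, attest(key, d)))
    # an attacker forges an attestation under a name whose key they do not hold
    attestations.append(("builder0", local, attest(os.urandom(32), local)))
    return {
        "unpinned_builds_match": unpinned_same,
        "pinned_builds_match": pinned_same,
        "agreeing": count_agreeing(local, attestations, keys),
        "accepted": accept(local, attestations, keys, threshold=8),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is the point: with reproducible output, a single dishonest or compromised builder (here `builder3`) is outvoted by the others, and an attestation that does not verify under a known key is simply ignored. Without reproducibility the two unpinned builds already differ, so there is no single digest for anyone to agree on.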