On Sun, Nov 17, 2024 at 08:36:24PM +0100, Patrice Dumas wrote:
> > As far as I know,
> > nobody is checking that the distribution archive is bit-for-bit
> > reproducible from some specified commit in the git repository.
>
> It seems to me that it could be relevant, to be able to check more
> easily that the distribution has not been tampered with.
>
> > I
> > understand the main issue of reproducible builds deals with building
> > reproducibly from a released distribution archive, not how that
> > archive is produced.
>
> If I recall well, the issue with the xz utils was tampering with the
> distributed tarball, not reproducible builds. If it is easier to redo
> the distributed tarball independently and compare it should be a win for
> security.
I agree in theory but don't know how practical it is to achieve. It seems that it wouldn't matter as much if we required GNU tar to produce the file, as this version of tar wouldn't be required by people building the software. We could provide extra flags as described at this page: https://reproducible-builds.org/docs/archives/ However, I do not want to start trying to fix all the different ways the distribution may be non-reproducible at this stage, if it turns out there are a lot of other issues to fix.
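As an added illustration of the tar normalisations the linked reproducible-builds.org page describes (this is example code, not part of the thread or of any GNU project's release scripts), the script below builds a tarball with GNU tar's `--sort`, `--mtime`, `--owner`/`--group`/`--numeric-owner` and `--pax-option` flags plus `gzip -n`, then shows that two checkouts of the same tree, populated in different orders with different file mtimes, yield a bit-identical archive. The source tree, the `SOURCE_DATE_EPOCH` value and the function names are constructed for the example; a real release script would take the timestamp from the tagged commit (e.g. `git log -1 --format=%ct`) and compare the digest against the published tarball.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproducible source
# tarball creation with GNU tar >= 1.28 and gzip, plus a self-check.
set -e

# Constructed timestamp standing in for the commit date of the release tag.
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1731873384}"
export SOURCE_DATE_EPOCH

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_reproducible_tarball SRC_DIR OUT_FILE
# Every flag removes one source of host-dependent bytes from the archive.
make_reproducible_tarball() {
    src="$1"; out="$2"
    # --sort=name            : fixed member order, independent of readdir()
    # --mtime=@EPOCH         : one timestamp for all members
    # --owner/--group/...    : no build-host uid/gid or user names
    # --pax-option=...       : stable pax header names, no atime/ctime records
    # gzip -n                : no timestamp in the gzip header
    tar --sort=name \
        --mtime="@${SOURCE_DATE_EPOCH}" \
        --owner=0 --group=0 --numeric-owner \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        -C "$(dirname "$src")" -cf - "$(basename "$src")" \
      | gzip -n -9 > "$out"
}

# verify_against_published EXPECTED_SHA256 FILE
# What a third party would run: rebuild from the tagged commit, then compare.
verify_against_published() {
    [ "$(digest "$2")" = "$1" ]
}

# make_tree DIR ORDER  -- constructed fixture: a tiny source tree written in
# forward or reverse order with differing mtimes, like two people's checkouts.
make_tree() {
    rm -rf "$1"; mkdir -p "$1/src"
    if [ "$2" = reverse ]; then
        printf 'int main(void){return 0;}\n' > "$1/src/main.c"
        printf 'hello-1.0\n' > "$1/README"
        touch -t 202306151200 "$1/src/main.c"
    else
        printf 'hello-1.0\n' > "$1/README"
        printf 'int main(void){return 0;}\n' > "$1/src/main.c"
    fi
    touch -t 202001010000 "$1/README"   # host-dependent mtime that must not leak
}

# reproducible_check: returns 0 when two independent builds of equivalent
# trees produce byte-identical tarballs, and the published-digest check passes.
reproducible_check() {
    work="${TMPDIR:-/tmp}/repro-demo.$$"
    mkdir -p "$work"
    make_tree "$work/a/hello-1.0" forward
    make_tree "$work/b/hello-1.0" reverse
    make_reproducible_tarball "$work/a/hello-1.0" "$work/first.tar.gz"
    make_reproducible_tarball "$work/b/hello-1.0" "$work/second.tar.gz"
    h1=$(digest "$work/first.tar.gz")
    # Treat the first build as the "published" tarball and re-verify the second.
    verify_against_published "$h1" "$work/second.tar.gz"
    status=$?
    rm -rf "$work"
    return $status
}
```

Run it as `sh repro.sh && echo identical` after adding `reproducible_check` as the final line; drop any one of the tar flags and the two digests diverge, which is a quick way to see which archive field each flag pins down. Note that `--sort=name` needs GNU tar 1.28 or later, which is why the thread points out that only the release builder, not every downstream builder, has to run that version.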