
Fedora change aims for 99% package reproducibility

Tuesday 15 April 2025, 00:42, by OS News
The effort to ensure that open-source software is reproducible has been gathering steam over the years, and gaining traction with major Linux distributions. Debian, for example, has been working toward reproducible builds for more than a decade; it can now produce official live CDs of the current stable release that are reproducible. Fedora started on the path much later, but it has progressed far enough that the project is now considering a change proposal for the Fedora 43 development cycle, expected to be released in October, with a goal of making 99% of Fedora’s package builds reproducible. So far, reaction to the proposal seems favorable and focused primarily on how to achieve the goal—with minimal pain for packagers—rather than whether to attempt it.
↫ Joe Brockmeier at LWN.net

In the case of individual packages, reproducibility means that if you set up a build environment at home according to Fedora’s specifications, you can create an exact, bit-by-bit identical copy of a package. This is important because it can help detect and guard against supply chain attacks like the infamous xz backdoor attempt that was thwarted only by mere luck.

As the LWN article notes, however, it’s impossible for Fedora to achieve the original “bit-by-bit” part of the definition because of how RPMs are built. RPMs include the signature inside the RPM, and a few other metadata bits are problematic as well. The actual contents of an RPM – the thing you actually install, run, and use – meet the definition of “bit-by-bit”, though. By this point, Fedora has pretty much done all it can through its own infrastructure when it comes to reproducibility, which has brought the project to 90% of packages being reproducible.
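The distinction above, as an added example (not Fedora's or LWN's code): it splits a package into signature header, main header and payload and compares two builds region by region. It assumes the standard RPM v4 layout (96-byte lead, signature header padded to 8 bytes, main header, payload); `make_sample` and its inputs are constructed stand-ins, not real packages.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # fixed-size legacy lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # starts both the signature and main header

def _header_end(blob, start):
    """Return the offset just past the header structure that begins at start."""
    if len(blob) < start + 16 or blob[start:start + 4] != HEADER_MAGIC:
        raise ValueError(f"no header structure at offset {start}")
    # magic (4) + reserved (4), then index entry count and data size
    nindex, hsize = struct.unpack(">II", blob[start + 8:start + 16])
    end = start + 16 + 16 * nindex + hsize
    if end > len(blob):
        raise ValueError("truncated header")
    return end

def split_rpm(blob):
    """Split package bytes into signature header, main header and payload."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig_end = _header_end(blob, LEAD_SIZE)
    hdr_start = (sig_end + 7) & ~7   # signature header is padded to 8 bytes
    hdr_end = _header_end(blob, hdr_start)
    return {"signature": blob[LEAD_SIZE:sig_end],
            "header": blob[hdr_start:hdr_end],
            "payload": blob[hdr_end:]}

def compare_builds(a, b):
    """Report, per region, whether two builds of a package are identical."""
    pa, pb = split_rpm(a), split_rpm(b)
    same = {k: hashlib.sha256(pa[k]).digest() == hashlib.sha256(pb[k]).digest()
            for k in pa}
    same["whole_file"] = a == b
    return same

def make_sample(sig, meta, payload):
    """Constructed stand-in for an RPM: one placeholder entry per header."""
    def hdr(data):  # tag 0 is a placeholder, type 7 = binary blob
        return (HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(data))
                + struct.pack(">IIII", 0, 7, 0, len(data)) + data)
    s = hdr(sig)
    lead = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
    return lead + s + b"\0" * (-len(s) % 8) + hdr(meta) + payload

if __name__ == "__main__":
    official = make_sample(b"distro-signature", b"metadata", b"file contents")
    rebuilt = make_sample(b"", b"metadata", b"file contents")
    print(compare_builds(official, rebuilt))
```

A signed official build and an unsigned local rebuild differ as whole files even when the payload matches; a mismatch in the `header` region points at the metadata fields the article mentions, and a `payload` mismatch is the case worth investigating.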

It’s going to be up to the individual package maintainers and software developers to get to the desired goal of 99% by Fedora 43, though. To ensure package maintainers take this issue seriously, a change proposal has been submitted to treat reproducibility issues as bugs, with a degree of wiggle room for now (think “should” instead of “must”). It’s only a proposal for now, but it’s looking like it will make it.

The excellent – as always – LWN article has a lot more detail about both the proposed changes as well as the various points of view.
https://www.osnews.com/story/142113/fedora-change-aims-for-99-package-reproducibility/
