openSUSE Spin Achieves 100% Bit-Identical Packages For Reproducible Builds
openSUSE Spin Achieves 100% Bit-Identical Packages For Reproducible Builds
Context:
Reproducible builds ensure software can be rebuilt in an identical, bit-for-bit manner anywhere at any time using the same tools. This means that someone rebuilding the software from the same source code will get exactly the same results.
Why is this important? Because it’s a crucial aspect for supply-chain security.
Source: https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/
And here I thought this was kinda already the case. 🫣
There is a reason why NixOS was invented 21 years ago. Reproducible builds are not simple in most
packagingbuild systems.I believe it's less about the packaging system and more about the build system. You're building source code from thousands of individual projects, getting a reproducible output is difficult if, for example, some library embeds the build date/time in its output.
Nix doesn't really guarantee reproduciblity, though. It's a neat idea for deterministic configurations. But bit by bit reproducible binary builds are an entire difference beast. GNU Guix has way more promise in that regard
This is awesome!
Thought I would mention Guix. I don't know about using it as an OS but just the package manager is so nice to build reproducible software environments (although disclaimer I discovered this myself a few weeks ago). At least as close you can get without including proprietary hardware drivers. Building MPI applications on my laptop and moving them to an HPC cluster with full performance feels like magic.