Fedora change aims for 99% package reproducibility

436 points, by voxadam, about 1 month ago

16 comments

barotalomey, about 1 month ago
The real treasure was the friend I found along the way

https://github.com/keszybz/add-determinism
froh, about 1 month ago
Nice to see they're in this too.

https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/
apatheticonion, about 1 month ago
Another thing I'd love to see is more statically linked binaries. Something like Python, for instance, is a nightmare to install and work with.
nimish, about 1 month ago
As a user of Fedora, what does this actually get me? I mean, I understand it for hermetic builds, but why?
trod1234, about 1 month ago
Can someone provide a brief clarification about build reproducibility in general?

The stated aim is that when you compile the same source, environment, and instructions, the end result is bit identical.

There are, however, hardware-specific optimizations that will naturally negate this stated aim, and I don't see how there's any way to avoid throwing out the baby with the bathwater.

I understand why having a reproducible build is needed on a lot of fronts, but the stated requirements don't seem to be in line with the realities.

At its most basic, there is hardware, where the hardware may advertise features it doesn't have, or doesn't perform the same instructions in the same way, and other nuances that break determinism as a property, and that naturally taints the entire stack since computers rely heavily on emergent design.

This is often hidden in layers of abstraction and/or may be separated into pieces that are architecture dependent vs. independent (freestanding), but it remains there.

Most if not all of the beneficial properties of reproducible builds rely on the environment being limited to a deterministic scope, and the reality is manufacturers ensure these things remain in a stochastic scope.
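Worked example, added by the editor and not taken from the thread: it packs the same constructed three-file tree twice, once the way an ordinary build does (directory walk order, build-machine clock, builder uid, gzip header timestamp) and once with those fields normalized, and shows that only the normalized archives hash identically. This is the "same source, same output bits" property the comment above describes; the `SOURCE_DATE_EPOCH` value and the sample file tree are assumptions, and the hardware-specific optimization concern is outside what this covers.

```python
"""Reproducible vs. non-reproducible packaging of one build tree (added example)."""
import gzip
import hashlib
import io
import tarfile
from typing import Dict, Iterable, Tuple

# Constructed sample build tree (path -> contents); stands in for a package's installed files.
SAMPLE_TREE: Dict[str, bytes] = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
    "usr/lib/hello/plugin.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
}

# Assumed fixed timestamp, playing the role of SOURCE_DATE_EPOCH in a real build.
SOURCE_DATE_EPOCH = 1_700_000_000


def _pack(entries: Iterable[Tuple[str, bytes]], mtime: int, uid: int, gid: int,
          gzip_mtime: int) -> bytes:
    """Write entries into an in-memory gzip-compressed tar and return its bytes."""
    buf = io.BytesIO()
    # gzip has its own header timestamp, a classic source of non-reproducibility.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gzip_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in entries:
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = mtime
                info.uid, info.gid = uid, gid
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_naive(tree: Dict[str, bytes], now: int, builder_uid: int) -> bytes:
    """Pack files in whatever order the build produced them, stamped with the
    build machine's clock and the builder's uid/gid."""
    return _pack(tree.items(), mtime=now, uid=builder_uid, gid=builder_uid, gzip_mtime=now)


def build_reproducible(tree: Dict[str, bytes]) -> bytes:
    """Normalize every environment-dependent field: sorted paths, fixed mtime,
    uid/gid 0, and a zero gzip header timestamp."""
    return _pack(sorted(tree.items()), mtime=SOURCE_DATE_EPOCH, uid=0, gid=0, gzip_mtime=0)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(build_a: bytes, build_b: bytes) -> bool:
    """The rebuilder's check: an identical digest means the artifact reproduced bit-for-bit."""
    return sha256(build_a) == sha256(build_b)


def read_tree(archive: bytes) -> Dict[str, bytes]:
    """Extract an archive back into path -> contents, to confirm normalization lost nothing."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def demo() -> Dict[str, bool]:
    # Two builders with identical source but different clocks, uids and directory walk order.
    tree_a = SAMPLE_TREE
    tree_b = dict(reversed(list(SAMPLE_TREE.items())))  # same files, different walk order
    naive_a = build_naive(tree_a, now=1_700_000_123, builder_uid=1000)
    naive_b = build_naive(tree_b, now=1_700_086_400, builder_uid=1001)
    repro_a = build_reproducible(tree_a)
    repro_b = build_reproducible(tree_b)
    return {
        "naive_reproduces": compare_builds(naive_a, naive_b),
        "normalized_reproduces": compare_builds(repro_a, repro_b),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {ok}")
```

The hash comparison is exactly what an independent rebuilder does; `read_tree` is there to show that the normalized archive still carries the same files, so normalization changes metadata, not payload.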
Dwedit, about 1 month ago
Reproducibility is at odds with profile-guided optimization, especially on anything that involves networking and other I/O that isn't consistent.
kccqzy, about 1 month ago
> For example, Haskell packages are not currently reproducible when compiled by more than one thread

Doesn't seem like a big issue to me. The gcc compiler doesn't even support multithreaded compiling. In the C world, parallelism comes from compiling multiple translation units in parallel, not any one with multiple threads.
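To illustrate the kind of non-determinism the quoted sentence refers to, here is an added example (editor's code, not from the thread, and not how GHC itself allocates uniques): a toy "compiler" that names temporaries from a process-wide counter shared across worker threads gets numbers that depend on thread scheduling, while naming them from a per-unit counter and emitting units in a fixed order gives identical output on every run regardless of thread count. The translation units are constructed sample data.

```python
"""Scheduling-dependent vs. deterministic naming in a multi-threaded toy compiler (added example)."""
import itertools
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, Dict, List

# Constructed sample translation units: unit name -> expressions that each need a temporary.
UNITS: Dict[str, List[str]] = {
    "main": ["a + b", "c * d"],
    "util": ["x << 1"],
    "io": ["read()", "write()", "flush()"],
}


class SharedUniqueSupply:
    """Process-wide counter shared by all compiler threads. The number a thread
    draws depends on which threads ran before it, so it varies between runs."""

    def __init__(self) -> None:
        self._counter = itertools.count(1)
        self._lock = threading.Lock()

    def fresh(self) -> int:
        with self._lock:
            return next(self._counter)


def compile_unit_shared(name: str, exprs: List[str], supply: SharedUniqueSupply) -> List[str]:
    return [f"{name}: tmp{supply.fresh()} = {expr}" for expr in exprs]


def compile_unit_local(name: str, exprs: List[str]) -> List[str]:
    # Uniques derived only from the unit's own contents: no cross-thread state involved.
    return [f"{name}: tmp_{name}_{i} = {expr}" for i, expr in enumerate(exprs, 1)]


def build_nondeterministic(units: Dict[str, List[str]], workers: int = 4) -> List[str]:
    """Threads share one counter and results are appended in completion order."""
    supply = SharedUniqueSupply()
    output: List[str] = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(compile_unit_shared, n, e, supply) for n, e in units.items()]
        for fut in as_completed(futures):
            output.extend(fut.result())
    return output


def build_deterministic(units: Dict[str, List[str]], workers: int = 4) -> List[str]:
    """Per-unit naming plus a canonical (sorted) emission order: the output is
    independent of thread count and scheduling, so the same source gives the same bytes."""
    names = sorted(units)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda n: compile_unit_local(n, units[n]), names))
    return [line for unit_lines in results for line in unit_lines]


def is_stable(build: Callable[[Dict[str, List[str]]], List[str]],
              units: Dict[str, List[str]], runs: int = 20) -> bool:
    """Rebuild several times and report whether every run produced identical output."""
    first = build(units)
    return all(build(units) == first for _ in range(runs - 1))


if __name__ == "__main__":
    print("shared counter stable across runs:", is_stable(build_nondeterministic, UNITS))
    print("per-unit naming stable across runs:", is_stable(build_deterministic, UNITS))
```

Both builds still compile the units in parallel; what changes is that no emitted byte depends on which thread won the race, which is the property a rebuilder needs.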
nigel_doug, about 1 month ago
"trust in the contents of both source and binary packages is low." - I wonder whether this will convince organisations to adopt proper artifact management processes? If supply chain attacks are on the rise, then surely it's more imperative than ever for businesses to adopt secure artifact scanning with tools like Cloudsmith or JFrog?
frainfreeze, about 1 month ago
Amazing to see this progress! Kudos to everyone who put in the effort.

Related news from March: https://news.ycombinator.com/item?id=43484520 (Debian bookworm live images now fully reproducible)
sheepscreek, about 1 month ago
YES! I want more tools to be deterministic. My wish list has Proxmox config at the very top.
kaelit, about 1 month ago
Interesting take. I'm building something related to zk systems — will share once it's up.
knowitnone, about 1 month ago
99%? Debbie Downer says it only takes 1 package to screw the pooch.
ajross, about 1 month ago
Linux folks continue running away with package security paradigms while NPM, PyPI, cargo, et al. (like that VSCode extension registry that was on the front page last week) think they can still get away with just shipping what some rando pushes.
binarymax, about 1 month ago
I often see initiatives and articles like this but no mention of Nix. Is it just not well known enough for comparison? Because to me that's the standard.
patrakov, about 1 month ago
This goal feels like a marketing OKR to me. A proper technical goal would be "all packages, except the ones that have a valid reason, such as signatures, not to be reproducible".
charcircuit, about 1 month ago
This is a waste of time compared to investing in sandboxing, which will actually protect users, as opposed to stopping theoretical attacks. Fedora's sandbox capabilities for apps are so far behind other operating systems like Android that it is a much more important area to address.