openSUSE announced that its rolling release Linux distro, openSUSE Tumbleweed, is now bit-by-bit reproducible: rebuilding a package from the same source yields an identical binary, which lets anyone verify that shipped packages match their published source and is therefore an important factor for the security and quality of the distro.
Tumbleweed is a popular rolling release distro that provides extensive testing, giving users a higher degree of reliability than is often associated with rolling releases. openSUSE is also well-known for its tight security, making reproducible builds an obvious next step for the distro.
The project’s Jan Zerebecki detailed the change in a blog post:
In March, the configuration for building openSUSE Factory was changed to be bit-by-bit reproducible (except for the embedded signature). Following this, the first openSUSE Tumbleweed packages were verified to be bit-by-bit reproducible.
Zerebecki went on to describe the importance of reproducible builds:
Reproducible builds have a multitude of uses for security and quality. To further enhance their utility, reproducible builds need to be combined with other techniques such as distributed post-merge code review and capability based designs.
A recent example is that reproducible builds allow for the creation of proof, simply by rebuilding and comparing the result, that a GCC build whose source was extracted with a compromised xz was not compromised; this process was achieved without needing to reverse engineer how the compromise occurred. Similarly, reproducible builds were reported as being useful during investigations of the xz compromise.
Reproducible builds enable collaboration that otherwise would not be possible by supporting more scientifically-based arguments for security, which can be independently verified.
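The "rebuild and compare" step Zerebecki describes is mechanical enough to show in code. The following Python script is an added example, not code from openSUSE, the Open Build Service or the blog post: it compares a reference artifact (say, the package built from source extracted with the suspect xz) against an independent rebuild, ignores an embedded signature that is assumed to sit at a known fixed offset and length (a simplification; real package formats such as RPM carry the signature in a format-defined header, and the distro's tooling parses that), and reports the first differing byte in artifact coordinates. The sample artifacts are constructed inline.

```python
"""Rebuild-and-compare check: are two builds bit-identical outside the embedded signature?

Added example, not openSUSE's tooling. It assumes the signature occupies one
contiguous, known byte range; real package formats need a format-aware parser.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Region:
    """A contiguous byte range [start, start + length) inside an artifact."""
    start: int
    length: int

    @property
    def end(self) -> int:
        return self.start + self.length


def strip_region(blob: bytes, region: Region) -> bytes:
    """Return blob with the region removed, leaving only signature-independent bytes."""
    if region.start < 0 or region.end > len(blob):
        raise ValueError("signature region lies outside the artifact")
    return blob[:region.start] + blob[region.end:]


def content_digest(blob: bytes, signature: Region) -> str:
    """SHA-256 of the artifact excluding the signature region."""
    return hashlib.sha256(strip_region(blob, signature)).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if identical (a length mismatch counts)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def compare_builds(reference: bytes, rebuild: bytes, signature: Region) -> dict:
    """Compare two builds of the same source with the signature masked out.

    first_diff_offset is reported in the coordinates of the original artifact,
    skipping over the masked signature bytes.
    """
    ref_content = strip_region(reference, signature)
    new_content = strip_region(rebuild, signature)
    diff = first_difference(ref_content, new_content)
    if diff is not None and diff >= signature.start:
        diff += signature.length
    return {
        "reproducible": diff is None,
        "first_diff_offset": diff,
        "reference_digest": hashlib.sha256(ref_content).hexdigest(),
        "rebuild_digest": hashlib.sha256(new_content).hexdigest(),
    }


# Constructed sample artifacts (hypothetical layout): 16-byte header,
# 64-byte payload, 32-byte signature appended at offset 80.
HEADER = b"PKG-HDR-v1" + b"\x00" * 6
PAYLOAD = bytes(range(64))
SIGNATURE = Region(start=80, length=32)

REFERENCE = HEADER + PAYLOAD + b"\xaa" * 32          # signed by the reference builder
REBUILD_SAME = HEADER + PAYLOAD + b"\xbb" * 32       # same bits, different signature
TAMPERED = HEADER + PAYLOAD[:10] + b"\xff" + PAYLOAD[11:] + b"\xbb" * 32  # one payload byte changed


if __name__ == "__main__":
    for name, candidate in (("independent rebuild", REBUILD_SAME), ("tampered build", TAMPERED)):
        report = compare_builds(REFERENCE, candidate, SIGNATURE)
        verdict = "reproducible" if report["reproducible"] else "DIFFERS"
        print(f"{name}: {verdict}; first difference at offset {report['first_diff_offset']}")
```

A matching content digest from an independent rebuild is the proof the blog post refers to: the reference binary contains exactly the bytes the source produces, whatever tool unpacked that source. A mismatch only says where to look; diffoscope-style tooling then explains what differs.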
More Linux distros have been moving to reproducible builds for the reasons Zerebecki outlined.