
There are some efforts [1] to make reproducible builds really work; also, the Nix guys have some experience with them, as others have noted. Isolated deterministic environments and stripping binaries/archives (strip-nondeterminism tool) [2] generally do the trick.

[1] https://reproducible-builds.org

[2] https://reproducible-builds.org/tools/
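An added example, not part of the comment above and not code from the strip-nondeterminism tool: a simplified Python stand-in for the archive-stripping idea it mentions. Two simulated builds of the same files differ only in timestamp, owner and member order; the file names, owners and timestamps are constructed sample values, and `build_tar` / `normalize_tar` are hypothetical helper names.

```python
import hashlib
import io
import tarfile

def build_tar(files, mtime, owner):
    """Simulate one build: pack files with that build's timestamp and user."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uname = info.gname = owner
            info.uid = info.gid = 1000
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def normalize_tar(raw, epoch=0):
    """Rewrite an archive with sorted members and fixed metadata."""
    src = tarfile.open(fileobj=io.BytesIO(raw), mode="r")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for member in sorted(src.getmembers(), key=lambda m: m.name):
            is_file = member.isfile()
            data = src.extractfile(member).read() if is_file else b""
            info = tarfile.TarInfo(member.name)
            info.size = len(data)
            info.mode, info.type = member.mode, member.type
            info.linkname = member.linkname
            info.mtime = epoch                # drop the build timestamp
            info.uid = info.gid = 0           # drop the build user
            info.uname = info.gname = ""
            dst.addfile(info, io.BytesIO(data) if is_file else None)
    return out.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

# Constructed sample input: same content, different build environments.
FILES = [("bin/app", b"constructed payload\n"), ("README", b"hello\n")]
build_a = build_tar(FILES, mtime=1700000000, owner="alice")
build_b = build_tar(list(reversed(FILES)), mtime=1700003600, owner="ci")
# A build whose content really differs must still be distinguishable.
build_c = build_tar([("bin/app", b"modified payload\n"), FILES[1]],
                    mtime=1700000000, owner="alice")

if __name__ == "__main__":
    print("raw equal:       ", sha256(build_a) == sha256(build_b))
    print("normalized equal:", sha256(normalize_tar(build_a)) == sha256(normalize_tar(build_b)))
    print("tamper detected: ", sha256(normalize_tar(build_a)) != sha256(normalize_tar(build_c)))
```

Normalization removes only environment metadata, so a hash match after it is evidence of identical content, while a change to any file's bytes still changes the hash.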




Some of my predecessors on buildpacks went through a bunch of work to establish reproducibility for binaries we ship, with varied levels of success:

"Investigate how we can allow users to independently verify/authenticate a final buildpack" (https://www.pivotaltracker.com/story/show/104469634)

"Explore: Compiled binaries should be reproducible" (https://www.pivotaltracker.com/story/show/104746074)

"determine whether the libfaketime reproducible build strategy will work across all of our binaries" (https://www.pivotaltracker.com/story/show/107752798)

"Investigate Why are our node builds not reproducible?" (https://www.pivotaltracker.com/story/show/128161137)

As well as supporting work to help independent verification of the "chain of custody". There are 25 of those under that label, if you use the search box.



