
There are some efforts [1] to make reproducible builds really work; the Nix guys also have some experience with them, as others have noted. Isolated deterministic environments and stripping binaries/archives (the strip-nondeterminism tool) [2] generally do the trick.

[1] https://reproducible-builds.org

[2] https://reproducible-builds.org/tools/
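As an added illustration of the normalization that the strip-nondeterminism approach relies on (example code written for this page, not from the thread or the reproducible-builds project; the FIXED_MTIME constant and the sample file tree are constructed assumptions), this script packs the same tree twice with different file timestamps and shows that only the normalized archive hashes identically:

```python
import hashlib
import io
import os
import tarfile
import tempfile

FIXED_MTIME = 1  # assumed constant timestamp, in the spirit of SOURCE_DATE_EPOCH


def build_tar(root: str, normalize: bool) -> bytes:
    """Pack the tree under `root` into an in-memory (uncompressed) tar.

    normalize=False keeps whatever mtime, uid/gid and directory order the
    filesystem reports, which vary between builds. normalize=True pins the
    mtime and ownership and sorts entries, so the bytes depend only on the
    file names, modes and contents.
    """
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        if normalize:
            dirnames.sort()   # in-place sort also fixes the recursion order
            filenames.sort()
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:  # plain tar: no gzip timestamp header
        for p in paths:
            info = tar.gettarinfo(p, arcname=os.path.relpath(p, root))
            if normalize:
                info.mtime = FIXED_MTIME
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            with open(p, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def two_builds_match(normalize: bool) -> bool:
    """Build a constructed source tree twice at different 'times' and
    report whether the two archives are byte-identical."""
    digests = []
    for build_no in range(2):
        with tempfile.TemporaryDirectory() as root:
            for name in ("b.txt", "a.txt"):
                path = os.path.join(root, name)
                with open(path, "w") as fh:
                    fh.write("same content in every build\n")
                # each build checks out / compiles at a different wall-clock time
                t = 1_600_000_000 + build_no * 3600
                os.utime(path, (t, t))
            digests.append(hashlib.sha256(build_tar(root, normalize)).hexdigest())
    return digests[0] == digests[1]
```

Run `two_builds_match(False)` and `two_builds_match(True)` side by side: the raw archive differs between builds, the normalized one does not.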

Some of my predecessors on buildpacks went through a bunch of work to establish reproducibility for binaries we ship, with varied levels of success:

"Investigate how we can allow users to independently verify/authenticate a final buildpack" (https://www.pivotaltracker.com/story/show/104469634)

"Explore: Compiled binaries should be reproducible" (https://www.pivotaltracker.com/story/show/104746074)

"determine whether the libfaketime reproducible build strategy will work across all of our binaries" (https://www.pivotaltracker.com/story/show/107752798)

"Investigate Why are our node builds not reproducible?" (https://www.pivotaltracker.com/story/show/128161137)

There was also supporting work to help independent verification of the "chain of custody". There are 25 of those under that label, if you use the search box.