TLDR: bsd is still more secure than linux but debian has a tool to verify before install, tails says it is fully reproducible, and of course guix takes it seriously. tor made a project-independent reproducibility manager. coreboot is reproducible.
- Arch Linux is 88.1% reproducible with 1360 bad 37 unknown and 10375 good packages.
Debian 29629 (95.7%) packages which built reproducibly in bullseye/amd64
ElectroBSD itself (kernel + world), the distribution tarballs (base.txz, kernel.txz, lib32.txz, src.txz) and thus the MANIFEST can be built reproducible on all the supported architectures (a fancy way to refer to amd64 and i386). There's work in progress to make the release image reproducible as well.
Most of FreeBSD builds "reproducibly" (aka. with two builds producing identical binaries) but there are a few deviations from this
The guix distribution is founded on reproducibility (but not security). I didn't find their current status on the web, but if using guix there is a command-line tool to display it.
https://guix.gnu.org/ https://hydra.gnu.org/
NetBSD 2017-02-20 we have fully reproducible builds on amd64 and sparc64
NixOS (this is the same as guix right?) 99.83% paths in the minimal installation image are reproducible
OpenWRT For x86/generic we could built 1 (100.0%) out of 1 images and 9217 (98.1%) out of 9390 packages reproducibly in our test setup.
Tails ISO and USB images should be reproducible: everybody who builds one of them should be able to obtain the exact same resulting image from a given Git tag.
The following individual projects set up infrastructure for fully reproducible builds:
- webconverger's link is to a video, so is not included
Data collected from links on
https://reproducible-builds.org/projects/ . The page does not look recently updated everywhere, and some listed projects had no links, and I did not visit those projects without links.