grarpamp cited this important law recently while trying to talk about some important things with me that I still don't quite understand.

Here's an update on reproducibility!

TLDR: bsd is still more secure than linux but debian has a tool to verify before install, tails says it is fully reproducible, and of course guix takes it seriously. tor made a project-independent reproducibility manager. coreboot is reproducible.

* Arch Linux is 88.1% reproducible with 1360 bad 37 unknown and 10375 good packages.
  [1]https://reproducible.archlinux.org/

* Debian 29629 (95.7%) packages which built reproducibly in bullseye/amd64
  [2]https://tests.reproducible-builds.org/debian/bullseye/amd64/index_reproducible.html
  (debian unstable is more 85%)
  => on debian, in-toto can be used to verify reproducibility before installation
  [3]https://github.com/in-toto/apt-transport-in-toto

* ElectroBSD itself (kernel + world), the distribution tarballs (base.txz, kernel.txz, lib32.txz, src.txz) and thus the MANIFEST can be built reproducible on all the supported architectures (a fancy way to refer to amd64 and i386). There's work in progress to make the release image reproducible as well.
  [4]https://www.fabiankeil.de/gehacktes/electrobsd/#reproducible-electrobsd

* F-droid enumerates its reproducibility but does not appear to quickly summarise it on the web:
  [5]https://verification.f-droid.org/

* Most of FreeBSD builds "reproducibly" (aka. with two builds producing identical binaries) but there are a few deviations from this
  [6]https://wiki.freebsd.org/ReproducibleBuilds/Base

* The guix distribution is founded on reproducibility (but not security). I didn't find their current status on the web, but if using guix there is a command-line tool to display it.
  [7]https://guix.gnu.org/
  [8]https://hydra.gnu.org/

* NetBSD 2017-02-20 we have fully reproducible builds on amd64 and sparc64
  [9]https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds

* NixOS (this is the same as guix right?) 99.83% paths in the minimal installation image are reproducible
  [10]https://r13y.com/

* OpenSUSE 95.34% reproducible packages
  [11]https://rb.zq1.de/compare.factory/report.txt
  Building reproducible binaries takes configuration
  [12]https://en.opensuse.org/openSUSE:Reproducible_Builds#With_OBS

* OpenWRT For x86/generic we could build 1 (100.0%) out of 1 images and 9217 (98.1%) out of 9390 packages reproducibly in our test setup.
  [13]https://tests.reproducible-builds.org/openwrt/openwrt_x86.html

* Qubes hasn't reported in a couple years. In 2019 it was expected that dom0 would have all reproducible packages for 4.1
  [14]https://github.com/QubesOS/qubes-issues/issues/816#issuecomment-519912024

* Tails ISO and USB images should be reproducible: everybody who builds one of them should be able to obtain the exact same resulting image from a given Git tag.
  [15]https://tails.boum.org/contribute/build/reproducible/

* Yocto 99.79% 34095 packages in openembedded-core
  [16]https://www.yoctoproject.org/reproducible-build-results/

The following individual projects set up infrastructure for fully reproducible builds:

- Bitcoin [17]https://github.com/bitcoin-core/docs/blob/master/gitian-building.md
- BitShares [18]https://github.com/bitshares/bitshares-gitian
- Coreboot, crucially [19]https://tests.reproducible-builds.org/coreboot/coreboot.html
- Monero [20]https://github.com/monero-project/monero/issues/2641#issuecomment-501197384
- Trezor [21]https://wiki.trezor.io/Developers_guide:Deterministic_firmware_build
- Tor Browser's general purpose reproducible build manager [22]https://rbm.torproject.org/
- webconverger's link is to a video, so is not included

Data collected from links on [23]https://reproducible-builds.org/projects/ . The page does not look recently updated everywhere, and some listed projects had no links, and I did not visit those projects without links.

References

1. https://reproducible.archlinux.org/
2. https://tests.reproducible-builds.org/debian/bullseye/amd64/index_reproducible.html
3. https://github.com/in-toto/apt-transport-in-toto
4. https://www.fabiankeil.de/gehacktes/electrobsd/#reproducible-electrobsd
5. https://verification.f-droid.org/
6. https://wiki.freebsd.org/ReproducibleBuilds/Base
7. https://guix.gnu.org/
8. https://hydra.gnu.org/
9. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds
10. https://r13y.com/
11. https://rb.zq1.de/compare.factory/report.txt
12. https://en.opensuse.org/openSUSE:Reproducible_Builds#With_OBS
13. https://tests.reproducible-builds.org/openwrt/openwrt_x86.html
14. https://github.com/QubesOS/qubes-issues/issues/816#issuecomment-519912024
15. https://tails.boum.org/contribute/build/reproducible/
16. https://www.yoctoproject.org/reproducible-build-results/
17. https://github.com/bitcoin-core/docs/blob/master/gitian-building.md
18. https://github.com/bitshares/bitshares-gitian
19. https://tests.reproducible-builds.org/coreboot/coreboot.html
20. https://github.com/monero-project/monero/issues/2641#issuecomment-501197384
21. https://wiki.trezor.io/Developers_guide:Deterministic_firmware_build
22. https://rbm.torproject.org/
23. https://reproducible-builds.org/projects/