* "Bernhard M. Wiedemann via rb-general" <rb-general@lists.reproducible-builds.org> [2022-12-14 20:30]:
> a colleague of mine is rather skeptical towards bootstrapping and
> reproducible-builds.
> [...]
> In the end, it would be useful to collect some well-worded / well-thought
> counter-arguments on r-b.o (if we don't have that already)
> [...]
> Any thoughts and/or volunteers?
One aspect that I think only Tristan van Berkom explicitly mentioned [1] so far is IMO quite important: bit-by-bit identical binaries must behave identically (or at least if they don't, we know the problem lies elsewhere).

Even if reproducible builds cannot provide 100% protection against malicious subversion, we know that bit-by-bit identical binaries cannot behave differently, whether through subversion or accident. There can be no bug present in one but not the other, whether the cause is malicious or simply a non-deterministic build process -- or even a random bitflip -- producing subtly different binaries.

Non-determinism often hides bugs or makes them harder to find. With RB, you know that any change in a program's behaviour must be caused by a change in its source code and cannot be caused by a "random" difference between different builds, making debugging easier.

- FC

[1] https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002789.html
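The "build twice, compare bit-for-bit" check that this argument rests on, as an added example that is not from the thread or from any r-b.o tooling: two constructed stand-in "builds" (one that takes its embedded build time from SOURCE_DATE_EPOCH, one that embeds wall-clock time and random bytes) are each run twice from the same source, and `check_reproducible` reports whether the outputs are identical.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post. Demonstrates why a
# non-deterministic build cannot be compared bit-for-bit, and how pinning
# SOURCE_DATE_EPOCH (the reproducible-builds.org convention) makes the
# comparison meaningful. The "builds" below are constructed stand-ins.
set -u

# Constructed fixed value; any fixed timestamp works as long as both
# builds see the same one.
export SOURCE_DATE_EPOCH=1671049800

# Deterministic build: every byte of the output derives from the source
# file or from SOURCE_DATE_EPOCH, so two runs yield identical bytes.
build_deterministic() {   # $1 = source file, $2 = output file
    printf 'build-epoch=%s\n' "$SOURCE_DATE_EPOCH" > "$2"
    cat "$1" >> "$2"
}

# Non-deterministic build: embeds wall-clock time and a random build id,
# as many build systems do by default. Two runs differ without any
# change in the source, which is exactly the "random difference" that
# masks whether a behavioural change came from the code.
build_nondeterministic() {   # $1 = source file, $2 = output file
    rnd=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    printf 'build-time=%s id=%s\n' "$(date +%s)" "$rnd" > "$2"
    cat "$1" >> "$2"
}

sha256_of() {   # portable SHA-256 of one file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Run the given build function twice on the same source and compare the
# outputs. Returns 0 (and prints the hash) if bit-identical, 1 otherwise.
check_reproducible() {   # $1 = build function name, $2 = source file
    work=$(mktemp -d) || return 2
    "$1" "$2" "$work/build1" && "$1" "$2" "$work/build2" || return 2
    h1=$(sha256_of "$work/build1"); h2=$(sha256_of "$work/build2")
    rm -rf "$work"
    if [ "$h1" = "$h2" ]; then echo "reproducible $h1"; return 0; fi
    echo "NOT reproducible: $h1 != $h2"; return 1
}

# Demo on a constructed one-line "source" file.
demo_src=$(mktemp); printf 'int main(void){return 0;}\n' > "$demo_src"
check_reproducible build_deterministic "$demo_src"
check_reproducible build_nondeterministic "$demo_src" || true
rm -f "$demo_src"
```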