The Fedora Engineering Steering Committee (FESCo), which oversees the technical development of the Fedora Linux distribution, has officially approved the reproducible builds proposal for the upcoming Fedora 43 release. The goal is for at least 99% of the packages in the repository to be reproducible.
Reproducible builds let users build their own RPM packages and check that they match the pre-built binary packages. Matching is judged at the level of the main metadata and the included files; only the build metadata, the build host and the digital signatures are allowed to differ. This check confirms that the binaries in a package were derived from the published source code without unauthorized modification.
Beyond the security benefit, reproducible builds also help quality control and simplify package development: when a small change to the sources yields only a small difference in the rebuilt package, developers can compare versions and analyze changes easily. Achieving this depends on factors such as exactly matching dependencies, unchanged tool versions, identical build options and settings, and a consistent procedure for assembling the files.
The Fedora project's infrastructure is already prepared for reproducible builds. Earlier changes to the build system, such as clamping file modification times to the source code's timestamp and standardizing how metadata and data structures are recorded in binary files, have laid the groundwork. Coverage currently stands at 90%; the remaining 10% will require collaboration to fix the problematic packages and make them reproducible.
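The two ideas above, that a rebuilt package must match the published one except for build host, build time and signature, and that file modification times have to be tied to the sources rather than to the moment of the build, can be shown with a small simulation. The following script is an added example and not Fedora's or RPM's own code: it packs a constructed directory into an uncompressed tar archive twice with different filesystem mtimes, once as-is and once with mtimes clamped to a fixed `SOURCE_DATE_EPOCH` value (the reproducible-builds convention that the clamping described in the article is assumed to follow), and it separates accepted metadata differences from real payload differences. All file names, contents and timestamps are constructed for the demonstration.

```python
"""Why clamping mtimes matters for reproducible packages (added example)."""
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-in for SOURCE_DATE_EPOCH: the timestamp of the source
# release, used as the upper bound for every mtime stored in the payload.
SOURCE_DATE_EPOCH = 1_700_000_000

# Package metadata that is expected to differ between two honest rebuilds.
ACCEPTED_DIFFERENCES = {"buildhost", "buildtime", "signature"}


def build_payload(src_dir: Path, clamp: bool) -> bytes:
    """Pack src_dir into an uncompressed tar; optionally normalise metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        # Sorted traversal: directory listing order must not leak into the payload.
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            info = tar.gettarinfo(str(path), arcname=path.relative_to(src_dir).as_posix())
            if clamp:
                # Never store a time later than the source release, and drop
                # ownership details that depend on the build machine.
                info.mtime = min(int(info.mtime), SOURCE_DATE_EPOCH)
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            with path.open("rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def payload_digest(src_dir: Path, clamp: bool) -> str:
    """SHA-256 of the packed payload; equal digests mean a reproducible payload."""
    return hashlib.sha256(build_payload(src_dir, clamp)).hexdigest()


def compare_packages(a: dict, b: dict) -> dict:
    """Return fields that differ between two package records, ignoring the
    build metadata a rebuild is allowed to change (host, time, signature)."""
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if key not in ACCEPTED_DIFFERENCES and a.get(key) != b.get(key)
    }


def two_builds(clamp: bool) -> tuple[str, str]:
    """Build identical sources twice, one hour and one day after the release."""
    digests = []
    for build_time in (SOURCE_DATE_EPOCH + 3600, SOURCE_DATE_EPOCH + 86400):
        with tempfile.TemporaryDirectory() as tmp:
            src = Path(tmp)
            (src / "bin").mkdir()
            (src / "bin" / "hello").write_text("#!/bin/sh\necho hello\n")  # constructed
            (src / "README").write_text("constructed sample package\n")      # constructed
            for p in src.rglob("*"):
                os.utime(p, (build_time, build_time))  # simulate the build clock
            digests.append(payload_digest(src, clamp))
    return digests[0], digests[1]


if __name__ == "__main__":
    raw_a, raw_b = two_builds(clamp=False)
    print("unclamped rebuild identical:", raw_a == raw_b)   # False: mtimes leak in
    fixed_a, fixed_b = two_builds(clamp=True)
    print("clamped rebuild identical:  ", fixed_a == fixed_b)  # True
    official = {"payload": fixed_a, "buildhost": "koji-builder-01", "signature": "sig-A"}
    rebuilt = {"payload": fixed_b, "buildhost": "my-laptop", "signature": None}
    print("real differences:", compare_packages(official, rebuilt))  # {}
```

Running the script shows the unclamped archives hashing differently even though every file byte is identical, while the clamped archives match; `compare_packages` then reports no real difference between the "official" and "rebuilt" records, because only host and signature differ. Any entry it does report is exactly the kind of discrepancy the 99% target is meant to surface.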
Similar reproducible builds efforts are under way in other distributions, including Debian, Arch Linux, openSUSE and NixOS, reflecting a community-wide push to improve package reliability and security across open-source software.