"The end result is that it is essentially impossible to get reproducible builds of a large software environment without either freezing it (and accepting bugs, including security bugs, won't be fixed) or rebuilding everything all the time (and then you get a build anyone can reproduce for the few days it will live before being replaced by a new build)."
The good news is that we've got a lot more cycles to throw at the problem, and a lot of this is embarrassingly parallel. You can force rebuilds so that on release everything was built with the current dev tools. You want to do that anyway, because that means that all the packages use the current optimizations, etc. There's no reason you have to wait until the very end to do this; you could recompile lower-level dev tools, then slowly move up the tree. Regression tests can catch a lot, since recompilation of unchanged source code should not be changing functionality at all.
"Even getting a bootstrappable distro (something that can be built from scratch once, without depending on binaries of suspect origin) is non-trivial due to how many software bits accumulated cyclic dependencies over time. When A depends on B that depends on C which depends on A, what is the build order exactly you are supposed to follow so people can reproduce your stack?"
It's annoying, but for bootstrapping you can break the dependencies. There are lots of ways to do it. And in the longer term, you can work to break the dependencies; a lot of these cycles are inadvertent.
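The build-order question in the quoted comment and the "recompile lower-level tools, then move up the tree" approach in the reply, as an added example that is not part of the original discussion: a constructed dependency graph containing the A -> B -> C -> A cycle, a check that reports which packages are stuck in a cycle, and a two-stage bootstrap plan once one edge is cut. The package names and the chosen cut edge are assumptions.

```python
from collections import deque

# Constructed example: each package maps to what it needs at build time.
# The A -> B -> C -> A cycle mirrors the one asked about in the comment.
DEPS = {
    "libc": [],
    "binutils": ["libc"],
    "gcc": ["binutils", "libc"],
    "A": ["B", "gcc"],
    "B": ["C"],
    "C": ["A", "libc"],
    "app": ["A"],
}


def build_order(deps, cut_edges=()):
    """Kahn's algorithm over the dependency graph.

    Returns (order, stuck): a lower-level-first build order, and the packages
    that can never become ready because they sit in (or behind) a cycle.
    cut_edges are (pkg, dep) pairs ignored for the stage-0 bootstrap build."""
    cut = set(cut_edges)
    remaining = {p: {d for d in ds if (p, d) not in cut} for p, ds in deps.items()}
    order = []
    ready = deque(sorted(p for p, ds in remaining.items() if not ds))
    while ready:
        p = ready.popleft()
        order.append(p)
        for q, ds in remaining.items():        # release packages waiting on p
            if p in ds:
                ds.discard(p)
                if not ds and q not in order and q not in ready:
                    ready.append(q)
    stuck = sorted(p for p in deps if p not in order)
    return order, stuck


def bootstrap_plan(deps, cut_edges):
    """Stage 0 builds everything with the cut edges ignored; stage 1 rebuilds
    the packages built without some real dependency, plus everything above
    them, so the shipped binaries were all built with current tools."""
    order, stuck = build_order(deps, cut_edges)
    if stuck:
        raise ValueError(f"cycle remains among {stuck}; cut more edges")
    rebuild = {p for p, _ in cut_edges}        # built against a reduced graph
    changed = True
    while changed:                             # close over reverse dependencies
        changed = False
        for p, ds in deps.items():
            if p not in rebuild and any(d in rebuild for d in ds):
                rebuild.add(p)
                changed = True
    stage1 = [p for p in order if p in rebuild]
    return order, stage1
```

With no edge cut, `build_order(DEPS)` builds only libc, binutils and gcc and reports A, B, C and app as stuck; cutting C's dependency on A for stage 0 yields a full order and a stage-1 rebuild list of C, B, A, app.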
Copyright © 2017, Eklektix, Inc.