The advantages are better verifiability that the source code matches the binaries, thus addressing one of the many steps one has to check before trusting the software one runs.
We discussed various topics during the conference in small groups:
- technical aspects (how to achieve this, how to cooperate over distributions, ...)
- social aspects (how to argue for it with programmers, managers, lay people)
- financial aspects (how to get funding for such work)
- lots of other stuff
Making the base system reproducible: a big part of the work for this has already been done, but there are a number of open issues, visible e.g. in Debian's regularly scheduled test builds, up to the fact that this is not the default yet.
Making pkgsrc reproducible: This will be a huge task, since pkgsrc targets so many and diverse platforms. On the other hand, we have a very good framework underneath that should help.
For giggles, I've compared the binary packages for png built on 7.99.22 and 7.99.23 (in my chrooted pbulk only though) and found that most differences were indeed only timestamps. So there's probably a lot of low-hanging fruit in this area as well.
If you want to help, here are some ideas:
- fix the MKREPRO bugs (like PRs 48355, 48637, 48638, 50119, 50120, 50122)
- check https://reproducible.debian.net/netbsd/netbsd.html for more issues, or do your own tests
- discuss turning on MKREPRO by default
- start working on reproducibility in pkgsrc:
  - remove gzip time stamps from binary packages
  - use a fixed time stamp for files inside binary packages (perhaps depending on the newest file in the sources, or the latest change in the pkgsrc files for the pkg)
  - identify more of the issues, like how to get symbols ordered reproducibly in binaries (look at shells/bash)
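As an added illustration of the two package-level items above (the gzip header time stamp, and a fixed time stamp for the files inside a binary package), the following Python script is not code from the page or from pkgsrc; it builds a small tar+gzip archive the way a pkgsrc binary package is packed, shows where the gzip MTIME field lives so a practitioner can check a package for it, and derives one fixed time stamp from the newest source file so that two builds produce byte-identical output. The package contents are constructed sample data, and the helper names are this example's own.

```python
"""Two pkgsrc reproducibility items worked through in Python's gzip/tarfile:
the gzip header MTIME field and per-entry mtimes inside a tar+gzip package."""
import gzip
import io
import os
import struct
import tarfile

GZIP_MAGIC = b"\x1f\x8b"


def gzip_header_mtime(data: bytes) -> int:
    """Return the MTIME field of a gzip stream (RFC 1952: bytes 4..7,
    little-endian seconds since the epoch; 0 means 'no time stamp').
    Useful for checking whether a package still carries a build time."""
    if data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", data[4:8])[0]


def gzip_bytes(payload: bytes, mtime: int) -> bytes:
    """gzip-compress payload with an explicit header MTIME. GzipFile (like
    the gzip tool without -n) would otherwise write the current time into
    the header, which alone makes two otherwise identical builds differ."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def newest_source_mtime(paths) -> int:
    """Derive one fixed build time stamp from the newest source file, one of
    the options suggested above (hypothetical helper, not a pkgsrc API)."""
    return max(int(os.stat(p).st_mtime) for p in paths)


def build_package(files: dict, epoch: int) -> bytes:
    """Build a deterministic tar+gzip package from {path: content}.
    Entries are sorted, ownership is normalised, and every mtime (tar entries
    and the gzip header) is set to `epoch` instead of the build time."""
    tar_buf = io.BytesIO()
    # USTAR format: plain octal header fields, no pax extension records
    with tarfile.open(fileobj=tar_buf, mode="w",
                      format=tarfile.USTAR_FORMAT) as tf:
        for name in sorted(files):           # fixed order, not readdir order
            content = files[name]
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            ti.mtime = epoch
            ti.mode = 0o644
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = "root"
            tf.addfile(ti, io.BytesIO(content))
    return gzip_bytes(tar_buf.getvalue(), mtime=epoch)


def package_entries(pkg: bytes) -> list:
    """Read a package back as (name, mtime, content) triples for checking."""
    raw = gzip.decompress(pkg)
    out = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
        for m in tf.getmembers():
            out.append((m.name, int(m.mtime), tf.extractfile(m).read()))
    return out


if __name__ == "__main__":
    # Constructed sample package contents, not a real pkgsrc package.
    files = {"bin/hello": b"#!/bin/sh\necho hello\n",
             "+CONTENTS": b"@name hello-1.0\n"}
    first = build_package(files, epoch=1_400_000_000)
    second = build_package(files, epoch=1_400_000_000)
    print("identical builds:", first == second)
    print("gzip header mtime:", gzip_header_mtime(first))
    print("entries:", [(n, t) for n, t, _ in package_entries(first)])
```

Running the script twice, or on two machines, yields the same bytes because nothing in the archive depends on the clock or on directory listing order; `gzip_header_mtime` on an existing `.tgz` shows quickly whether that package still embeds its build time.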