https://reproducible-builds.org/
https://wiki.debian.org/ReproducibleBuilds
neon should enable reproducible builds and test that its builds are in fact reproducible.
Reproducible builds aim to produce bit-for-bit identical binaries across multiple rebuilds of the same source, even in varying environments.
This is a uniquely important aspect of system security and trustability. Linux has no means to sign software (binaries, libraries), which has the advantage of being very tinker friendly and the disadvantage of making it very easy for someone with suitably elevated access rights to plant a back door or hijack an existing binary. It is also a matter of trust and accountability: that open source tarball X plus open source packaging Y really do generate binary Z, and that neither we nor a compromised build slave poison the binary behind the scenes.
neon should implement reproducible builds.
- Needs reading up on how Debian does it
- Figure out what needs changing in our tooling to facilitate this
- Create additional subtasks as necessary to implement changes against tooling
- Probably also needs a storage solution worked out, as buildinfo metadata needs to be kept for longer than we keep the builds themselves.
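The check this task builds up to, written here as an added example (not neon's or Debian's own tooling): read the Checksums-Sha256 field of a stored .buildinfo and compare it against the artifacts of a later rebuild, so that a non-reproducible package is flagged rather than silently accepted. The package names and payloads are constructed; the field layout assumed is the one dpkg-genbuildinfo emits.

```python
import hashlib
import os
import tempfile

# Added example, not neon's or Debian's own tooling. Assumes a .buildinfo whose
# Checksums-Sha256 field lists "<sha256> <size> <filename>" per line (dpkg layout).

def parse_checksums_sha256(buildinfo_text):
    """Return {filename: (sha256_hex, size)} from the deb822 Checksums-Sha256 field."""
    expected, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):  # continuation line of the field
            sha, size, name = line.split()
            expected[name] = (sha.lower(), int(size))
        elif in_field:  # first non-indented line ends the field
            break
    return expected

def verify_rebuild(buildinfo_text, artifact_dir):
    """Per recorded artifact: "match", "mismatch" or "missing" against the rebuild."""
    result = {}
    for name, (sha, size) in parse_checksums_sha256(buildinfo_text).items():
        path = os.path.join(artifact_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        ok = os.path.getsize(path) == size and actual == sha
        result[name] = "match" if ok else "mismatch"
    return result

def demo():
    """Constructed scenario: one package rebuilds bit-identical, one drifted."""
    reference = {"foo_1.0-1_amd64.deb": b"reference deb payload\n",
                 "foo-dbgsym_1.0-1_amd64.deb": b"dbgsym payload\n"}
    lines = ["Format: 1.0", "Source: foo", "Checksums-Sha256:"]
    for name, data in reference.items():  # what the reference build recorded
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    buildinfo = "\n".join(lines + ["Build-Architecture: amd64"]) + "\n"
    rebuilt = dict(reference)  # the rebuild embedded a timestamp in one package
    rebuilt["foo-dbgsym_1.0-1_amd64.deb"] = b"dbgsym payload built 2019-01-01\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in rebuilt.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_rebuild(buildinfo, d)
```

Because the comparison only needs the recorded checksums, the .buildinfo is what has to outlive the build artifacts, which is the storage requirement noted in the last item above.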