can someone please elucidate the _benefits_ of reproducible builds ? perhaps i am missing something trivial?
thank you kindly!
It's very important in FOSS imo.
There is FOSS called ungoogled chromium. And building chromium takes a lot of time (in my case 8 hours). The problem here is the chromium build is not reproducible and the repo author can't build chromium for every platform and every version as it's very expensive for him. So what he currently does is accept the binaries from others.
But as a user how can I trust the user who built the binaries? He might have tampered with the binaries? He might have inserted back doors secretly? Just because he published binaries, let's say for 10 years, doesn't grant 100% trustworthiness, right? He might have been hacked etc. too?
I think reproducible builds fix such problems. Other than the trust factor I really don't think there is significant advantage.
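The trust argument above is exactly what a reproducibility check automates: if several independent people rebuild the same tagged source and all get the same bytes, a downloaded binary can be checked against that shared digest instead of against one contributor's word. The following is an added example written for this thread, not code from any commenter or from the ungoogled-chromium project; builder names, the artifact bytes and the digests are all constructed here, and the "strict majority plus quorum" policy is an assumption, not an established standard.

```python
"""Multi-party reproducibility check (added example, constructed data).

Assumes each independent builder publishes the SHA-256 of the artifact they
produced from the same tagged source. When the build is reproducible every
honest builder reports the same digest, so a lone divergent digest points at
tampering, a compromised builder, or a non-reproducible input, not at noise.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: bool
    reference_digest: str | None   # digest a strict majority of builders agree on
    local_digest: str              # digest of the file we actually downloaded
    agreeing: list[str] = field(default_factory=list)
    dissenting: list[str] = field(default_factory=list)
    reason: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def consensus_digest(reports: dict[str, str]) -> str | None:
    """Return the digest reported by a strict majority of builders, else None."""
    if not reports:
        return None
    digest, n = Counter(reports.values()).most_common(1)[0]
    return digest if n * 2 > len(reports) else None


def verify_download(artifact: bytes, reports: dict[str, str], quorum: int = 2) -> Verdict:
    """Accept the artifact only if it matches what at least `quorum` independent
    builders reproduced and those builders form a strict majority."""
    local = sha256_hex(artifact)
    ref = consensus_digest(reports)
    agreeing = sorted(b for b, d in reports.items() if d == ref) if ref else []
    dissenting = sorted(b for b in reports if b not in agreeing)
    if ref is None:
        return Verdict(False, None, local, agreeing, dissenting,
                       "no majority digest: build not reproducible or builders disagree")
    if len(agreeing) < quorum:
        return Verdict(False, ref, local, agreeing, dissenting,
                       f"only {len(agreeing)} builder(s) agree; need {quorum}")
    if local != ref:
        return Verdict(False, ref, local, agreeing, dissenting,
                       "downloaded binary does not match the independently reproduced digest")
    return Verdict(True, ref, local, agreeing, dissenting,
                   "download matches the independently reproduced digest")


# --- constructed sample data; these are not real ungoogled-chromium digests ---
SAMPLE_ARTIFACT = b"constructed stand-in for a downloaded browser build"
SAMPLE_REPORTS = {
    "builder-a": sha256_hex(SAMPLE_ARTIFACT),
    "builder-b": sha256_hex(SAMPLE_ARTIFACT),
    "builder-c": sha256_hex(SAMPLE_ARTIFACT),
    # one builder reports different bytes: worth investigating, but outvoted
    "builder-d": sha256_hex(b"constructed: build with an unexplained difference"),
}

if __name__ == "__main__":
    print(verify_download(SAMPLE_ARTIFACT, SAMPLE_REPORTS))
    print(verify_download(b"constructed: altered download", SAMPLE_REPORTS))
```

The dissenting list is the useful output for a maintainer: a single outlier usually means that builder's environment leaked into the output (timestamps, paths, toolchain version) and the build is not yet fully reproducible; a binary that fails against a unanimous reference is the case the thread is worried about.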
Chromium's build is reproducible: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...
To confirm, I went to https://github.com/Eloston/ungoogled-chromium and it says "NOTE: These binaries are provided by anyone who are willing to build and submit them. Because these binaries are not necessarily reproducible, authenticity cannot be guaranteed;"