I'm using a hook for pacman on Arch to verify reproducible builds, but one issue I've found is that it slows down package management substantially. Has anyone else encountered this, and is there a solution for verification without slowing down the package manager?
What are you describing here, compile time for a local verification?
If so, how would you imagine that could be sped up?
- If the distro is working on reproducibility, they should have a dashboard somewhere with reproducibility status.
For Arch that would be https://reproducible.archlinux.org/
It would be done in their CI and there should be no reason for you to also manually verify this, unless you are a very targeted individual and you think it's reasonable that Arch Linux infrastructure is hacked to target you.
Basically, either you trust your distro or you don't. If you are running local verifications of reproducibility, I am guessing you are not.
So consider switching to a distro that you do trust.