alt Hacker NewsBut where does the original compiler come from? Reproducible builds are only as good as the compiler used to compile them. That's the point of Trusting Trust. If you build with a backdoored compiler and I reproduce your build with the same backdoored compiler, that solves nothing. This is why full-source bootstrap is important[0].
[0]: https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-...
It would be very very hard to actually accomplish something like that on mainstream x86/arm compilers. And hide it from every debugger in the world. If it diminishes the value of reproducible builds, it's by something like 1%.
> Reproducible builds are only as good as the compiler used to compile them.
Which is so so so much better than "as good as nothing".