> I would be very interested to know more about what makes a build process
> reproducible? My guess is that this would be if the components used in
> the building procedure are specified (so that there is no variation
> occurring i.e. simply because different compiler(versions) generate
> different code i.e. due to optimization patterns being different etc.?)

There should be no such differences: coreboot uses a fixed known-working crosstoolchain version (while I don't know what issues are there depending on both host and target systems). This is used to avoid compiler bugs.

Multiple builds with the same toolchain can differ: e.g. by including timestamps in code or archive files, or compilers doing nondeterministic optimizations.

Nice thing to check: extract git commit hash and .config from a ROM, build from source and compare. Then make it generate such ROMs that two builds will produce exactly the same ROMs. (Just comparing whole ROM images won't work for systems storing memory training data in flash. It also won't work for systems with nonredistributable blobs there.)

https://wiki.debian.org/ReproducibleBuilds/About has many references that might help.
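The ROM comparison described in the reply above, as an added example that is not part of the original message: it compares two images while skipping regions that legitimately differ, such as stored memory training data. The region offsets, image layout and helper names are assumptions constructed for illustration.

```python
import hashlib

def _check(size, excluded):
    for start, end in excluded:
        if not 0 <= start <= end <= size:
            raise ValueError(f"bad region {start:#x}-{end:#x}")

def masked_digest(image, excluded=()):
    """SHA-256 of the image with every excluded [start, end) range zero-filled."""
    _check(len(image), excluded)
    buf = bytearray(image)
    for start, end in excluded:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()

def differing_ranges(a, b, excluded=()):
    """Merged [start, end) ranges where a and b differ outside the excluded regions."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    _check(len(a), excluded)
    skip = bytearray(len(a))
    for start, end in excluded:
        skip[start:end] = b"\x01" * (end - start)
    ranges, run = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        differs = x != y and not skip[i]
        if differs and run is None:
            run = i
        elif not differs and run is not None:
            ranges.append((run, i))
            run = None
    if run is not None:
        ranges.append((run, len(a)))
    return ranges

# Constructed sample: 4 KiB images, build stamp at 0x100, "training data" at 0xE00.
def sample_image(stamp, training):
    img = bytearray(b"\xff" * 0x1000)
    img[0x100:0x104] = stamp
    img[0xE00:0xE00 + len(training)] = training
    return bytes(img)

VOLATILE = [(0xE00, 0xF00)]  # assumed offsets; take real ones from the board's flash layout
BUILD_A = sample_image(b"AAAA", b"\x11" * 16)
BUILD_B = sample_image(b"BBBB", b"\x22" * 16)   # differs in stamp and training data
BUILD_C = sample_image(b"AAAA", b"\x22" * 16)   # differs in training data only

if __name__ == "__main__":
    for name, other in (("B", BUILD_B), ("C", BUILD_C)):
        diffs = differing_ranges(BUILD_A, other, VOLATILE)
        print(name, "reproducible" if not diffs else [(hex(s), hex(e)) for s, e in diffs])
```

The reported ranges point at where nondeterminism such as an embedded timestamp entered the image, which a whole-file hash mismatch alone does not show.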
