I agree that it is good to give it a name (I have called it semi-reproducible before), but we should be clear on communicating the disadvantages.

In openSUSE we have been working towards repeatable semantically reproducible builds for over a decade [1] using our open-build-service and a tool called build-compare to filter out "insignificant" diffs.

However, while working with the tool, I already found three (3) bugs in build-compare that made it report packages with significant differences as 'identical'. And if you don't rely on such tools, you need expensive manual reviews every time that cannot be automated and might also miss issues.

I have manually reviewed hundreds of package diffs in the past and it took many hours, so I'm not eager to repeat that.

Another disadvantage of such binaries is that you don't have a single correct SHAsum that can be signed, communicated and compared easily.
You always need the full binary to compare to your rebuild.

The cleaner way is to use strip-nondeterminism to remove all these insignificant bits during build and make the resulting bit-reproducible output the official binary.

Ciao
Bernhard M.

[1] https://github.com/openSUSE/build-compare/commit/5cba04fb8def5d88423737a1a1957730e2217357
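Added example (not code from Bernhard's mail, from build-compare or from strip-nondeterminism): a small Python sketch of the two approaches discussed above. It builds a constructed zip "package" twice with different build times, shows that a strip-nondeterminism-style normalisation (fixed mtimes, sorted entries, fixed modes) yields one stable SHA-256 that can be signed and compared without the full binary, and shows how a build-compare-style ignore filter that is one regex too broad reports a rebuild that lost a hardening flag as 'identical'. All file names, file contents and ignore patterns are made up for the demonstration.

```python
"""Added example, not code from the mail, build-compare or strip-nondeterminism.

Two ways to decide that a rebuilt package "matches" the original: normalise the
nondeterministic bits at build time and compare one hash, or keep them and
filter "insignificant" differences at compare time. All file names, contents
and ignore patterns below are constructed for the demonstration.
"""
import hashlib
import io
import re
import zipfile

# Constructed package payload; the BUILDINFO file carries a build timestamp.
BASE_FILES = {
    "usr/bin/tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/tool/BUILDINFO": (
        b"Build-Date: 2024-01-01T00:00:00Z\n"
        b"Build-Flags: -O2 -fstack-protector-strong\n"
    ),
}
FIXED_MTIME = (1980, 1, 1, 0, 0, 0)  # zip's minimum timestamp, used like SOURCE_DATE_EPOCH


def build_archive(files, mtime):
    """Pack files into a zip, stamping every entry with the build time.
    Models a build that leaks the wall clock into its output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def normalize_archive(data):
    """strip-nondeterminism-style pass: fixed mtimes, sorted entries, fixed
    permissions. The output bytes then depend only on the payload."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=FIXED_MTIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16
            zf.writestr(info, src.read(name))
    return out.getvalue()


def signable_digest(data):
    """The single SHA-256 that can be signed and published for the package."""
    return hashlib.sha256(normalize_archive(data)).hexdigest()


def semantic_compare(a, b, ignore_patterns):
    """build-compare-style check: archives count as 'identical' if, after
    dropping lines matching any ignore pattern, every file has equal content."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    if sorted(za.namelist()) != sorted(zb.namelist()):
        return False
    regexes = [re.compile(p) for p in ignore_patterns]

    def filtered(z, name):
        return [ln for ln in z.read(name).split(b"\n")
                if not any(r.search(ln) for r in regexes)]

    return all(filtered(za, n) == filtered(zb, n) for n in za.namelist())


def demo():
    """Return the outcome of the comparisons as a dict of booleans."""
    first = build_archive(BASE_FILES, (2024, 1, 1, 0, 0, 0))
    rebuild = build_archive(BASE_FILES, (2024, 6, 1, 12, 30, 0))  # same payload, later build
    # A rebuild that silently lost a hardening flag: a significant difference.
    regressed = dict(BASE_FILES)
    regressed["usr/share/doc/tool/BUILDINFO"] = (
        b"Build-Date: 2024-06-01T12:30:00Z\nBuild-Flags: -O2\n"
    )
    bad = build_archive(regressed, (2024, 6, 1, 12, 30, 0))
    return {
        # raw bytes differ only in the embedded mtimes, so plain hashes never match
        "raw_hash_matches": hashlib.sha256(first).digest() == hashlib.sha256(rebuild).digest(),
        # after normalisation one digest covers both builds ...
        "normalized_hash_matches": signable_digest(first) == signable_digest(rebuild),
        # ... and still distinguishes the regressed build
        "normalized_hash_flags_regression": signable_digest(first) != signable_digest(bad),
        # a tight ignore pattern catches the regression
        "narrow_filter_flags_regression": not semantic_compare(first, bad, [rb"^Build-Date:"]),
        # one regex too broad reports it as 'identical'
        "broad_filter_hides_regression": semantic_compare(first, bad, [rb"^Build-"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the last two entries is the one made in the mail: a compare-time filter is only as good as its pattern list, and an over-broad pattern turns a real change into a reported 'identical'. The normalised digest has no such list to get wrong, and is the one value that can be signed and handed to a rebuilder without shipping the whole binary.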
