“Reproducible builds” is a practice that ensures the source code for a piece of software and the binary produced by building it are matched bit-for-bit: building the same source with the same toolchain and build environment always yields an identical binary. Because the output is deterministic, anyone can rebuild the software and check that nobody tampered with it during the build phase to add malicious code or other changes. Person A and Person B building the same source code should get the exact same binary package.
Reproducible builds are important for mitigating what are known today as “supply-chain attacks”: attacks that are not aimed directly at the target system but at a component, library, dependency or build process that the system relies on.
Just because you have read the source code of an open source program on GitHub does not mean that the binary package you download and install on your operating system is 100% derived from that source code. Someone sitting in the middle of the build phase, whether a compromised build server or a malicious maintainer, could alter that package, sometimes without anyone noticing, and ship malicious code or scripts to user systems. A reproducible build lets an independent party rebuild the package and compare the result with the published binary, so such tampering becomes detectable.
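To make the comparison concrete, here is an added example (not from the original post, and not any distribution's own tooling) that builds a tiny constructed package twice, once the naive way and once following the reproducible-builds.org conventions, and checks whether two independent builders end up with the same hash. It assumes GNU tar, gzip and coreutils (sha256sum, date -d); the package contents, the fixed logical path /build/pkg and the SOURCE_DATE_EPOCH default are made-up values for illustration.

```shell
#!/bin/sh
# Added example: build a constructed package twice and compare the outputs.
# Assumes GNU tar (--sort, --mtime), gzip and coreutils (sha256sum, date -d).
set -eu

# Constructed sample source tree: one script plus a metadata file.
make_source() {                          # $1 = directory to create
    mkdir -p "$1"
    printf '#!/bin/sh\necho "hello from the package"\n' > "$1/hello.sh"
    printf 'name=hello\nversion=1.0\n' > "$1/metadata"
}

# Naive build: bakes the wall clock and the temporary build path into the
# package, and lets tar/gzip record timestamps, ownership and directory order.
naive_build() {                          # $1 = source dir, $2 = output tarball
    workdir=$(mktemp -d)
    cp -r "$1" "$workdir/pkg"
    {
        echo "built_on=$(date -u)"
        echo "built_in=$workdir"
    } >> "$workdir/pkg/metadata"
    tar -C "$workdir" -cf - pkg | gzip > "$2"
    rm -rf "$workdir"
}

# Reproducible build, following the reproducible-builds.org conventions:
#  - timestamps come from SOURCE_DATE_EPOCH instead of the clock
#  - the build path is replaced by a fixed logical path (the same idea as
#    a compiler's -ffile-prefix-map)
#  - tar entries are sorted and given a fixed mtime and root ownership
#  - gzip -n omits the embedded timestamp
# The default epoch and the /build/pkg path are arbitrary values for this example.
repro_build() {                          # $1 = source dir, $2 = output tarball
    : "${SOURCE_DATE_EPOCH:=1700000000}"
    workdir=$(mktemp -d)
    cp -r "$1" "$workdir/pkg"
    {
        echo "built_on=$(date -u -d "@$SOURCE_DATE_EPOCH" +%Y-%m-%dT%H:%M:%SZ)"
        echo "built_in=/build/pkg"
    } >> "$workdir/pkg/metadata"
    LC_ALL=C tar -C "$workdir" --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner -cf - pkg | gzip -n > "$2"
    rm -rf "$workdir"
}

# Play "Person A" and "Person B": build the same source twice with the given
# build function and report whether the two packages are bit-for-bit identical.
builds_match() {                         # $1 = build function; prints identical|differ
    src=$(mktemp -d)
    make_source "$src/hello-1.0"
    out_a=$(mktemp)
    out_b=$(mktemp)
    "$1" "$src/hello-1.0" "$out_a"
    "$1" "$src/hello-1.0" "$out_b"
    hash_a=$(sha256sum "$out_a" | cut -d' ' -f1)
    hash_b=$(sha256sum "$out_b" | cut -d' ' -f1)
    rm -rf "$src" "$out_a" "$out_b"
    [ "$hash_a" = "$hash_b" ] && echo identical || echo differ
}

echo "naive build:        $(builds_match naive_build)"
echo "reproducible build: $(builds_match repro_build)"
```

The naive variant differs on every run because the build directory name and the clock leak into the output; the second variant removes each of those sources of variation and produces the same hash for both builders. When two real packages do differ, the reproducible-builds project's diffoscope tool shows exactly where (a timestamp, an embedded path, archive ordering), which is the kind of diagnosis that leads to the upstream fixes discussed later in this post.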
Years ago, mainstream Linux distributions started the effort of making all of their packages reproducible. That is, anyone who rebuilds the source code for any package in the distribution gets the exact same binary package, allowing independent verifiers and auditors to confirm that the supply chain has not been tampered with. Today, according to the project's continuous-integration tests, most of the participating Linux distributions stand above a 90% rate of reproducible packages, and you can track their progress on this website:
https://reproducible-builds.org/citests/
A few days ago, researchers from the Lucerne University of Applied Sciences and Arts in Switzerland published a paper detailing how many Arch Linux packages are actually reproducible according to their own independent tests:
https://dl.gi.de/server/api/core/bitstreams/f8685808-2e51-4a53-acc0-2b45fa240e3b/content
Their finding is that around 89% of Arch Linux packages are reproducible, while the remaining 11% are not. They have also set up an online service that continuously rebuilds Arch Linux packages and displays the current reproducibility rate:
https://reproducible.crypto-lab.ch/
As an additional effort, the researchers selected 16 unreproducible packages belonging to Certbot, the EFF-maintained client that obtains free HTTPS certificates from Let’s Encrypt for any web server, and reported the issues upstream so that they get fixed.
They also found that a package belonging to the fwupd project is not reproducible. fwupd is an open-source daemon for installing firmware updates that is included by default in most Linux distributions; its firmware repository, the LVFS, is hosted by the Linux Foundation. They have submitted a pull request upstream to fix the issue.
So, according to these independent verifiers, around 89% of Arch Linux packages are currently reproducible, with the packages mentioned above among the remaining ones. There is still some way to go before hitting the 100% mark, but the open source community is steadily getting closer to that target.