Mike Swanson

Debian going full reproducible might help them discontinue shipping most debugging symbols in packages (they can be very large, take up a lot of room on the DVDs/BDs). If you need debugging, you could build the package yourself, and get them. Probably Linux itself should be always have provided debugging symbols, and I don't think of any other exceptions.

If you have build options so that compile time and file system paths aren't included in the output, you can pretty quickly verify that a binary wasn't tampered with, or built from the same source code as the input. The "sha256sum" utility is one such easy way to verify. You can often dig into and find the innocuous build difference (such as timestamps and paths) with a diff, but it's harder. Then of course there's shell scripts; there's a bunch of nasty ASCII control codes that can effectively overwrite the display of the current line and you can easily hide malicious commands in them that don't show up with a normal "cat https://t.co/q1TnK35Fxx" command.

Debian Linux has declared that, effective immediately, they will reject all packages which are not reproducible. “Debian must ship reproducible packages.” “block migration of new packages that can't be reproduced [2] or existing packages (in testing) that regress in reproducibility.” https://t.co/eOG4xAL56V