#72 LibreCMC Reproducible Builds?

Closed
opened 5 years ago by balduin · 1 comments
balduin commented 5 years ago

I was unable to find LibreCMC in the list of operating systems which actively work towards [reproducible builds](https://reproducible-builds.org/). Is there any effort from LibreCMC in this direction?
RISCI_ATOM commented 5 years ago
Collaborator

For the moment, libreCMC inherits from upstream (OpenWrt/LEDE) and the majority of packages can be built in a reproducible way, but firmware images cannot.

Reproducible builds don't currently address the more critical issues that we have in the free software world in terms of verifying that we are getting a clean resulting binary from the sources found in a given source repository. The battle that should be fought well before reproducible builds is the fact that the majority of critical free software projects don't sign source releases or sign commits (libreCMC is guilty of not signing commits, but I will address this). A few years ago, I set out to try to implement signature checking for all core/base components found in libreCMC and found that quite a few projects don't sign source packages or commits in their respective repositories (or commits are signed, but not source packages).

I wanted to compile a list of projects that don't currently sign source releases, but I did not want to shame projects or put them in a negative light. The goal of this list would be to contact respective free software projects and ask about signing source releases and commits. This type of campaign would take a lot of resources, but I will revisit it if there are enough parties interested.

The reason that libreCMC commits are not signed is because not all components in libreCMC are signed upstream and because the volume of contributors is small. Adding the requirement of having a gpg key and signing commits would add another barrier for contributions (but I could manually merge and sign proposed contributions).

For the v1.5.x release, I could revisit this issue and see where various upstream projects stand in this regard.

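The check described in the reply above (verifying that a source package is the one upstream signed, and recording which packages ship no signature at all) looks roughly like the following in a build script. This is an added example, not libreCMC's or OpenWrt's own download logic; the file names, the keyring path and the pinned hash it is called with are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: gate a build on the integrity and authenticity of an upstream
# source tarball. Policy implemented here:
#   1. the tarball must match a hash pinned in the build tree (integrity);
#   2. if upstream ships a detached OpenPGP signature, it must verify against a
#      keyring pinned in the build tree, never the developer's default keyring;
#   3. if upstream ships no signature, the package is accepted on the pinned
#      hash alone, but a WARN line is emitted so unsigned projects are visible.
# Assumptions (not from the page): the caller supplies the paths and the pinned
# sha256; gpg and sha256sum are available on the build host.

verify_source() {
    tarball="$1"        # e.g. pkg-1.2.tar.xz (hypothetical)
    sig="$2"            # e.g. pkg-1.2.tar.xz.asc (may not exist)
    keyring="$3"        # pinned upstream keys, e.g. keys/pkg.kbx (hypothetical)
    expected_sha="$4"   # sha256 recorded in the package Makefile

    # Step 1: integrity. A mismatch is fatal regardless of signature state,
    # so a swapped tarball cannot be masked by a valid-looking signature file.
    actual_sha=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual_sha" != "$expected_sha" ]; then
        echo "FAIL: $tarball sha256 mismatch (got $actual_sha)" >&2
        return 1
    fi

    # Step 2: authenticity. Only the pinned keyring is consulted, so a key that
    # merely happens to be in the developer's keyring does not count.
    if [ -f "$sig" ]; then
        if gpg --no-default-keyring --keyring "$keyring" \
               --verify "$sig" "$tarball" >/dev/null 2>&1; then
            echo "OK: $tarball signature verified against $keyring"
            return 0
        fi
        echo "FAIL: $tarball signature did not verify" >&2
        return 1
    fi

    # Step 3: upstream ships no signature. Accept on the pinned hash, but make
    # the gap visible; grepping a full build log for WARN yields the list of
    # projects that would need to be asked to sign their releases.
    echo "WARN: $tarball has no upstream signature; accepted on pinned sha256 only"
    return 0
}
```

Calling `verify_source` from the package download step and failing the build on a non-zero return keeps the policy in one place; the pinned hash still catches a modified tarball for unsigned projects, while the signature step is what actually ties the archive to the upstream maintainers' keys.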