Fedora is closing in on its goal to deliver reproducible builds, with a change proposal for Fedora 43 that calls for 99% of packages to be reproducible.
Linux distros have been working to become reproducible, an important step toward improving the security and reliability of distros. The Reproducible Builds project provides the best definition of exactly what constitutes a reproducible build.
A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.
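To make that definition concrete, here is a small added example (not part of the article or of Fedora's tooling): a toy "package build" run twice in two fresh directories, first with a naive build step that embeds the absolute build path and the wall-clock time, then with a build step that uses the SOURCE_DATE_EPOCH convention and records only a path relative to the build root. The source tree, the file names, and the fixed epoch value are constructed for the example; the tools assumed are sha256sum, mktemp, find, and sort from a standard Linux userland.

```shell
#!/bin/sh
# Added example, not from the article: build the same constructed sources twice
# and check whether the artifacts are bit-for-bit identical.
set -eu

# Constructed source tree for the toy package.
make_source() {
  dir=$1
  mkdir -p "$dir/src"
  printf 'int main(void){return 0;}\n' > "$dir/src/main.c"
  printf 'Toy package 1.0\n' > "$dir/README"
}

# Naive build: embeds the absolute build directory and the current time,
# two common reasons a package fails to reproduce.
naive_build() {
  builddir=$1; out=$2
  {
    printf 'built-in: %s\n' "$builddir"
    printf 'built-at: %s\n' "$(date +%s)"
    cat "$builddir"/src/*.c "$builddir/README"
  } > "$out"
}

# Reproducible build: timestamp comes from SOURCE_DATE_EPOCH (a fixed,
# constructed default here), paths are relative to the build root, and
# inputs are consumed in a locale-independent sorted order.
reproducible_build() {
  builddir=$1; out=$2
  : "${SOURCE_DATE_EPOCH:=1700000000}"
  {
    printf 'built-in: %s\n' "."
    printf 'built-at: %s\n' "$SOURCE_DATE_EPOCH"
    (cd "$builddir" && find . -type f ! -name pkg.bin | LC_ALL=C sort |
      while read -r f; do cat "$f"; done)
  } > "$out"
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Build identical sources in two separate directories with the given build
# function; print SAME if the artifacts match bit for bit, else DIFFERENT.
build_twice() {
  builder=$1
  a=$(mktemp -d); b=$(mktemp -d)
  make_source "$a"; make_source "$b"
  "$builder" "$a" "$a/pkg.bin"
  "$builder" "$b" "$b/pkg.bin"
  ha=$(hash_of "$a/pkg.bin"); hb=$(hash_of "$b/pkg.bin")
  rm -rf "$a" "$b"
  if [ "$ha" = "$hb" ]; then echo SAME; else echo DIFFERENT; fi
}

printf 'naive build:        %s\n' "$(build_twice naive_build)"
printf 'reproducible build: %s\n' "$(build_twice reproducible_build)"
```

The naive build reports DIFFERENT even though the source, build instructions, and toolchain never changed, because the artifact captured something about the build environment that the definition above says must not leak in. The second build reports SAME; this hash comparison across independent builders is the check that lets a distribution, or any third party, catch an artifact that does not match its published source.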
In its change proposal, the Fedora project shows just how far it has come.
Over the last few releases, we changed our build infrastructure to make package builds reproducible. This is enough to reach 90%. The remaining issues need to be fixed in individual packages. After this Change, package builds are expected to be reproducible. Bugs will be filed against packages when an irreproducibility is detected. The goal is to have no fewer than 99% of package builds reproducible.
As Joe Brockmeier of LWN.net points out, preventing supply chain attacks is one of the main benefits of reproducible builds.
Supply chain attacks took center stage in 2024 as a result of the XZ backdoor that made its way into some bleeding-edge Linux distros. In that incident, a bad actor spent years gaining the trust of an overworked maintainer of a popular utility until the project was turned over to the bad actor entirely. At that point, the bad actor inserted a backdoor into the XZ utility that would have given access to millions of servers across the internet. Given the time, effort, and scope of this particular supply chain attack, it’s likely the bad actor was state-sponsored.
While the XZ incident was discovered and mitigated before any harm could be done—the backdoor was caught before it made its way into stable distros like Debian and Ubuntu, and only impacted some rolling releases like openSUSE and Arch—the entire incident was appropriately viewed within the Linux community as a cybersecurity near-miss, not a smashing success.
Reproducible builds will be an important step toward preventing future XZ-type attacks. As a result, Fedora’s announcement is a wonderful development, one that other distros will hopefully soon follow.