I've been meaning to spend more time learning about reproducible builds and haven't gotten around to it, but here's my naive understanding of it (please let me know if I'm off on anything here):
A project may release source code, but if you download an executable/binary from someone else's website, you still don't really know if the program you are running is the same as what is specified by the source code.
It's better to compile the program on your own. But not everyone can or will do this. So, it's helpful if some people who are so inclined can compile the code and then compare a hash of the executable they create with the executables that are publicly available from popular sources.
Unfortunately, hardware and operating system differences can make it so that there are slight differences in compiled software despite using the exact same source code.
In a great feat of persistence, you've managed to compile Core v31 on Nix and produce a program whose hash matches the hash of the binaries released on Bitcoin Core's website.
At first glance, this might sound like it should be straightforward: Nix and Guix both compile the same Bitcoin Core source code with GCC, so why wouldn’t the resulting binaries match? In practice, reproducible builds are extremely fragile. Tiny differences in compiler behavior, filesystem paths, timestamps, linker metadata, dependency versions, or environment variables are enough to end up with a different binary, and thus a different final hash. And while Nix and Guix are philosophically similar, they are independently constructed toolchains with different package graphs, patches, and bootstrap chains. Bitcoin Core uses Guix so release binaries can be independently verified by other developers and users.
The matching hash shows that the Bitcoin Core build process is deterministic enough that an independently built toolchain can end up producing the exact same binary. The reproducibility doesn’t seem to be coming from Guix as a special environment alone, but from the build itself. In that sense, it shifts reproducible builds from something that only holds inside the carefully controlled Guix system to something you can actually check across two (carefully controlled) systems. In the future, Guix could be just one participant in a supply-chain model where trust comes from independent builds converging on the same artifact.
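As an added example (not from this thread and not Bitcoin Core's own tooling) of the check the two posts above describe: it renders SHA256SUMS-style manifests for a release and for several independent builders, then reports which builders converge on the release hash and which diverge. The artifacts, builder names and file name are constructed byte strings; one builder's output embeds a different build path, standing in for the kind of tiny difference that changes the final hash.

```python
import hashlib

# Constructed stand-ins for build outputs (not real Bitcoin Core artifacts).
# "nix-stale" embeds a different build path, so its hash diverges even
# though everything else about the "binary" is identical.
FILE = "bitcoin-v31-example-x86_64.tar.gz"  # constructed file name
RELEASE = {FILE: b"\x7fELF core v31 /gnu/store/abc-bitcoin"}
BUILDERS = {
    "guix-builder-1": {FILE: b"\x7fELF core v31 /gnu/store/abc-bitcoin"},
    "nix-builder": {FILE: b"\x7fELF core v31 /gnu/store/abc-bitcoin"},
    "nix-stale": {FILE: b"\x7fELF core v31 /nix/store/xyz-bitcoin"},
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_sha256sums(files: dict) -> str:
    """Render a SHA256SUMS-style manifest: '<hex>  <filename>' per line."""
    lines = [f"{sha256_hex(d)}  {n}" for n, d in sorted(files.items())]
    return "\n".join(lines) + "\n"

def parse_sha256sums(text: str) -> dict:
    """Parse a manifest back into {filename: hex}; skips blank lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        out[name] = digest.lower()
    return out

def check_convergence(release_manifest: str, builder_manifests: dict) -> dict:
    """For each released file, list builders that match its hash and those that diverge."""
    release = parse_sha256sums(release_manifest)
    parsed = {b: parse_sha256sums(m) for b, m in builder_manifests.items()}
    report = {}
    for name, expected in release.items():
        match = sorted(b for b, m in parsed.items() if m.get(name) == expected)
        diverge = sorted(b for b in parsed if b not in match)
        report[name] = {"match": match, "diverge": diverge}
    return report

if __name__ == "__main__":
    rel = make_sha256sums(RELEASE)
    bld = {b: make_sha256sums(f) for b, f in BUILDERS.items()}
    for name, r in check_convergence(rel, bld).items():
        print(name, "match:", r["match"], "diverge:", r["diverge"])
```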
This is really cool!
Very true