RFE: .NET's build is reproducible #4963

Open
@omajid

Description

Describe the Problem

Reproducible builds give a piece of software a useful set of security advantages:

  • Security and verification: It becomes possible to detect and deal with a whole new class of supply-chain attacks, including compromises of the build servers themselves, because anyone can rebuild from source and compare. It also becomes easier to verify artifacts such as SBOMs against what was actually shipped.
  • Increasing user trust: Users can verify that the binaries they have match the published sources, reducing the risk of backdoors and other vulnerabilities introduced between source and binary.
  • Auditing and compliance: It becomes easier to demonstrate that sources and binaries match for compliance purposes.

For more details, see https://en.wikipedia.org/wiki/Reproducible_builds and https://reproducible-builds.org/

Describe the Solution

It should be possible to build .NET in a way that the build can be reproduced by others. The general guidelines for making this happen are described at https://reproducible-builds.org/docs/commandments/.

It's okay to require some extra setup, such as an environment variable like SOURCE_DATE_EPOCH, to make this happen.

Ideally, this should be the default build configuration. But a custom configuration, or custom build flags that enable this behaviour, would be fine as a starting point (and maybe even as the end point, depending on the number and complexity of the flags required).
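The check this request implies but does not spell out is the one a packager runs: build twice under a pinned environment (SOURCE_DATE_EPOCH, TZ, locale, umask, as the reproducible-builds.org guidelines recommend) and compare the output trees. The script below is an added example, not code from this issue or from the .NET project. The two "build commands" are constructed stand-ins so it runs offline: one embeds wall-clock time and the process ID (a typical source of variation), the other derives its timestamp from SOURCE_DATE_EPOCH. The names `repro_check`, `hash_tree`, `sha256_of` and the `OUT` variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the .NET project): run a build twice
# in fresh output directories under a pinned environment and compare hashes.
set -eu

# Pin the knobs that commonly leak into build output. A fixed epoch is used
# here so the example runs offline; a real build would use the commit date.
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1700000000}"
export TZ=UTC
export LC_ALL=C
umask 022

# Portable SHA-256 of one file (GNU coreutils or Perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "hash  relative-path" for every regular file under $1, in a byte-wise
# stable order so the two listings are comparable line by line.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done )
}

# repro_check BUILD_CMD: run BUILD_CMD twice, each time with $OUT pointing at
# an empty output directory. Returns 0 if both trees hash identically, else
# prints the differing entries and returns 1.
repro_check() {
    build_cmd=$1
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    OUT="$work/a" sh -c "$build_cmd"
    OUT="$work/b" sh -c "$build_cmd"
    hash_tree "$work/a" > "$work/a.sha256"
    hash_tree "$work/b" > "$work/b.sha256"
    if cmp -s "$work/a.sha256" "$work/b.sha256"; then
        rm -rf "$work"
        return 0
    fi
    diff "$work/a.sha256" "$work/b.sha256" || true
    rm -rf "$work"
    return 1
}

# Constructed stand-ins for a real build (single-quoted so $OUT and
# $SOURCE_DATE_EPOCH expand inside the build, not here).
# BAD_BUILD stamps wall-clock time and its PID into the artifact: the two
# runs differ. GOOD_BUILD takes its timestamp from SOURCE_DATE_EPOCH.
BAD_BUILD='printf "built at %s by pid %s\n" "$(date +%s)" "$$" > "$OUT/app.txt"'
GOOD_BUILD='printf "built at %s\n" "$SOURCE_DATE_EPOCH" > "$OUT/app.txt"'

# Demo run; exit status 0 from repro_check means the two builds matched.
if repro_check "$GOOD_BUILD" >/dev/null; then
    echo "GOOD_BUILD: reproducible"
else
    echo "GOOD_BUILD: NOT reproducible"
fi
if repro_check "$BAD_BUILD" >/dev/null; then
    echo "BAD_BUILD: reproducible"
else
    echo "BAD_BUILD: NOT reproducible"
fi
```

For the real thing, pass the actual build as the command string, for example `repro_check 'dotnet build -c Release -o "$OUT"'` (`-o` is the SDK's output-directory option); which additional flags or properties are needed to make .NET's own build reproducible is exactly what this issue asks for and is not specified here. When the check fails, diffoscope from reproducible-builds.org gives a far more useful breakdown of where the two outputs diverge than the hash listing alone.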

Additional Context

Arch Linux: https://wiki.archlinux.org/title/Reproducible_builds

Debian: https://wiki.debian.org/ReproducibleBuilds

Fedora: https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds and https://lists.fedoraproject.org/archives/list/[email protected]/thread/3OGIBZWPBB43QEVDXPEHNYEYJWMRPJ4E/

Red Hat: https://access.redhat.com/blogs/766093/posts/1976033

Timing

The primary driver for this from our side is that Fedora is looking to start testing reproducible builds formally in 2025 (discussion). Fedora is going to report issues against software that doesn't comply with the reproducible-build guidelines by the end of 2025. Many other languages/runtimes, including Haskell, mingw and golang packages, are in the same position as .NET and are known to be non-reproducible at the moment. I don't expect Fedora to make reproducible builds a hard requirement in 2025.
