RFE: .NET's build is reproducible

[omajid]

Describe the Problem

Reproducible builds provide a very nice set of security advantages to a piece of software:

• Security and verification: It becomes possible to detect and deal with a whole new class of attacks in the supply chain - including on build servers. It becomes easier to verify items like SBOMs.
• Increasing user trust: Users can trust the binaries they have matches the sources, reducing risks of backdoors and other vulnerabilities.
• Auditing and Compliance: It becomes easier to verify that the sources and binaries match for compliance reasons.

For more details, see https://en.wikipedia.org/wiki/Reproducible_builds and https://reproducible-builds.org/

Describe the Solution

It should be possible to build .NET in a way that the build can be reproduced by others. The general guidelines for making this happen are described at https://reproducible-builds.org/docs/commandments/.

It's okay to requires some extra set up - such as an env var like SOURCE_DATE_EPOCH - to make this happen.

Ideally, this should be the default configuration of building. But a custom configuration, or custom build flags to enable this behaviour, would be fine as a starting point (and maybe even as end-point, depending on the number/complexity).

Additional Context

Arch Linux: https://wiki.archlinux.org/title/Reproducible_builds

Debian: https://wiki.debian.org/ReproducibleBuilds

Fedora: https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds and https://lists.fedoraproject.org/archives/list/[email protected]/thread/3OGIBZWPBB43QEVDXPEHNYEYJWMRPJ4E/

Red Hat: https://access.redhat.com/blogs/766093/posts/1976033

Timing

The primary driver for this from our side that Fedora is looking to start testing reproducible builds formally in 2025 (discussion). Fedora is going to report issues against software that doesn't comply with the reproducible-build guidelines by the end of 2025. Many other languages/runtimes - including Haskell, mingw and golang packages - are in the same position as .NET and are known to be non-reproducible at the moment. I don't expect Fedora to make reproducible builds a hard requirement in 2025.

[omajid]

I added a bit more context and details around timing, as suggested by @MichaelSimons

[akoeplinger]

One place I'm aware of which uses the current date is CreateDebPackage.cs#L33 and BuildFPMToolPreReqs.cs#L81, but I think you don't use these tasks right?

[MichaelSimons]

One place I'm aware of which uses the current date is CreateDebPackage.cs#L33 and BuildFPMToolPreReqs.cs#L81, but I think you don't use these tasks right?

Correct, linux package creation is outside the scope of source build and is something distro maintainers are responsible for creating. This documentation aims to ensure consistency in packaging across distros.

[omajid]

I am adding support for nupkg to diffoscope here: https://salsa.debian.org/reproducible-builds/diffoscope/-/merge_requests/151