Mostly for security, data integrity, and QA purposes, it ensures the same data can be rebuilt at any given time.
Let's say we have a recipe for a food that we really like and we want it to be the same all the time. We figured out the list of ingredients, we used it and it worked to our taste.
Two months later, we decided we want that food again. We followed the same recipe with the same ingredients and it turns out the food tasted wrong or bad.
What happened? The company that makes one of our ingredients has decided to swap it out for a cheaper version without telling anyone (like a different sugar alcohol or a smaller ratio was used). Our recipe is no longer reproducible: the list is exactly the same, but some parts of it have changed without our intervention.
The same thing applies when building software: we want to make sure the dependencies, CICD system tooling, terminal, etc. all match exactly, down to the last bit, so that we can always reproduce it to be the same.
One use case of this is if we need to do a hotfix off a stable version and our CICD system has rotated out of the old cache, so we need to rebuild with the same dependencies. But some companies may have changed some things in very subtle ways that we didn't know about, which means we can easily introduce unintentional regressions without changing anything, despite us using a trusted/tested branch that was deployed in the past.
We saw this in the past when we had exactly the same code, rebuilt the release to test something, and for some odd reason we were seeing regressions despite not changing a single thing. It turned out that our CICD's compiler had been updated, which had changed some of the behaviors when compiling the same code. That is something which, for security reasons, you do not want changed on you.
So, for security and quality purposes, it is important to have reproducible build systems that we can have confidence in.
Reproducibility does not necessarily require having perfectly matching bits.
To me it seems like md5sum is not the best program to check if two bundles are equivalent. In this case going for bit-for-bit reproducibility does not seem to have much of a practical benefit.
> Reproducibility does not necessarily require having perfectly matching bits.
https://en.wikipedia.org/wiki/Reproducible_builds: "Reproducible builds, also known as deterministic compilation, is a process of compiling software which ensures the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always output the same binary."
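An added example, not posted by anyone in this thread, that makes the two notions above concrete: a whole-bundle hash (the md5sum-style check) versus a per-member content comparison that ignores tar metadata such as mtime. The bundles and their file contents are constructed sample data; the function names are my own.

```python
import hashlib
import io
import tarfile


def build_bundle(contents: dict, mtime: int) -> bytes:
    """Constructed sample 'build output': pack files into an uncompressed tar.
    The mtime stamped into each header stands in for build-time noise."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(contents.items()):  # sorted for determinism
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def bundle_digest(blob: bytes) -> str:
    """Bit-for-bit check: hash of the entire archive, headers included."""
    return hashlib.sha256(blob).hexdigest()


def content_digests(blob: bytes) -> dict:
    """Per-member SHA-256 of file contents only; tar metadata is ignored."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare_bundles(a: bytes, b: bytes) -> dict:
    """Report both verdicts plus the members whose contents actually differ."""
    da, db = content_digests(a), content_digests(b)
    differing = sorted(n for n in set(da) | set(db) if da.get(n) != db.get(n))
    return {"bit_for_bit": bundle_digest(a) == bundle_digest(b),
            "content_equal": not differing,
            "differing_members": differing}


# Constructed sample data: two rebuilds of the same inputs at different times,
# and a third build where a dependency silently changed.
FILES = {"bin/app": b"\x7fELF app v1", "lib/helper.so": b"\x7fELF helper 1.2.0"}
RUN1 = build_bundle(FILES, 1700000000)
RUN2 = build_bundle(FILES, 1700003600)
RUN3 = build_bundle({**FILES, "lib/helper.so": b"\x7fELF helper 1.2.1"}, 1700000000)

if __name__ == "__main__":
    print("same inputs, later build:", compare_bundles(RUN1, RUN2))
    print("changed dependency:      ", compare_bundles(RUN1, RUN3))
```

RUN1 vs RUN2 fails the whole-archive hash but passes the content check, which is the gap the md5sum remark points at; RUN1 vs RUN3 fails both and names the member that drifted.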