With Go 1.21, the Go toolchain itself became perfectly reproducible: the same source produces bit-for-bit identical toolchain binaries. Read this post to understand why that matters and why you should care.

Ensuring the Go Tool Chain is Verifiable and Reproducible


The Go team has been on fire recently, and yesterday they published a blog post titled Perfectly Reproducible, Verified Go Toolchains.

Here are the highlights in bite-sized format:

  • Software is usually distributed as binaries, which are hard to inspect: you cannot easily tell whether a binary really corresponds to the source code it claims to be built from.

  • We want to protect our software from supply chain attacks, where something upstream of our project (a dependency, or the compiler and toolchain used to build it) is tampered with, so the binary we ship no longer matches what the source says. Reproducible builds are a strong defense: if anyone can rebuild from the same source and get a bit-for-bit identical binary, a tampered binary is detected by comparison instead of having to be taken on trust.
  [Image: an example supply chain]

  • Go 1.21 is the first Go release whose toolchain is perfectly reproducible: start from the same toolchain source code and you get exactly the same toolchain binaries out, no matter which host OS, architecture, or directory you build on.

It's not enough to just claim builds are reproducible; you need to be able to prove it. The team therefore built gorebuild, a tool that starts from the source code in the Go Git repository, rebuilds the current Go releases, and checks that the resulting archives match byte for byte the ones posted at https://go.dev/dl. Anyone can run it, so the claim is independently verifiable rather than something you take the Go team's word for.
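The verification loop described above, done by hand, as an added example that is not code from the Go blog post or from gorebuild itself: fetch a release archive and its published SHA-256 from https://go.dev/dl/, compare the digests, and optionally hand off to gorebuild for the full from-source rebuild. It assumes curl and either sha256sum or shasum are on the path, and that gorebuild is installed from the module path golang.org/x/build/cmd/gorebuild (an assumption; confirm the current invocation against the Go blog post or the x/build repository before relying on it).

```shell
#!/usr/bin/env sh
# Added example: verify a downloaded Go toolchain archive against its published
# SHA-256, and optionally rebuild from source with gorebuild. Not part of the
# Go project's own tooling.
#
# Usage (after sourcing this file):
#   download_and_verify go1.21.0 linux amd64   # needs network
#   rebuild_and_verify                          # needs Go, git, network; slow

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
# Uses sha256sum (coreutils) when present, otherwise shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive FILE EXPECTED_HEX: exit 0 if FILE's digest equals EXPECTED_HEX
# (case-insensitive, surrounding whitespace ignored), 1 otherwise.
# This is the same bit-for-bit comparison gorebuild makes, reduced to one file.
verify_archive() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n\r\t')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: $1"
  echo "  expected $expected"
  echo "  got      $actual"
  return 1
}

# download_and_verify VERSION GOOS GOARCH: fetch VERSION.GOOS-GOARCH.tar.gz and
# its .sha256 companion from go.dev/dl and compare them. Network required.
download_and_verify() {
  archive="$1.$2-$3.tar.gz"
  curl -fsSLO "https://go.dev/dl/$archive" || return 1
  expected=$(curl -fsSL "https://go.dev/dl/$archive.sha256") || return 1
  verify_archive "$archive" "$expected"
}

# rebuild_and_verify: rebuild the current releases from the Go Git repository
# and check them against go.dev/dl. The module path is an assumption; see the
# lead-in. Needs a Go toolchain, git and network access, and takes a while.
rebuild_and_verify() {
  go run golang.org/x/build/cmd/gorebuild@latest
}
```

The checksum step only proves that what you downloaded is what the Go team published; the gorebuild step is what proves the published archive is what the source produces. Both are needed to close the loop from source to the binary on your machine.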

The original post goes into a lot more detail about how they implemented this and some of the challenges they faced, so be sure to check it out here.