Rebuilderd - An Independent Binary Package Verification System for Arch Linux


Recently the launch of ”Rebuilderd” was announced which is positioned as an independent verification system for binary packages which allows to organize the verification of the packages of a distribution by implementing a running build process that compares the downloadable packages with the packages received as a result of the rebuild on the local system.

In other words, this system provides a service that monitors the status of the packet index and automatically start rebuilding new packages in the reference environment, whose state is synchronized with the environment settings Arch Linux main build package.

When compiling again, nuances such as the exact correspondence of the dependencies are taken into account, the use of compositions and unchanged versions of the build tools, the identical set of options and default settings, and the preservation of the file assembly order (using the same sorting methods).

The build process settings exclude the compiler from adding inconsistent overview information such as random values, links to file paths, and data about the compilation date and time.

About Rebuilderd

Currently only experimental support is available for checking Arch Linux packages with rebuilderd, but plans to add Debian support soon.

Currently, repeatable builds are provided for 84.1% of packages from the main Arch Linux repository, he 83.8% from the extras repository and 76.9% from the community repository. For comparison, in Debian 10 this figure is 94,1%.

Whereas, builds are an important part of security as they allow you to give any user the opportunity to ensure that the byte-for-byte packages offered by the distribution package match those personally compiled from source.

Without the ability to verify the identity of the compiled binary, the user can only blindly trust someone else's build infrastructure, compromising the compiler or compilation tools where it can lead to hidden marker substitution.

Installation and execution

In the simplest case, to run rebuilderd it is enough to install the rebuilderd package from the normal repository, import the GPG key to verify the environment and activate the corresponding system service. It is possible to implement a network of multiple rebuilt instances.

To install, we must open a terminal and in it we type the following command:

sudo pacman -S rebuilderd

Done this, now we must import the GPG key, since Rebuilderd must verify the Arch Linux boot image, for this in the terminal we will have to type the following command:

gpg --auto-key-locate nodefault,wkd --locate-keys

After this we have to add our user to the Rebuilderd group, since we may receive an error:

usermod -aG rebuilderd $USER

Now we simply have to verify that Rebuilderd is already running about the system, for this, we just have to type:

rebuildctl status

And in case we want to share results on the network, we have to type:

systemctl enable –now rebuilderd rebuilderd-worker @ alpha

Now it is important to take into account that Rebuilderd will not come into action until it is explicitly specified from where the system packages are synchronized, for this we have to modify the /etc/rebuilderd-sync.conf file where the synchronization profiles are configured and that profile names are unique:

An example of this is the following:

## rebuild all of core
[profile."archlinux-core"] distro = "archlinux"
suite = "core"
architecture = "x86_64"
source = ""

## rebuild community packages of specific maintainers
#[profile."archlinux-community"] #distro = "archlinux"
#suite = "community"
#architecture = "x86_64"
#source = ""
#maintainer = ["somebody"]

Once the file has been modified, you simply have to enable the timer to automatically synchronize the profile:

systemctl enable --now rebuilderd-sync@archlinux-core.timer

Finally if you want to know more about Rebuilderd, they should know that it is written in Rust and is distributed under the GPLv3 license and you can check all its details and the code In the following link.

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.