Hi all, some time ago @lynxis worked to make squashed firmware images reproducible. Here is the commit which results in a deterministic mksquashfs tool.
I'd very much like to see this being adopted upstream! It would allow to verify community builds and hopefully increase trust in tools like the Online ImageBuilder.
Please don't mistake me as one of the trolls that popped up in this forum lately.
Hi @aparcar
I see your point, but being reproducible doesn't guarantee that the image can be trusted only that an audit can reproduce an image.
The initial trust problem hasn't been resolved, Because either a user needs to trust the auditor more than the builder or the user needs to become the auditor in which case the initial build becomes redundant since the user now has their own build,
So where does the initial trust come from? I'm not gonna parse through all the code of OpenWrt but trust their core devs, as most people do. This includes the package sources, therefore any custom community image which only consists of trusted packages should be reproducible and therefore trusted.
Anyone can post these images, anyone else can verify the images are actually the output of what the created claims. Posters eventually have some kind of reputation. Done?
Apart from that, reproducible builds would even be fine to check the images posted on openwrt.org
This is where trusts comes from, by the way I am not against your suggestion, just commenting.
I'm with @aparcar here. A full reproducible build will be great, as it will increase the validation process, and the trolls will have one less argument 
Being reproducible is useful when developing too, I've used it with U-Boot to migrate some #define to Kconfig and prove that the binary was not affected by the migration of build options.
@aparcar, @mbo2o do you know of any other (core) package that require modifications to make it reproducible?