> Repeatable, provable builds are, I understand, a recent phenomenon. Use a different compiler, or different flags, and you get different binaries.
You are right that I overstated my case somewhat. You are not guaranteed to get the exact same binary even with the exact same build system, and reproducing the exact same build system decades later may not be easy.
However, using the same version of the same compiler with the same flags, you'll get very close to the same binary even without repeatable builds. Not exactly the same – some binaries embed compilation timestamps, sometimes compilers have a bit of non-determinism in their processing. People who want repeatable builds for security need to produce exactly the same binary. For a copyright lawsuit, you don't need the exact same binary, just a binary which is as close as possible – expert human analysis will compare the two binaries and their disassembly in order to demonstrate copying. (So, while ideally you'd have the exact same compiler version, even if you don't, it can still work – the binary doesn't have to be exactly the same, just close enough that a human expert can determine that it is more likely than not produced from the same source code). The whole point of repeatable builds is you don't need an expert forensic analysis to determine that the two binaries are compiled from the same source, you just compare the hashes.
> the burden of proof still lies with the alleged copyright holder of a work, who certified in their internal processes, does not exist anymore.
Microsoft will pay an expert witness a lot of money to perform a forensic analysis of the distributed source code and compare it to the surviving Windows 3.0 binaries. That expert witness will testify the copying occurred. It is up to the defendant to find their own expert witness to testify to the opposite. If they do so, it then comes down to which expert witness the judge and/or jury finds more convincing.
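To make the hash-versus-near-match distinction in the comment above concrete, here is an added example (not part of the original comment). It assumes a constructed byte layout with a 4-byte build timestamp at a fixed offset, and all function names are hypothetical. Two builds of identical "code" fail a plain hash comparison, but the difference is confined to the timestamp field, while a one-byte change in the code is not.

```python
import hashlib
import struct

TS_RANGE = (8, 12)  # constructed layout: 4-byte little-endian build timestamp

def fake_build(build_time: int, code: bytes = bytes(range(256)) * 4) -> bytes:
    """Constructed stand-in for a compiler output; not a real executable format."""
    return b"CONSTRCT" + struct.pack("<I", build_time) + code

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_ranges(a: bytes, b: bytes):
    """Return [start, end) offset ranges where two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length; compare per section instead")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def normalized_hash(data: bytes, masked) -> str:
    """Hash the image with known non-deterministic fields zeroed out."""
    buf = bytearray(data)
    for s, e in masked:
        buf[s:e] = bytes(e - s)
    return sha256(bytes(buf))

def compare(a: bytes, b: bytes, allowed) -> str:
    """'identical', 'explained' (diffs only in allowed fields) or 'unexplained'."""
    if sha256(a) == sha256(b):
        return "identical"
    inside = lambda s, e: any(s >= lo and e <= hi for lo, hi in allowed)
    return "explained" if all(inside(s, e) for s, e in diff_ranges(a, b)) else "unexplained"

if __name__ == "__main__":
    a, b = fake_build(0x11111111), fake_build(0x22222222)
    print(compare(a, b, [TS_RANGE]), diff_ranges(a, b))
```

A reproducible build removes the need for the allow-list entirely, for example by pinning the embedded timestamp, so the plain hash comparison is enough.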