They use a Mac to compare the Ubuntu Go package to a self-compliled go from source:
"Now we can diff the Go toolchain we’ve created on our Mac with the Go toolchain that Ubuntu ships:" [..]
"We’ve successfully reproduced the Ubuntu package’s executables" [..]
"Note in particular that we’ve reconstructed the toolchain binaries bit-for-bit: they do not show up in the diff at all. That is, we proved that the Ubuntu Go binaries correspond exactly to the upstream Go sources."
Also, for your own programs:
"For Go programs that don’t need cgo, a reproducible build is as simple as compiling with CGO_ENABLED=0 go build -trimpath. Disabling cgo removes the host C toolchain as a relevant input, and -trimpath removes the current directory"
"Now we can diff the Go toolchain we’ve created on our Mac with the Go toolchain that Ubuntu ships:" [..]
"We’ve successfully reproduced the Ubuntu package’s executables" [..]
"Note in particular that we’ve reconstructed the toolchain binaries bit-for-bit: they do not show up in the diff at all. That is, we proved that the Ubuntu Go binaries correspond exactly to the upstream Go sources."
Also, for your own programs:
"For Go programs that don’t need cgo, a reproducible build is as simple as compiling with CGO_ENABLED=0 go build -trimpath. Disabling cgo removes the host C toolchain as a relevant input, and -trimpath removes the current directory"