Software distributions that take reproducible builds seriously are currently shipping well over 90% reproducible packages.
That a package builds bit-by-bit reproducibly however is not enough to guarantee Freedom 1. There is another factor that is often overlooked: opaque ascii or binary seeds that are injected during build time. Yes, a package may build reproduciblly from all inspectable sourcess...but what functionality is programmed in the opaque seed?
Possibly one of the most harmless, but certainly by far the biggest binary seed that all software distributions inject are the so called bootstrap binary seed. Bootstrap binaries are the initial binary seeds that are used to start building the distribution.
The GNU Guix operating system, version 1.0 had a relatively small closure of bootstrap binary seed: GNU binutils, GNU gcc, GNU Libc, GNU Guile, and “Static binaries” (think: bash, bzip2, coreutils, gawk, grep, gzip, patch, sed, tar, xz).
$ du -schx $(readlink $(guix build bootstrap-tarballs)/*) 2.1M /gnu/store/9623n4bq6iq5c8cwwdq99qb7d0xj93ym-binutils-static-stripped-tarball-2.28.1/binutils-static-stripped-2.28.1-x86_64-linux.tar.xz 18M /gnu/store/437xwygmmwwpkddcyy1qvjcv4hak89pb-gcc-stripped-tarball-5.5.0/gcc-stripped-5.5.0-x86_64-linux.tar.xz 1.8M /gnu/store/55ccx18a0d1x5y6a575jf1yr0ywizvdg-glibc-stripped-tarball-2.26.105-g0890d5379c/glibc-stripped-2.26.105-g0890d5379c-x86_64-linux.tar.xz 5.7M /gnu/store/bqf0ajclbvnbm0a46819f30804y3ilx0-guile-static-stripped-tarball-2.2.3/guile-static-stripped-2.2.3-x86_64-linux.tar.xz 5.8M /gnu/store/j8yzjmh9sy4gbdfwjrhw46zca43aah6x-static-binaries-tarball-0/static-binaries-0-x86_64-linux.tar.xz 33M total
only a 33MB download that unpacks to a 252MB seed of opaque binary code.
$ for i in $(readlink $(guix build bootstrap-tarballs)/*);\ do sudo tar xf $i; done $ du -schx * 130M bin 13M include 54M lib 51M libexec 5.2M share 252M total
During the Guix 1.1 development series we managed to create the first reduction by 50% of the Guix bootstrap binary seed7. This was a very important step because the ~250MB seed of binary code was practically non-auditable, which makes it hard to establish what source code produced them.