Go、日次の再現ビルド報告で1.26.4の検証結果を公開

Go's official "Go Reproducible Build Report" page was updated on June 7 and showed that the distributed Go 1.26.4 artifacts were verified. The page lists public downloads side by side with rebuild results.

According to the page, the report reflects a daily `gorebuild` run inside an Ubuntu VM. It also publishes the procedure, including `git`, `msitools`, and `go run golang.org/x/build/cmd/gorebuild@latest -p=4`, showing a four-way parallel build setup.

In the June 7 update, the go1.26.4 log is shown from start to finish and ends with a PASS. The overall run took 2 hours and 26 minutes, and the various archives were verified in sequence.

The log also records a practical failure path: fetching the canonical Go source hit an HTTP 429, waited five minutes, and then switched to `git clone`. That makes the page more operationally useful than a simple success announcement.

The Go blog explains that reproducibility is important because supply-chain attacks are harder to hide when anyone can rebuild the same source and compare binaries. Since Go 1.21, the project says its published toolchains are designed so anyone can verify them.

The same blog says Go distributions are built separately on trusted Linux/x86-64 and Windows/x86-64 systems, and a release does not proceed unless the artifacts match bit for bit. The daily report can be read as a way to make that philosophy externally traceable.

For developers, the report shifts trust in the language distribution away from gut feeling and toward something verifiable. Its value is especially high for organizations that treat dependency and runtime audits seriously.

This update matters because Go is not only declaring reproducibility, but exposing it as a daily operational record. For companies adopting Go and for platform engineers, it adds another concrete artifact for observing how the language distribution pipeline is handled.