Introducing: Semantically reproducible builds

David A. Wheeler dwheeler at dwheeler.com
Tue May 30 20:49:29 UTC 2023


> On May 30, 2023, at 10:51 AM, David A. Wheeler <dwheeler at dwheeler.com> wrote:
> I'll file an issue with OSSGadget <https://github.com/microsoft/OSSGadget/>
> to propose that they rename "semantically reproducible build" to "semi-reproducible build",
> but I can't guarantee that they'll change the name. Since it's their OSS project,
> they get to name what they do.

FYI, I posted the issue here: https://github.com/microsoft/OSSGadget/issues/426

*Nobody* wants confusion. They're currently thinking of switching to the term
"semantically equivalent build" or something similar. If you recall, originally they
were calling it "reproducible builds" & I asked them to change it to *something* else.
If they can find a better name that doesn't encroach on reproducible-builds,
they'd probably be fine with that alternative too.
You can see the details on the issue. Hopefully that will resolve things!!

For context, the survey "SLSA++: A Survey of Supply Chain Security Practices and Beliefs"
(published 2023, survey was done in 2022) has info on reproducible builds:
https://uploads-ssl.webflow.com/6228fdbc6c97145dad2a9c2b/640b6a455617000890bd79ba_SLSA%2B%2BWhitepaper_Design_Final.pdf
In particular, reproducible builds were considered much more difficult than the other practices surveyed;
over 50% of respondents stated that this practice was either extremely difficult or very difficult.
As a result, the newly announced "SLSA version 1.0" only specified build levels 1-3.
Level 4, which originally had hermetic builds & optional reproducible builds, was intentionally
left out to allow more time to discuss "what should higher levels require".

As I posted earlier, I *want* reproducible builds. But I also want reasonable backoff
strategies when reproducible builds aren't available to users and/or the builders
are unwilling to take the steps necessary to achieve them.

--- David A. Wheeler
