[rb-general] Definition of "reproducible build"
Holger Levsen
holger at layer-acht.org
Thu Feb 14 13:54:58 CET 2019
Hi John,
On Mon, Jan 28, 2019 at 11:18:43PM -0800, John Gilmore wrote:
> Ludovic Courtès <ludo at gnu.org> wrote:
> > I agree that insisting on provenance is crucial. Dockerfiles (and similar) are often viewed as “source”, but they really aren’t source: the actual source would come with the distros they refer to (Debian, pip, etc.)
> > Those distros might in turn refer to external pre-built binaries, though, such as “bootstrap binaries” for compilers (Rust, OpenJDK, and so on.)
>
> I propose a definition for whether a bootable OS distro is reproducible.
> (If what you're building is not a whole distro that can self-compile,
> this definition doesn't apply.)
>
> Our initial goal would be to produce a bootable binary release (DVD or
> USB stick) and a source release (ditto). The source release would
> include the script that allows the binary release to recompile the
> source release to a new binary release that ends up bit-for-bit
> identical. Such a binary/source release pair would be called
> "reproducible".
I like the idea, however what you are proposing is basically a new
distro/fork, where you would remove all unreproducible packages, as
every distro still has some unreproducible bits.
(I'm not opposed to creating yet another distro/fork, I just wanted to
point that out.)
It definitely would be a good prototype, for others to learn from.
--
tschau,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C