[rb-general] Definition of "reproducible build"
Marvin Humphrey
marvin at rectangular.com
Tue Jan 22 00:10:44 CET 2019
Greetings,
Over on the legal-discuss list at the Apache Software Foundation, we are
currently discussing reproducible builds.
https://markmail.org/message/k7ldwepd3ph2qxsp
If anyone would like to participate in the discussion, you can subscribe
by sending an email to: legal-discuss-subscribe at apache.org
The history of binary packages at the ASF is long and fraught. The
Foundation only officially endorses pure source code packages; what is
being considered is whether the ASF should give its official imprimatur
to binary releases and whether such binary release packages should be
required to be the result of a reproducible build.
For a while now, I've been contemplating what a patch to the ASF's
Release Policy[1] requiring reproducibility ought to look like. In some
ways it would be nice if you folks could serve as a steward for the
definition of "reproducible build", similar to how the Open Source
Initiative maintains the Open Source Definition[2], so that an external
policy document could reference it.
You currently have a definitions page[3] which is nice and easy to
understand. A couple of comments:
1. The current definition would be a bit awkward to reference in an
official document or policy because it is neither frozen nor
versioned.
2. Hoovering up the build environment into a Docker container or
similar might be enough to produce "reproducible" results, but
without provenance information for the "relevant attributes of the
build environment", the benefits are diminished. ("Does the all-new
opaque build environment for release X.Y.Z contain a trojan?")
Assuming that keeping the generality of the official definition is
important to you, can you suggest any options for downstream
"authors or distributors" to tighten that up?
Marvin Humphrey
[1] https://apache.org/legal/release-policy
[2] https://opensource.org/osd
[3] https://reproducible-builds.org/docs/definition