[rb-general] Definition of "reproducible build"
marvin at rectangular.com
Tue Jan 22 00:10:44 CET 2019
Over on the legal-discuss list at the Apache Software Foundation, we are
currently discussing reproducible builds.
If anyone would like to participate in the discussion, you can subscribe
by sending an email to: legal-discuss-subscribe at apache.org
The history of binary packages at the ASF is long and fraught. The
Foundation only officially endorses pure source code packages; what is
being considered is whether the ASF should give its official imprimatur
to binary releases and whether such binary release packages should be
required to be the result of a reproducible build.
For a while now, I've been contemplating what a patch to the ASF's
Release Policy requiring reproducibility ought to look like. In some
ways it would be nice if you folks could serve as a steward for the
definition of "reproducible build", similar to how the Open Source
Initiative maintains the Open Source Definition, so that an external
policy document could reference it.
You currently have a definitions page which is nice and easy to
understand. A couple of comments:
1. The current definition would be a bit awkward to reference in an
official document or policy because it is not either frozen or
2. Hoovering up the build environment into a Docker container or
similar might be enough to produce "reproducible" results, but
without provenance information for the "relevant attributes of the
build environment", the benefits are diminished. ("Does the all-new
opaque build environment for release X.Y.Z contain a trojan?")
Assuming that keeping the generality of the official definition is
important to you, can you suggest any options for downstream
"authors or distributors" to tighten that up?
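The distinction raised in point 2 above, that a bit-for-bit identical output says nothing about the environment that produced it unless the "relevant attributes" are recorded and checkable, can be made concrete with a small buildinfo-style record. The following is an added example, not code from this message or from the Reproducible Builds project: it assumes a toy `toy_build` stand-in for a compiler, a hypothetical record layout with `source_sha256`, `toolchain_sha256`, `environment` and `output_sha256` fields, and constructed sample bytes for the source, a trusted compiler and an unknown compiler. The point it shows is that two builds can match on output while one of them ran with a toolchain that no trusted list vouches for.

```python
"""Toy illustration (constructed example): reproducible output alone versus
reproducible output plus a provenance record of the build environment."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes) -> bytes:
    """Stand-in for a compiler: deterministic, so any environment that runs it
    produces the same bytes. This models 'the output reproduced'."""
    return b"BIN:" + sha256_hex(source).encode()


def make_buildinfo(source: bytes, toolchain: dict, env: dict, output: bytes) -> dict:
    """Record the attributes of a build: source hash, hash of every toolchain
    binary, the environment variables that matter, and the output hash.
    (Hypothetical layout, loosely modelled on a .buildinfo file.)"""
    return {
        "source_sha256": sha256_hex(source),
        "toolchain_sha256": {name: sha256_hex(blob) for name, blob in sorted(toolchain.items())},
        "environment": dict(sorted(env.items())),
        "output_sha256": sha256_hex(output),
    }


def outputs_match(a: dict, b: dict) -> bool:
    """True when both records describe bit-for-bit identical output."""
    return a["output_sha256"] == b["output_sha256"]


def environment_differences(a: dict, b: dict) -> list:
    """List which recorded environment attributes differ between two builds."""
    diffs = []
    for tool in sorted(set(a["toolchain_sha256"]) | set(b["toolchain_sha256"])):
        if a["toolchain_sha256"].get(tool) != b["toolchain_sha256"].get(tool):
            diffs.append(f"toolchain:{tool}")
    for key in sorted(set(a["environment"]) | set(b["environment"])):
        if a["environment"].get(key) != b["environment"].get(key):
            diffs.append(f"env:{key}")
    return diffs


def untrusted_tools(info: dict, trusted_tool_hashes: dict) -> list:
    """Tools in the record whose hash is not on the caller's trusted list.
    This is the check an opaque container image cannot answer by itself."""
    return [tool for tool, digest in info["toolchain_sha256"].items()
            if trusted_tool_hashes.get(tool) != digest]


# --- constructed sample data -------------------------------------------------
SOURCE = b"int main(void) { return 0; }\n"
TRUSTED_CC = b"constructed bytes standing in for a known-good compiler binary"
UNKNOWN_CC = b"constructed bytes standing in for a compiler of unknown origin"
ENV = {"SOURCE_DATE_EPOCH": "1548111044", "LC_ALL": "C"}

# The trusted list a verifier would publish alongside a release.
TRUSTED_TOOL_HASHES = {"cc": sha256_hex(TRUSTED_CC)}

# Build A: the release builder, with an attested toolchain.
BUILD_A = make_buildinfo(SOURCE, {"cc": TRUSTED_CC}, ENV, toy_build(SOURCE))
# Build B: an opaque container image that happens to reproduce the output.
BUILD_B = make_buildinfo(SOURCE, {"cc": UNKNOWN_CC}, ENV, toy_build(SOURCE))

if __name__ == "__main__":
    print("outputs match:", outputs_match(BUILD_A, BUILD_B))
    print("environment differences:", environment_differences(BUILD_A, BUILD_B))
    print("untrusted tools in build B:", untrusted_tools(BUILD_B, TRUSTED_TOOL_HASHES))
```

Run as written, build B reproduces build A's output exactly, yet the records disagree on the `cc` hash and build B's compiler is absent from the trusted list. Without the record, a policy that only asks "did the bytes match?" would accept build B; with it, a downstream distributor can require that every recorded toolchain hash be on a published trusted list, which is one way to tighten the general definition without changing it.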