[rb-general] Definition of "reproducible build"
holger at layer-acht.org
Fri Jan 25 02:17:45 CET 2019
thanks for reaching out to us reproducible-builds.org folks!
On Mon, Jan 21, 2019 at 03:10:44PM -0800, Marvin Humphrey wrote:
> Over on the legal-discuss list at the Apache Software Foundation, we are
> currently discussing reproducible builds.
yup, David Wheeler also has pointed us to that thread. Exciting!
> If anyone would like to participate in the discussion, you can subscribe
> by sending an email to: legal-discuss-subscribe at apache.org
I fear I cannot commit to yet another mailing list. But please do feel
free to cc: me on any mail on this topic you find relevant!
> The history of binary packages at the ASF is long and fraught. The
> Foundation only officially endorses pure source code packages; what is
> being considered is whether the ASF should give its official imprimatur
> to binary releases and whether such binary release packages should be
> required to be the result of a reproducible build.
> For a while now, I've been contemplating what a patch to the ASF's
> Release Policy requiring reproducibility ought to look like. In some
> ways it would be nice if you folks could serve as a steward for the
> definition of "reproducible build", similar to how the Open Source
> Initiative maintains the Open Source Definition, so that an external
> policy document could reference it.
Thanks. A lot! :)
> You currently have a definitions page which is nice and easy to
> understand. A couple of comments:
thanks! also for the comments!
> 1. The current definition would be a bit awkward to reference in an
> official document or policy because it is not either frozen or
excellent idea, I've recorded it at
> 2. Hoovering up the build environment into a Docker container or
> similar might be enough to produce "reproducible" results, but
> without provenance information for the "relevant attributes of the
> build environment", the benefits are diminished. ("Does the all-new
> opaque build environment for release X.Y.Z contain a trojan?")
> Assuming that keeping the generality of the official definition is
> important to you, can you suggest any options for downstream
> "authors or distributors" to tighten that up?
not really. I believe https://bugs.debian.org/844431 has some more thoughts on
this issue though.
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C