[rb-general] Definition of "reproducible build"

Holger Levsen holger at layer-acht.org
Fri Jan 25 02:17:45 CET 2019

Hi Marvin,

thanks for reaching out to us reproducible-builds.org folks!

On Mon, Jan 21, 2019 at 03:10:44PM -0800, Marvin Humphrey wrote:
> Over on the legal-discuss list at the Apache Software Foundation, we are
> currently discussing reproducible builds.
>     https://markmail.org/message/k7ldwepd3ph2qxsp

yup, David Wheeler also has pointed us to that thread. Exciting!

> If anyone would like to participate in the discussion, you can subscribe
> by sending an email to: legal-discuss-subscribe at apache.org

I fear I cannot commit to yet another mailing list. But please do feel
free to cc: me on any mail on this topic you find relevant!

> The history of binary packages at the ASF is long and fraught.  The
> Foundation only officially endorses pure source code packages; what is
> being considered is whether the ASF should give its official imprimatur
> to binary releases and whether such binary release packages should be
> required to be the result of a reproducible build.
> For a while now, I've been contemplating what a patch to the ASF's
> Release Policy[1] requiring reproducibility ought to look like.  In some
> ways it would be nice if you folks could serve as a steward for the
> definition of "reproducible build", similar to how the Open Source
> Initiative maintains the Open Source Definition[2], so that an external
> policy document could reference it.

Thanks. A lot! :)

> You currently have a definitions page[3] which is nice and easy to
> understand.  A couple of comments:

thanks! also for the comments!

> 1.  The current definition would be a bit awkward to reference in an
>     official document or policy because it is not either frozen or
>     versioned.

excellent idea, I've recorded it at

> 2.  Hoovering up the build environment into a Docker container or
>     similar might be enough to produce "reproducible" results, but
>     without provenance information for the "relevant attributes of the
>     build environment", the benefits are diminished. ("Does the all-new
>     opaque build environment for release X.Y.Z contain a trojan?")
>     Assuming that keeping the generality of the official definition is
>     important to you, can you suggest any options for downstream
>     "authors or distributors" to tighten that up?

not really. I believe https://bugs.debian.org/844431 has some more thoughts on
this issue though.


       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
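The concern quoted above, that an opaque build environment can yield matching bits without saying what those bits depended on, is illustrated by the following added example. It is not code from this mail, from reproducible-builds.org or from the ASF: a toy build is run twice in two fresh scratch directories; the deliberately broken variant embeds the wall clock and the absolute build path, so the two artifacts differ, while the fixed variant takes its timestamp from SOURCE_DATE_EPOCH and records no path-dependent data, so they match. Next to every artifact a buildinfo-style record of the environment attributes is written, loosely modelled on a Debian .buildinfo; the field set, the source input and the epoch value are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original mail, the ASF or reproducible-builds.org):
# a toy build run twice in two different scratch directories, with and without
# the classic sources of unreproducibility, plus a buildinfo-style record of the
# "relevant attributes of the build environment". Field names, the sample source
# and the SOURCE_DATE_EPOCH value are constructed for illustration.
set -eu

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Deliberately unreproducible: stamps the wall clock and the absolute build
# path into the output, so two builds differ even from identical sources.
broken_build() {            # $1 = source file, $2 = output file
    { cat "$1"; echo "built-at: $(date +%s)"; echo "built-in: $(pwd)"; } > "$2"
}

# Fixed: timestamp comes from SOURCE_DATE_EPOCH, path is recorded only relative
# to the build root, so the bytes depend on the source and the recorded
# environment attributes alone.
fixed_build() {             # $1 = source file, $2 = output file
    { cat "$1"; echo "built-at: ${SOURCE_DATE_EPOCH}"; echo "built-in: ."; } > "$2"
}

# Record the environment attributes the build ran under, next to the artifact.
# Loosely modelled on a Debian .buildinfo; the exact field set is an assumption.
write_buildinfo() {         # $1 = artifact, $2 = buildinfo output
    {
        echo "Artifact: $(basename "$1")"
        echo "Checksums-Sha256: $(sha256 "$1")"
        echo "Build-Path: $(pwd)"
        echo "SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH:-unset}"
        echo "Environment: LC_ALL=${LC_ALL:-unset} TZ=${TZ:-unset} umask=$(umask)"
        echo "Kernel: $(uname -sr)"
    } > "$2"
}

# Run one build variant in its own fresh directory; prints the artifact's hash.
build_once() {              # $1 = build function name, $2 = source file
    work=$(mktemp -d)
    cp "$2" "$work/src.txt"
    ( cd "$work" && "$1" src.txt out.bin && write_buildinfo out.bin out.buildinfo )
    sha256 "$work/out.bin"
}

# Build twice, independently, and report whether the artifacts are bit-for-bit
# identical: "same" means reproducible under the recorded attributes.
check_reproducible() {      # $1 = build function name; prints "same" or "differ"
    src=$(mktemp)
    printf 'hello, reproducible world\n' > "$src"   # constructed source input
    a=$(build_once "$1" "$src")
    b=$(build_once "$1" "$src")
    if [ "$a" = "$b" ]; then echo same; else echo differ; fi
}

# Pin the attributes a verifier would need to reproduce the result later.
export SOURCE_DATE_EPOCH=1548379065   # constructed: this mail's date as epoch seconds
export LC_ALL=C TZ=UTC
umask 022

echo "broken build: $(check_reproducible broken_build)"   # differ
echo "fixed build:  $(check_reproducible fixed_build)"    # same
```

The point of the second file is the one raised in the quoted comment: two independent rebuilds that agree on the hash tell you the artifact is a function of the source plus whatever the buildinfo lists, and nothing else. If a rebuild on a second machine disagrees, the two buildinfo records show which attribute differed, which is exactly what an opaque container image does not give you.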
