[rb-general] Definition of "reproducible build"

[Ludovic Courtès]

Hello,

Marvin Humphrey <marvin at rectangular.com> skribis:

> 2.  Hoovering up the build environment into a Docker container or
>     similar might be enough to produce "reproducible" results, but
>     without provenance information for the "relevant attributes of the
>     build environment", the benefits are diminished. ("Does the all-new
>     opaque build environment for release X.Y.Z contain a trojan?")

I agree that insisting on provenance is crucial.  Dockerfiles (and
similar) are often viewed as “source”, but they really aren’t source:
the actual source would come with the distros they refer to (Debian,
pip, etc.)

Those distros might in turn refer to external pre-built binaries,
though, such as “bootstrap binaries” for compilers (Rust, OpenJDK, and
so on.)

(In a way this has a connection to the work on
<https://bootstrappable.org> by fellow hackers.)

>     Assuming that keeping the generality of the official definition is
>     important to you, can you suggest any options for downstream
>     "authors or distributors" to tighten that up?

The GPL (probably other licenses have something similar) has a
definition of “Corresponding Source” that suggests provenance:

    The "Corresponding Source" for a work in object code form means all
  the source code needed to generate, install, and (for an executable
  work) run the object code and to modify the work, including scripts to
  control those activities.  However, it does not include the work's
  System Libraries, or general-purpose tools or generally available free
  programs which are used unmodified in performing those activities but
  which are not part of the work. […]

Perhaps we would need a “recursive” definition of “Corresponding Source”
to really convey the idea of provenance tracking and reproducibility of
a complete software stack?

Anyway, I’m interested in what the ASF or Debian might come up with!

Thanks,
Ludo’.