[rb-general] Definition of "reproducible build"
Ludovic Courtès
ludo at gnu.org
Fri Jan 25 15:59:51 CET 2019
Hello,
Marvin Humphrey <marvin at rectangular.com> skribis:
> 2. Hoovering up the build environment into a Docker container or
> similar might be enough to produce "reproducible" results, but
> without provenance information for the "relevant attributes of the
> build environment", the benefits are diminished. ("Does the all-new
> opaque build environment for release X.Y.Z contain a trojan?")
I agree that insisting on provenance is crucial. Dockerfiles (and
similar) are often viewed as “source”, but they really aren’t source:
the actual source would come with the distros they refer to (Debian,
pip, etc.)
Those distros might in turn refer to external pre-built binaries,
though, such as “bootstrap binaries” for compilers (Rust, OpenJDK, and
so on.)
(In a way this has a connection to the work on
<https://bootstrappable.org> by fellow hackers.)
> Assuming that keeping the generality of the official definition is
> important to you, can you suggest any options for downstream
> "authors or distributors" to tighten that up?
The GPL (probably other licenses have something similar) has a
definition of “Corresponding Source” that suggests provenance:
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. […]
Perhaps we would need a “recursive” definition of “Corresponding Source”
to really convey the idea of provenance tracking and reproducibility of
a complete software stack?
Anyway, I’m interested in what the ASF or Debian might come up with!
Thanks,
Ludo’.
More information about the rb-general
mailing list