Journal article in reproducible builds

Simon Butler simon.butler at his.se
Sat Dec 3 10:29:50 UTC 2022


Hi

On 2022-12-02 at 14:53 +01, Ludovic Courtès <ludo at gnu.org> wrote: 
> Hi,
>
> Simon Butler via rb-general <rb-general at lists.reproducible-builds.org>
> skribis:
>
> In the “Findings” section, you write:
>
>   We identified three areas in which R-Bs are or may be of value as
>   day-to-day software engineering practices within the six businesses.
>   The first is the verification of software binaries distributed by OSS
>   projects.  Much of the OSS used in systems we develop is built from
>   source, in some cases we are building on the software before
>   contributing revisions upstream, or there is a need to audit the
>   source code for reasons including licensing and security.
>
> Would you be able to estimate, within those companies, the extent to
> which engineers resort to building from source as opposed to fetching
> pre-built binaries from Debian, PyPI, Conda, DockerHub, etc.?
>
> Thanks,
> Ludo’.

I can only answer in broad terms as there are so many variables.

Most products are built entirely from source. Firstly, there is a need
to audit the code for licences and security, and, depending on use
context, OSS code can be closely reviewed and tested before being
used. One way to motivate this kind of detailed scrutiny is that with
OSS there is nobody to sue if something goes wrong in production, but by
creating a product containing OSS a business may be sued. Secondly, a
proportion of OSS code taken into products is adapted in some way -
either to work with the existing code base, or the business adds some
differentiating functionality to support their product or service.

Away from products and service delivery platforms, the extent to which a
company will build from source depends on the operating context and
whether the software needs to be certified. 

Simon