Making reproducible builds & GitBOM work together in spite of low-level component variation

Vagrant Cascadian
Wed Jun 22 19:28:51 UTC 2022

On 2022-06-22, Vagrant Cascadian wrote:
> On 2022-06-22, David A. Wheeler wrote:
>> GitBOM is explained at <>. As they explain it, its purpose is to:
>> 	• Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
>> 	• Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the GitBOM identifier, into the artifact
>> at build time.

In my previous reply, I somehow glazed over the fact that the ADG and
GitBOM identifier are embedded in the artifacts at build time...

I can see the value in embedding provenance information in the build
artifacts, but that makes reproducible builds considerably harder to
achieve if it is recording *everything* about the build environment.

Because GitBOM metadata is intentionally included in the build artifacts
themselves, maybe GitBOM should be very discriminating in what is
included in the GitBOM; I don't imagine GitBOM records the running cpu
microcode, but that is arguably just as relevant as the running

live well,
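The tension the message describes, as an added example that is not part of the thread and not the GitBOM project's own code: inputs are identified by git-style blob ids (sha1 over "blob <len>\0" + content, which GitBOM calls gitoids), so a BOM built from source bytes alone gives the same embedded id on every rebuild, while folding a record of the build environment (here a constructed microcode/timestamp string) into the BOM makes otherwise identical builds diverge. The one-line-per-input document layout, the `# gitbom` trailer standing in for the real embedding, and the sample sources are all assumptions for illustration; the `verify_artifact` check is the defender-side test a reproducible-builds reviewer would want to run.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Constructed sample inputs (not taken from the mailing-list thread).
SOURCES: Dict[str, bytes] = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.h": b"#define UTIL 1\n",
}

# Assumed trailer format standing in for the real ELF/Mach-O section embedding.
TRAILER = b"\n# gitbom "


def gitoid_blob(data: bytes) -> str:
    """Content-addressable id in git's blob form: sha1("blob <len>\\0" + data).

    Because the id depends only on the bytes of the input, two builds that see
    the same sources compute the same id regardless of where they run.
    """
    h = hashlib.sha1()
    h.update(b"blob %d\x00" % len(data))
    h.update(data)
    return h.hexdigest()


def gitbom_document(sources: Dict[str, bytes], env_record: Optional[bytes] = None) -> bytes:
    """Simplified GitBOM-style ADG document (assumption: one 'blob <id>' line per
    input, sorted so the result does not depend on traversal order).

    env_record, when given, appends a record of the build environment; this is the
    design choice the message argues against, and it is what breaks reproducibility.
    """
    lines = sorted("blob " + gitoid_blob(content) for content in sources.values())
    doc = "\n".join(lines) + "\n"
    if env_record is not None:
        doc += "env " + env_record.decode() + "\n"
    return doc.encode()


def build_artifact(sources: Dict[str, bytes], env_record: Optional[bytes] = None) -> bytes:
    """Toy build: concatenate inputs in name order, then embed the id of the
    GitBOM document in a trailer, mimicking embedding the reference at build time."""
    body = b"".join(sources[name] for name in sorted(sources))
    bom_id = gitoid_blob(gitbom_document(sources, env_record))
    return body + TRAILER + bom_id.encode() + b"\n"


def embedded_bom_id(artifact: bytes) -> Optional[str]:
    """Extract the embedded GitBOM id from the assumed trailer, or None."""
    m = re.search(rb"# gitbom ([0-9a-f]{40})\n$", artifact)
    return m.group(1).decode() if m else None


def verify_artifact(artifact: bytes, sources: Dict[str, bytes]) -> bool:
    """Defender-side check: the embedded id must equal the id recomputed from the
    claimed sources alone. Any environment data folded into the BOM fails this."""
    return embedded_bom_id(artifact) == gitoid_blob(gitbom_document(sources))


def is_reproducible(sources: Dict[str, bytes], env_records: Iterable[Optional[bytes]]) -> bool:
    """Build once per environment record; reproducible iff every artifact is
    bit-for-bit identical."""
    artifacts = {build_artifact(sources, e) for e in env_records}
    return len(artifacts) == 1


if __name__ == "__main__":
    # Same sources, BOM built from content only: identical artifacts.
    print("content-only BOM reproducible:", is_reproducible(SOURCES, [None, None]))
    # Same sources, but the BOM records a (constructed) microcode version: diverges.
    print("BOM with environment record reproducible:",
          is_reproducible(SOURCES, [b"microcode=0x2f", b"microcode=0x30"]))
```

Run it to see the two cases side by side; `verify_artifact` is the check that rejects an artifact whose embedded id no longer derives from its declared inputs.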
