Making reproducible builds & GitBOM work together in spite of low-level component variation
Vagrant Cascadian
vagrant at reproducible-builds.org
Wed Jun 22 19:28:51 UTC 2022
On 2022-06-22, Vagrant Cascadian wrote:
> On 2022-06-22, David A. Wheeler wrote:
>> GitBOM is explained at <https://gitbom.dev/>. As they explain it, its purpose is to:
>> • Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
>> • Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the GitBOM identifier, into the artifact
>> at build time.
In my previous reply, I somehow glazed over the fact that the ADG and
GitBOM identifier are embedded in the artifacts at build time...
I can see the value in embedding provenance information in the build
artifacts, but that makes reproducible builds considerably harder to
achieve if it is recording *everything* about the build environment.
Because GitBOM metadata is intentionally included in the build artifacts
themselves, maybe GitBOM should be very discriminating in what is
included in the GitBOM; I don't imagine GitBOM records the running cpu
microcode, but that is arguably just as relevant as the running
kernel...
live well,
vagrant
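To make the trade-off above concrete, here is an added toy example (written for this page, not code from GitBOM or from anyone in the thread). It assumes GitBOM identifiers follow the git blob object-id scheme (SHA-1 over "blob <len>\0" + content) and uses a simplified one-line-per-file ADG document; the `build()` function and the "env kernel" line are hypothetical stand-ins for a real build that embeds the identifier.

```python
import hashlib

def gitoid(data):
    """Git blob object id (assumed GitBOM gitoid scheme): sha1("blob <len>\\0" + content)."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def gitbom_document(sources):
    """Simplified ADG leaf set: one 'blob <gitoid>' line per source file, sorted so the
    document does not depend on the order files were seen (real GitBOM also has 'bom' lines)."""
    ids = sorted(gitoid(content) for content in sources.values())
    return "".join("blob %s\n" % i for i in ids).encode()

def build(sources, bom_extra=b""):
    """Hypothetical build: concatenate the sources and append the GitBOM identifier,
    i.e. the gitoid of the ADG document, to the artifact. bom_extra simulates extra
    records (such as build-environment facts) being put into the ADG document."""
    doc = gitbom_document(sources) + bom_extra
    bom_id = gitoid(doc)
    body = b"".join(sources[name] for name in sorted(sources))
    artifact = body + b"\n.gitbom-id=" + bom_id.encode() + b"\n"
    return artifact, bom_id

def artifact_digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

# Constructed sample sources standing in for a tiny project.
SOURCES = {"main.c": b"int main(void){return 0;}\n", "util.h": b"#define X 1\n"}

def reproducible_pair():
    """Two builds from identical sources, ADG limited to source content: bit-identical."""
    a1, _ = build(SOURCES)
    a2, _ = build(SOURCES)
    return artifact_digest(a1) == artifact_digest(a2)

def environment_pair(kernel_a, kernel_b):
    """Same sources, but the ADG also records the running kernel: the embedded identifier,
    and therefore the artifact, differs whenever the build hosts differ."""
    a1, _ = build(SOURCES, b"env kernel " + kernel_a + b"\n")
    a2, _ = build(SOURCES, b"env kernel " + kernel_b + b"\n")
    return artifact_digest(a1) == artifact_digest(a2)
```

Only the source-content identifiers survive a rebuild on a different host; anything environment-specific that lands in the embedded ADG breaks bit-for-bit reproducibility.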