Introducing: Semantically reproducible builds

David A. Wheeler dwheeler at dwheeler.com
Mon May 29 14:21:46 UTC 2023



On Sun, 28 May 2023 21:10:36 -0700, Vagrant Cascadian <vagrant at reproducible-builds.org> wrote:

> Do such tools actually exist, or are we talking about something
> theoretical here?  I am nervous about investing too much energy in
> something without a specific, precise, working proof of concept.
> 
> In your earlier mention of OSSGadget, it was not immediately clear that
> anything in there could actually do this sort of analysis... ?

OSSGadget is a collection of tools.
One of its tools is oss-reproducible, which measures this:

https://github.com/microsoft/OSSGadget/blob/main/src/oss-reproducible/README.md

They originally called it just verifying a "reproducible build".
I learned about the tool and thought it was neat, but I told them
that using the term "reproducible build" for this was confusing.
They agreed and decided to change their term to
"semantically reproducible build". I thought the approach was
interesting and so posted about it here.

> I still expect it will be harder to actually do "semantically
> reproducible builds" than "fully reproducible builds".

This isn't intended for the developers and builders.
It's a way to identify some packages that are low risk
because, while the builds aren't reproducible, the
differences are unlikely to be an issue.

> To be honest, it sounds like a lot of extra work to avoid fixing things
> properly...

As a user I often cannot choose what the builder or developer do.
I can propose a patch set, but it takes time to create them,
and there's no guarantee the project will accept them.
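The distinction the thread turns on, as an added illustration (this is not code from OSSGadget or oss-reproducible, and the ignore list, the timestamp-banner rule and the sample package below are assumptions chosen for this example, not the real tool's rules): two archives that are not byte-for-byte identical because of tar metadata, a build-time banner and a derived RECORD file, but whose shipped code is the same once those known-benign differences are normalized away, versus a third archive whose code genuinely differs.

```python
"""Byte-for-byte vs "semantically" reproducible builds.

Added example for this thread, not code from OSSGadget/oss-reproducible.
IGNORED_PATHS and TIMESTAMP_LINE are assumed illustrative policies.
"""
import io
import re
import tarfile
from typing import Dict, List

# Assumed policy: derived metadata, not shipped code, so never compared.
IGNORED_PATHS = (
    re.compile(r".*\.dist-info/RECORD$"),
    re.compile(r"(^|.*/)__pycache__/.*"),
)
# Assumed policy: build-time banner lines that carry no behaviour.
TIMESTAMP_LINE = re.compile(rb"^#\s*(Generated|Built) (on|at) .*$")


def build_tarball(files: Dict[str, bytes], mtime: int, uname: str) -> bytes:
    """Pack files into an in-memory, uncompressed tar (constructed input).
    mtime/uname stand in for the host-specific metadata a CI run leaves
    behind; uncompressed so no gzip header timestamp creeps in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            info.uname = uname
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def extract(tar_bytes: bytes) -> Dict[str, bytes]:
    """Regular files by path; tar ordering, mtime and owner are dropped."""
    out: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


def is_ignored(path: str) -> bool:
    return any(p.match(path) for p in IGNORED_PATHS)


def normalize(data: bytes) -> bytes:
    """Canonicalize text: CRLF -> LF, trailing whitespace and timestamp
    banner lines removed. Non-UTF-8 content is compared raw."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return data
    lines = [line.rstrip()
             for line in data.replace(b"\r\n", b"\n").split(b"\n")
             if not TIMESTAMP_LINE.match(line)]
    return b"\n".join(lines)


def strictly_reproducible(a: bytes, b: bytes) -> bool:
    """The reproducible-builds.org bar: identical archive bytes."""
    return a == b


def semantic_differences(a: bytes, b: bytes) -> List[str]:
    """Paths whose normalized content differs; empty means 'semantically
    reproducible' under the assumed policy."""
    fa = {p: normalize(d) for p, d in extract(a).items() if not is_ignored(p)}
    fb = {p: normalize(d) for p, d in extract(b).items() if not is_ignored(p)}
    return sorted(p for p in set(fa) | set(fb) if fa.get(p) != fb.get(p))


def semantically_reproducible(a: bytes, b: bytes) -> bool:
    return not semantic_differences(a, b)


# Constructed sample: a tiny package rebuilt locally from source ...
LOCAL_FILES = {
    "pkg/__init__.py": b"VERSION = '1.2.3'\n",
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
    "pkg-1.2.3.dist-info/RECORD": b"pkg/__init__.py,sha256=aaaa,17\n",
}
# ... the same package as published by a CI host (banner, CRLF, other
# RECORD hashes, different owner and mtimes) ...
PUBLISHED_FILES = {
    "pkg/__init__.py": b"# Generated on 2023-05-29\r\nVERSION = '1.2.3'\r\n",
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
    "pkg-1.2.3.dist-info/RECORD": b"pkg/__init__.py,sha256=bbbb,44\n",
}
# ... and a published artifact whose code really does differ from source.
ALTERED_FILES = {**PUBLISHED_FILES,
                 "pkg/core.py": b"def add(a, b):\n    return a - b\n"}

LOCAL = build_tarball(LOCAL_FILES, mtime=0, uname="")
PUBLISHED = build_tarball(PUBLISHED_FILES, mtime=1685369000, uname="ci")
ALTERED = build_tarball(ALTERED_FILES, mtime=1685369000, uname="ci")

if __name__ == "__main__":
    print("strict:  ", strictly_reproducible(LOCAL, PUBLISHED))      # False
    print("semantic:", semantically_reproducible(LOCAL, PUBLISHED))  # True
    print("altered: ", semantic_differences(LOCAL, ALTERED))         # ['pkg/core.py']
```

The point of the contrast is that the verdict hangs entirely on the normalization policy: every rule in IGNORED_PATHS and normalize() is a claim that a class of difference cannot change behaviour, so the list of differences that were waived (here, RECORD and the banner line) is what a reviewer should read, not just the final boolean.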



More information about the rb-general mailing list