Introducing: Semantically reproducible builds
David A. Wheeler
dwheeler at dwheeler.com
Mon May 29 14:21:46 UTC 2023
On Sun, 28 May 2023 21:10:36 -0700, Vagrant Cascadian <vagrant at reproducible-builds.org> wrote:
> Do such tools actually exist, or are we talking about something
> theoretical here? I am nervous about investing too much energy in
> something without a specific, precise, working proof of concept.
>
> In your earlier mention of OSSGadget, it was not immediately clear that
> anything in there could actually do this sort of analysis... ?
OSSGadget is a collection of tools.
One of its tools is oss-reproducible, which measures this:
https://github.com/microsoft/OSSGadget/blob/main/src/oss-reproducible/README.md
They originally called it just verifying a "reproducible build".
I learned about the tool, thought it was neat but I told them
that using the term "reproducible build" for this was confusing.
They agreed and decided to change their term to
"semantically reproducible build". I thought the approach was
interesting and so posted about it here.
> I still expect it will be harder to actually do "semantically
> reproducible builds" than "fully reproducible builds".
This isn't intended for the developers and builders.
It's a way to identify some packages that are low risk
because, while the builds aren't reproducible, the
differences are unlikely to be an issue.
> To be honest, it sounds like a lot of extra work to avoid fixing things
> properly...
As a user I often cannot choose what the builder or developer does.
I can propose a patch set, but it takes time to create them,
and there's no guarantee the project will accept them.
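A toy illustration of the "differences are unlikely to be an issue" idea, added here as an example; it is not OSSGadget's oss-reproducible code. Two constructed build archives are classified as bit-for-bit reproducible, semantically reproducible, or genuinely different, where "zip timestamps and text line endings are benign" is an assumed rule chosen for illustration, not a rule from the tool.

```python
import hashlib
import io
import zipfile

# Added example, not OSSGadget's implementation. Assumption for illustration:
# zip entry metadata (timestamps, order) and CRLF/LF differences in text
# files are benign; any other content difference is not.

def _entries(archive: bytes) -> dict:
    """Map each member name to a SHA-256 of its normalized content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if info.filename.endswith((".py", ".txt", ".md")):
                data = data.replace(b"\r\n", b"\n")  # assumed-benign difference
            out[info.filename] = hashlib.sha256(data).hexdigest()
    return out

def classify(a: bytes, b: bytes) -> str:
    """'reproducible' (identical bytes), 'semantically-reproducible'
    (only assumed-benign differences) or 'differs' (content differs)."""
    if a == b:
        return "reproducible"
    return "semantically-reproducible" if _entries(a) == _entries(b) else "differs"

def diff_members(a: bytes, b: bytes) -> list:
    """Members whose normalized content differs: what a reviewer must inspect."""
    ea, eb = _entries(a), _entries(b)
    return sorted(n for n in ea.keys() | eb.keys() if ea.get(n) != eb.get(n))

def make_archive(files: dict, stamp: tuple) -> bytes:
    """Constructed sample build output: the given files, stamped with one mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), content)
    return buf.getvalue()

# Constructed inputs: same sources built at two different times, plus one
# rebuild whose output contains an extra statement.
SRC = {"pkg/__init__.py": b"VERSION = '1.0'\n", "README.txt": b"hello\n"}
BUILD_A = make_archive(SRC, (2023, 5, 28, 21, 10, 36))
BUILD_B = make_archive(SRC, (2023, 5, 29, 14, 21, 46))  # only timestamps differ
BUILD_C = make_archive({**SRC, "pkg/__init__.py": b"VERSION = '1.0'\nimport os\n"},
                       (2023, 5, 29, 14, 21, 46))

if __name__ == "__main__":
    print(classify(BUILD_A, BUILD_B), classify(BUILD_A, BUILD_C), diff_members(BUILD_A, BUILD_C))
```

Every such "benign" rule is a judgement call; the point of the tiered result is that the package is flagged as lower risk, not that the diff is ignored.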