Introducing: Semantically reproducible builds

John Gilmore gnu at toad.com
Mon May 29 20:17:52 UTC 2023


David A. Wheeler <dwheeler at dwheeler.com> wrote:

> Please don't view the text above as opposing reproducible builds.
> I think reproducible builds are the gold standard for countering subverted builds, and I will continue to encourage them.
> But when you can't get them (e.g., because you don't have time to patch every program
> in the universe or the builders won't make changes to their build process),
> it's useful to look for some *workable* backoff alternatives. The backoffs may not give
> you all you wanted, but they can at least help users focus on their biggest risks first.

To the extent that the text causes the public to be confused about what
reproducibility means, that text *will* oppose reproducible builds.

Can you call packages that aren't reproducible because the maintainers
insist on keeping timestamps, temp file names, etc. in the binaries
(or whose maintainers simply don't care) "irreproducible" rather than
"semantically reproducible"?  That would be much clearer.

	John
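Added illustration (not part of this thread, and not code from either poster): a toy build that embeds exactly the two kinds of noise John names, a wall-clock timestamp and a random temp-file name, beside the same build with those inputs pinned via the SOURCE_DATE_EPOCH convention. It then shows the two ways of comparing outputs that the thread is arguing about: byte-for-byte equality, which the pinned build passes and the naive one fails, and a comparison that first strips the known-volatile lines, which is the "semantically reproducible" reading John objects to. The function names, the `built:`/`obj:` header format and the sample source are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample input standing in for a package's source tree.
SOURCE = b"int main(void) { return 0; }\n"


def naive_build(source: bytes, clock=time.time) -> bytes:
    """Toy build that embeds a wall-clock timestamp and a random temp-file
    name in the artifact, which is what keeps many real packages from being
    reproducible."""
    build_time = int(clock())
    tmp_path = f"/tmp/build-{secrets.token_hex(4)}.o"  # fresh name each run
    header = f"built: {build_time}\nobj: {tmp_path}\n".encode()
    return header + source


def reproducible_build(source: bytes, env: dict) -> bytes:
    """The same toy build with both volatile inputs pinned: the timestamp is
    taken from SOURCE_DATE_EPOCH (a real reproducible-builds convention) and
    the intermediate path is canonical instead of random."""
    build_time = int(env["SOURCE_DATE_EPOCH"])
    tmp_path = "/build/src.o"
    header = f"built: {build_time}\nobj: {tmp_path}\n".encode()
    return header + source


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def is_bit_for_bit_reproducible(build, runs: int = 3) -> bool:
    """Strict definition: repeated builds must yield identical bytes."""
    digests = {digest(build()) for _ in range(runs)}
    return len(digests) == 1


# Header lines this toy format is known to vary between runs.
VOLATILE_PREFIXES = (b"built: ", b"obj: ")


def strip_volatile(artifact: bytes) -> bytes:
    """Drop lines known to carry build-time noise before comparing. This is
    the 'semantic' comparison: the build itself is unchanged (and still not
    reproducible); only the comparison chooses to ignore the noise."""
    kept = [ln for ln in artifact.split(b"\n") if not ln.startswith(VOLATILE_PREFIXES)]
    return b"\n".join(kept)


def semantically_equal(a: bytes, b: bytes) -> bool:
    return strip_volatile(a) == strip_volatile(b)


def differing_lines(a: bytes, b: bytes) -> list:
    """Pairs of lines that differ, so a reviewer can see why two builds
    disagree rather than just that they do."""
    return [(x, y) for x, y in zip(a.split(b"\n"), b.split(b"\n")) if x != y]


if __name__ == "__main__":
    a, b = naive_build(SOURCE), naive_build(SOURCE)
    print("naive build bit-for-bit reproducible:",
          is_bit_for_bit_reproducible(lambda: naive_build(SOURCE)))
    print("differing lines:", differing_lines(a, b))
    print("semantically equal after stripping noise:", semantically_equal(a, b))
    env = {"SOURCE_DATE_EPOCH": "1685391472"}  # constructed value
    print("pinned build bit-for-bit reproducible:",
          is_bit_for_bit_reproducible(lambda: reproducible_build(SOURCE, env)))
```

The point of the side-by-side is that the pinned build needs no special comparison at all: once the timestamp and path are deterministic inputs, any verifier that hashes the output gets the same answer. The stripping step only papers over a build that is still, in the strict sense, irreproducible, and it has to be taught which lines to ignore for each artifact format.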