"Reproducible build" definition in OpenSSF glossary

Simon Josefsson simon at josefsson.org
Wed Apr 23 09:07:43 UTC 2025


"David A. Wheeler via rb-general"
<rb-general at lists.reproducible-builds.org> writes:

> The OpenSSF is building a "glossary" set (so we consistently use the
> same meaning for the same term), and I drafted a definition for "reproducible build"
> based on this group:
>
> https://glossary.openssf.org/reproducible-build/

Thanks.  I think the "same source code, build environment and build
instructions" part may lead people the wrong way.

Others may have different goals, but for me the point of supporting
reproducible builds is so that we can get to "verified reproducible
builds", which to me is what matters for end-users.  It is great that
you mention this goal above!  It seems this goal is often forgotten.

With that goal in mind, I don't think it matters what the build input or
build environment is.

What matters is that someone is able to get the same bit-by-bit
identical output.

Where I think people may go wrong with the text above is that you are
led to believe that there is a one-to-one mapping involved for the build
environment.

However, I believe that achieving "verified reproducible builds" does
not require reproducing the build environment bit-by-bit identically.

For example, if I'm able to independently rebuild Debian's version of
Firefox using the same Firefox source code but some other build
environment, I would still count the Firefox binary as a "verified
reproducible build".  Does anyone disagree with that?  Why?

Here is my attempt at clarification:

OLD:

   A build is reproducible if given the same source code, build
   environment and build instructions, any party can recreate bit-by-bit
   identical copies of all specified artifacts.

NEW:

   A build is reproducible if given the same source code, any party can
   recreate bit-by-bit identical copies of all specified artifacts.
   Information about the build environment and build instructions is
   usually needed to achieve that.

What do you think?

Btw, I recently wrote about verifying reproducible source tarballs:

https://blog.josefsson.org/2025/04/17/verified-reproducible-tarballs/

Turns out I was not able to reproduce any upstream-published tarballs
that I looked at.  Does anyone know of any earlier systematic efforts to
verify reproducibility of source tarballs in a similar way?  Is anyone
interested in working on this, for a couple of high-profile packages to
see if we are able to reproduce them?

/Simon
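The point of the message above (the artifact, not the build environment, is what has to match bit-for-bit, and the tarball verification it mentions) as an added example. This is not code from the original post, from Simon Josefsson, or from the Reproducible Builds project. It simulates two hypothetical builders with different clocks, uid/gid and directory listing order, builds a source tarball from a constructed three-file source tree in both, and checks whether the two outputs are byte-identical. The naive build leaks the environment into the archive; the pinned build follows the SOURCE_DATE_EPOCH convention (fixed mtime, fixed ownership, sorted entries, gzip header without name or timestamp) and yields the same bytes from both environments, which is exactly what lets a third party verify a published hash.

```python
"""Added example: same source, two different build environments, compare
the produced artifact bit-for-bit (not the environments themselves)."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (not a real project).
SOURCE_FILES = {
    "hello/Makefile": b"all:\n\tcc -o hello hello.c\n",
    "hello/hello.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "hello/README": b"Hello, world.\n",
}

# Two hypothetical build environments; they differ only in ways unrelated to the source.
ENV_A = {"now": 1_700_000_000, "uid": 1000, "gid": 1000, "uname": "alice", "reverse_order": False}
ENV_B = {"now": 1_745_000_000, "uid": 501, "gid": 20, "uname": "bob", "reverse_order": True}


def _entries(env):
    """Yield (path, data) in whatever order this environment's filesystem lists them."""
    names = sorted(SOURCE_FILES)
    if env["reverse_order"]:
        names = list(reversed(names))
    for name in names:
        yield name, SOURCE_FILES[name]


def naive_tarball(env):
    """What a plain `tar czf` does: current time, builder's uid/gid/name, listing order."""
    buf = io.BytesIO()
    # gzip header records an mtime and the archive name; both are environment-dependent here.
    with gzip.GzipFile(filename="hello.tar", mode="wb", fileobj=buf, mtime=env["now"]) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in _entries(env):
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = env["now"]
                info.uid, info.gid = env["uid"], env["gid"]
                info.uname = info.gname = env["uname"]
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_tarball(env, source_date_epoch=1_700_000_000):
    """Same inputs, but every environment-dependent field is pinned to a fixed value."""
    buf = io.BytesIO()
    # Empty filename drops the FNAME header field; mtime=0 pins the gzip timestamp.
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for name, data in sorted(_entries(env)):  # fixed order regardless of listing
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch  # SOURCE_DATE_EPOCH convention
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(build_fn):
    """Build independently in ENV_A and ENV_B; return (identical, digest_a, digest_b)."""
    a, b = build_fn(ENV_A), build_fn(ENV_B)
    return a == b, sha256(a), sha256(b)


if __name__ == "__main__":
    for label, fn in (("naive", naive_tarball), ("reproducible", reproducible_tarball)):
        same, ha, hb = verify(fn)
        print(f"{label:13s} identical={same}  envA={ha[:16]}  envB={hb[:16]}")
```

The check a verifier actually performs is the last line of `verify`: compare the bytes (or their digest) of the rebuilt artifact with the published one. Nothing in that comparison needs the original builder's machine, only enough information about the build (here the source date epoch and the normalization rules) to reach the same bytes; note also that a different `source_date_epoch` is a different build input and produces a different, but still reproducible, artifact.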