"Reproducible build" definition in OpenSSF glossary
fosslinux
fosslinux at aussies.space
Wed Apr 23 09:34:38 UTC 2025
Hi David and list,
In light of the recent discussion surrounding what "reproducibility" of the Debian ISO images means, and the further sub-discussion about what one should treat as "source code", I would suggest modifying "A build is reproducible if given the same source code, build environment and build instructions any party can recreate bit-by-bit identical copies of all specified artifacts." to something like

"A build is reproducible if given the same build environment and identified set of source material, any party can recreate bit-by-bit identical copies of all specified artifacts, by following build instructions operating on the source material within the build environment."

Perhaps with some note that "in most cases, this identified set of source material should be the original source code of the artifacts".
I'm uncertain that the definition as it stands provides any clarity around the work on the Debian ISO images in making them reproducible from binary packages - clearly they have some status - but should they be called "reproducible", or something else?
Kind regards,
Samuel Tyler
On 4/23/25 01:37, David A. Wheeler via rb-general wrote:
> The OpenSSF is building a "glossary" set (so we consistently use the
> same meaning for the same term), and I drafted a definition for "reproducible build"
> based on this group:
>
> https://glossary.openssf.org/reproducible-build/
>
> If there's an issue please let me know!
>
> --- David A. Wheeler
>