"Reproducible build" definition in OpenSSF glossary
Roland Clobus
rclobus at rclobus.nl
Wed Apr 23 11:21:34 UTC 2025
Hello list,
On 23/04/2025 11:34, fosslinux via rb-general wrote:
> Hi David and list,
>
> In light of the recent discussion surrounding what "reproducibility" of
> the Debian ISO images means, and the further sub-discussion about what
> one should treat as "source code"
[snip]
This discussion reminds me of a discussion that was held in Debian some
time ago [citation needed] about which files are to be considered source
code. Please don't go there again :-)
IIRC the outcome was that a Debian Maintainer could decide that a
certain file was 'source code enough'.
Examples would be:
1) a PNG generated by the commercial closed-source package autocad. Even
though the PNG file is not the real source, it is good enough, or the
package maintainer does not have a license for autocad and is not able
to regenerate the PNG file.
2) the configure script vs. configure.in or configure.ac. Not always are
the real sources available any more and the derived versions (due to
many manual modifications) have become the source instead.
Before this thread started, I was working on a small diagram, which is
now published (with its source code) at
https://wiki.debian.org/ReproducibleInstalls/LiveImages
https://wiki.debian.org/ReproducibleInstalls/LiveImages?action=AttachFile&do=get&target=reproducible_liveiso.svg
Additionally I've sent an update of my first, bold mail to this list
https://lists.reproducible-builds.org/pipermail/rb-general/2025-April/003700.html
which identifies me as the person making the claim within a specific
context ('the author'), therefore fulfilling every aspect of the current
definition of 'reproducible builds'.
Finally, I think the reproducible effort can have both a top-down and
bottom-up strategy implemented at the same time. Both strategies involve
a lot of effort to make them work. I know for sure that making
reproducible live images has taken a lot of effort.
With kind regards,
Roland Clobus