"Reproducible build" definition in OpenSSF glossary

Thomas Schmitt scdbackup at gmx.net
Wed Apr 23 12:39:39 UTC 2025


Hi,

fosslinux wrote:
> Before I explain, to be entirely clear, my viewpoint is that the definition
> *should* define Roland's excellent work on the Debian live ISOs as being
> reproducible. But, I'm currently unsure that David's definition strictly
> permits this:
> "A build is /reproducible/ if given the same source code, build environment
> and build instructions, any party can recreate bit-by-bit identical copies
> of all specified artifacts. [...]"

The term "source code" might indeed be somewhat too narrow.
As a programmer I read it more like "high level language form" than
like "original input of software processing".
I.e. in my personal view any non-programming-language input would have
to come from the "build environment". (I'm flexible enough to accept
this.)


> that's why I suggest the alternative term "identified set of source
> material", which would squarely place "the online Debian archive
> consisting of .deb files and corresponding metadata" as the
> identified "source material".

I agree, modulo the term "identified", which would have to be defined
or explained first.

The example of an ISO image and the role of software like Debian
"live-build" or xorriso shows that reproducibility is relative to some
original input.
Maybe one should state this first and then refer to this input when
describing the participants of a reproduction attempt.

Or maybe one should state as a footnote that about any real-world
attempt at reproducing software depends on input that is not source
code in the strict meaning of programming language text.
Ideally such input should have its own reproducible build process.


Have a nice day :)

Thomas
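The point above, that a reproduction is only meaningful relative to an identified input set (here: a pinned set of .deb files standing in for the Debian archive) and that the non-source inputs themselves need to be pinned, is illustrated by the following added example. It is not code from the thread, from live-build or from xorriso; it uses constructed package bytes and a deterministic in-memory tar archive as a stand-in for the ISO assembly step, and the names PACKAGES_V1, identify_inputs, verify_inputs, build_image and is_reproduced are hypothetical.

```python
"""Reproducibility relative to an identified input set (added example).

The "identified set of source material" is modelled as a manifest of
sha256 digests.  A build is only accepted as a reproduction when the
inputs match that manifest and the packing step is deterministic.
"""
import hashlib
import io
import tarfile

# Constructed stand-in for "the online Debian archive": name -> file bytes.
# Real inputs would be .deb files; short byte strings suffice to show the idea.
PACKAGES_V1 = {
    "base-files_13_amd64.deb": b"deb-v1: base-files",
    "bash_5.2_amd64.deb": b"deb-v1: bash",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify_inputs(packages):
    """Produce the identified input set: package name -> sha256 digest."""
    return {name: sha256_hex(data) for name, data in packages.items()}


def verify_inputs(packages, manifest):
    """Return names that are missing or whose bytes differ from the manifest."""
    mismatches = []
    for name, digest in manifest.items():
        if name not in packages or sha256_hex(packages[name]) != digest:
            mismatches.append(name)
    return mismatches


def build_image(packages, manifest, source_date_epoch):
    """Deterministically pack the identified inputs into an uncompressed tar.

    Raises ValueError if the inputs deviate from the manifest: the result
    would be a different artifact, not a reproduction of the original one.
    Determinism comes from a fixed entry order, a fixed timestamp taken
    from the caller (think SOURCE_DATE_EPOCH) and constant ownership.
    """
    bad = verify_inputs(packages, manifest)
    if bad:
        raise ValueError(f"inputs differ from identified set: {bad}")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(packages):  # fixed order, independent of dict/FS order
            data = packages[name]
            info = tarfile.TarInfo(name=f"pool/{name}")
            info.size = len(data)
            info.mtime = source_date_epoch  # no wall-clock timestamps
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_reproduced(packages_a, packages_b, manifest, source_date_epoch):
    """True if two parties, given the same identified inputs, get identical bytes."""
    a = build_image(packages_a, manifest, source_date_epoch)
    b = build_image(packages_b, manifest, source_date_epoch)
    return sha256_hex(a) == sha256_hex(b)


if __name__ == "__main__":
    manifest = identify_inputs(PACKAGES_V1)
    print("reproduced:", is_reproduced(PACKAGES_V1, dict(PACKAGES_V1), manifest, 1700000000))
    changed = dict(PACKAGES_V1, **{"bash_5.2_amd64.deb": b"deb-v2: bash"})
    print("drifted inputs:", verify_inputs(changed, manifest))
```

Two failure modes are visible here: a changed input (for example an updated .deb in the archive) is caught by the manifest before anything is built, and an unpinned timestamp changes the artifact even though the inputs are unchanged, which is why the timestamp is treated as part of the build environment rather than left to the clock.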
