"Reproducible build" definition in OpenSSF glossary

David A. Wheeler dwheeler at dwheeler.com
Wed Apr 23 17:30:21 UTC 2025 


> On Apr 22, 2025, at 11:47 AM, Aman Sharma <amansha at kth.se> wrote:
> 
> Hi all,
> 
> I tend to follow the definition that is stated in Reproducible Builds: Increasing the Integrity of Software Supply Chains: "The build process of a software product is reproducible if, after designating a specific version of its source code and all of its build dependencies, every build produces bit-for-bit identical artifacts, no matter the environment in which the build is performed."
> 
> The difference between the definition proposed on OpenSSF and the above is the usage of the "environment".
>     • The definition above claims that build should be reproducible regardless of environment.
>     • Definition on OpenSFF claims that build should take "build environment" in account to be reproducible.


This "OpenSSF" definition was copied from the two different definitions posted on the reproducible-builds.org <http://reproducibel-builds.org/> website. The proposed OpenSSF definition attempts to combine these two DIFFERENT definitions from the reproducible-builds site, because the reproducible-builds site itself isn't consistent. These aren't "David's definitions", these are the reproducible-builds.org <http://reproducible-builds.org/> definitions.

If you don't like the two different reproducible-builds.org <http://reproducible-builds.org/> definitions, I suggest discussing the definitions here & updating the reproducible-builds.org <http://reproducible-builds.org/> website first. The two reproducible-builds definitions are:

1. The https://reproducible-builds.org/docs/definition/ definition:
> A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
> The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.

2. The main page https://reproducible-builds.org/ instead defines the term as:
> Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. 


The first definition is way clearer on what it *means* to be a reproducible build, and the second definition is way clearer on *why* you would want such a thing. The proposed OpenSSF definition attempts to combine these two different definitions, both formally posted on reproducible-builds.org <http://reproducible-builds.org/>, into a single definition. That's all.

The proposed OpenSSF is the definition at: https://glossary.openssf.org/reproducible-build/ which combines these 2 definitions and says:
> A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts. This creates an independently-verifiable path from source to binary code and counters attacks on the build process.

I see several people complaining about this proposed OpenSSF definition, but those complaints also apply to the reproducible-builds.org <http://reproducible-builds.org/> website definitions. I suggest that there be a discussion about whether or not the reproducible-builds website definitions should be be changed. If they are changed, then OpenSSF definitions should be reviewed to see if they should match. I don't see why the OpenSSF definitions should be seriously different from reproducible-builds.org <http://reproducible-builds.org/>, which is what proposers seem to be suggesting.

A few responses -

Thomas Schmitt:
> The term "source code" might indeed be somewhat too narrow.
> As programmer i read it more like "high level language form" than
> like "original input of software processing".

I disagree, I think "source code" is the *correct* term.
The term "source code" is the normal term for
"what's normally edited during development".

Using a non-standard phrase for this, instead of the normal
technical term "source code", would make things *MORE* confusing.
Thinking "source code" means "high level language form" is clearly NOT
what most people mean. Many programs have source code that includes some assembly language,
and some are exclusively assembly language. Some licenses, like the GPL version 3,
provide a specific definition of "source code" that makes it clear that
"source code" means "the usual thing you edit":
> The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
https://www.gnu.org/licenses/gpl-3.0.en.html


One email proposed changing the reproducible-build.org <http://reproducible-build.org/> detailed definition as follows (though it appears to incorrectly assume it was an OpenSSF and not from reproducible-build.org):

Old:
> A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
New:
> A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all specified artifacts. Information about the build environment and build instructions is usually needed to achieve that.

I think that's a reasonable tweak. There is an annoyance: in this revised definition, you could define "my build environment copies the binary from malicious.org <http://malicious.org/>" and "reproduce" the results, so maybe it should be clear that the build results must build the results from the given source code :-).

It'd be nice if reproducible-build.org <http://reproducible-build.org/> had *ONE* definition, instead of two. How about this?

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code that counters attacks on the build process. A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all specified artifacts generated from the source code by the build process. Information about the build environment and build instructions is usually needed to achieve that.

--- David A. Wheeler

More information about the rb-general mailing list