"Reproducible build" definition in OpenSSF glossary

fosslinux fosslinux at aussies.space
Thu Apr 24 13:59:42 UTC 2025


Hi David, list,

Of course, it would be ideal for r-b.org and OpenSSF to have the same definition!

On 4/24/25 03:30, David A. Wheeler via rb-general wrote:
> I think that's a reasonable tweak. There is an annoyance: in this revised definition, you could define "my build environment copies the binary from malicious.org" and "reproduce" the results, so maybe it should be clear that the build results must build the results from the given source code 🙂.
>
> It'd be nice if reproducible-build.org had *ONE* definition, instead of two. How about this?
>
> Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code that counters attacks on the build process. A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all specified artifacts generated from the source code by the build process. Information about the build environment and build instructions is usually needed to achieve that.

I quite like this definition. It gives a good overarching picture of what a reproducible build is without any clunkiness 
about individually reproducible/"pure" processes (which I have now been convinced is a good thing for this general 
definition). Although for sake of clarity around the specified artifacts, I would be inclined to reword the second 
sentence as follows:

"A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all 
artifacts specified in the build process, which generates them from the source code."

Does this help with "maybe it should be clear that the build results must build the results from the given source code"?

Kind regards,

Samuel
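The two checks implied by the definition discussed in this message, as an added example that is not part of the thread or of any Reproducible Builds project tooling: two independent parties run the same build on the same source and every specified artifact must match bit for bit, and (David's point) the artifacts must actually be derived from that source rather than copied in from elsewhere. The source tree, the three toy builders and the artifact names are constructed for illustration; the only real convention used is the `SOURCE_DATE_EPOCH` timestamp pinning.

```python
import hashlib
import io
import os
import tarfile
import time

# Constructed sample source tree (path -> contents); not from any real project.
SOURCE = {
    "README": b"demo project\n",
    "src/hello.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
}

# Constructed stand-in for a binary fetched from somewhere other than the build.
PREBUILT_BLOB = b"\x7fELF-not-really: fixed bytes that ignore the source\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tar(source: dict, mtime: int) -> bytes:
    """Pack the tree into a tar stream whose bytes depend only on its inputs:
    sorted member order, caller-supplied mtime, zeroed ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(source):
            info = tarfile.TarInfo(name=path)
            info.size = len(source[path])
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(source[path]))
    return buf.getvalue()


def nondeterministic_build(source: dict) -> dict:
    """Leaks the environment into the artifacts: wall-clock mtimes in the
    archive and a random build id in the manifest (hypothetical builder)."""
    tar_bytes = make_tar(source, mtime=int(time.time()))
    manifest = (f"build-id: {os.urandom(16).hex()}\n"
                f"source.tar: {sha256_hex(tar_bytes)}\n").encode()
    return {"source.tar": tar_bytes, "manifest.txt": manifest}


def reproducible_build(source: dict, source_date_epoch: int = 1_700_000_000) -> dict:
    """Same build with the environment pinned: timestamps come from
    SOURCE_DATE_EPOCH and the build id is derived from the source itself."""
    tar_bytes = make_tar(source, mtime=source_date_epoch)
    source_id = sha256_hex(b"".join(p.encode() + b"\0" + source[p] for p in sorted(source)))
    manifest = (f"build-id: {source_id}\n"
                f"source.tar: {sha256_hex(tar_bytes)}\n").encode()
    return {"source.tar": tar_bytes, "manifest.txt": manifest}


def copied_build(source: dict) -> dict:
    """The 'copy the binary from elsewhere' case from the thread: ignores the
    source and ships a fixed blob (hypothetical builder)."""
    return {"source.tar": PREBUILT_BLOB, "manifest.txt": b"build-id: fixed\n"}


def diverging_artifacts(build, source: dict,
                        specified=("source.tar", "manifest.txt")) -> list:
    """Model two independent parties each running `build` on the same source
    and compare every specified artifact by SHA-256. Returns the names of
    artifacts that differ; an empty list means the build reproduces."""
    party_a, party_b = build(source), build(source)
    return [name for name in specified
            if sha256_hex(party_a[name]) != sha256_hex(party_b[name])]


def derived_from_source(build, source: dict) -> bool:
    """Check that the artifacts depend on the given source: editing one source
    file must change at least one artifact. A build that only copies a binary
    from elsewhere passes the reproduction check but fails this one."""
    modified = {**source, "README": source["README"] + b"changed\n"}
    before, after = build(source), build(modified)
    return any(before[name] != after[name] for name in before)


if __name__ == "__main__":
    for name, builder in [("nondeterministic", nondeterministic_build),
                          ("reproducible", reproducible_build),
                          ("copied", copied_build)]:
        print(f"{name:16} diverging={diverging_artifacts(builder, SOURCE)} "
              f"derived_from_source={derived_from_source(builder, SOURCE)}")
```

Only `reproducible_build` passes both checks: the nondeterministic builder reproduces nothing but the fixed parts, and the copied build reproduces perfectly while having no path from source to artifact, which is exactly why the wording "generated from the source code by the build process" matters.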


