"Reproducible build" definition in OpenSSF glossary
David A. Wheeler
dwheeler at dwheeler.com
Thu Apr 24 15:12:14 UTC 2025
> On Apr 24, 2025, at 9:59 AM, fosslinux via rb-general <rb-general at lists.reproducible-builds.org> wrote:
>
> Hi David, list,
>
> Of course, it would be ideal for r-b.org and OpenSSF to have the same definition!
I agree! It'd be nice for r-b.org to have the same definition as itself, too, instead of the current situation :-).
Here's what I'd like to see:
* The page https://reproducible-builds.org/ has the *first* sentence of the definition (explaining why it's important), linking to...
* The page https://reproducible-builds.org/docs/definition/ which has the *full* definition including the first sentence (not a completely different one)
* The page https://glossary.openssf.org/reproducible-build/ has the same full definition, with a link to r-b.org
So here's another try, proposed as a modification to https://reproducible-builds.org/docs/definition/ given Samuel's suggestion & other comments. I've changed "source" to "source code" so it's clearer & links better. I also defined the term "source code" ("it is usually..." is NOT the correct form for a definition). I've changed the first sentence to use "build artifacts" consistently. I added a definition of what a *verified* reproducible build is (I think that's critically important, because if you don't verify it anywhere, it's not doing much good).
Thoughts?
--- David A. Wheeler
======================
Reproducible builds are a set of software development practices that create an independently-verifiable path from source code to build artifacts (e.g., binary code) that counters attacks on the build process. A build is reproducible if given the same source code, any party can recreate bit-by-bit identical copies of all build artifacts specified in the build process by generating them from the source code. Information about the build environment and build instructions is usually needed to achieve that. The relevant attributes of the build environment, the build instructions, and the source code, as well as the expected reproducible artifacts, are defined by the authors or distributors.
A verified reproducible build is a build result that has been independently verified to reproduce. Verified reproducible builds allow multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.
Explanations
Source code is the preferred form of the work for making modifications to it. It is usually a checkout from version control at a specific revision of a source code archive.
< "Relevant attributes of the build environment" unchanged >
Artifacts of a build are the parts of the build results that are the desired primary output. Artifacts would include executables, distribution packages, or filesystem images. Build logs and similar ancillary outputs are usually not considered artifacts.
< Rest unchanged, but add... >
See https://reproducible-builds.org/docs/ for tips on how to achieve reproducible builds.
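Added example (editor's illustration, not part of David's message or of any r-b.org or OpenSSF text): a toy "build" that packs a constructed source checkout into a tar.gz, run first in a form that lets wall-clock time, the builder's username and directory order leak into the artifact, then in a form that pins those attributes from the build instructions (a SOURCE_DATE_EPOCH value declared by the author, sorted entry order, blank ownership). Two constructed build environments show why the first is not reproducible and the second is. A final consensus() helper models the "verified reproducible build" idea: several parties report artifact digests, the agreed digest is the verified result, and anyone who deviates is flagged. The majority rule in consensus(), the environment keys, and all sample data are assumptions of this example, not anything the definition prescribes.

```python
"""Added example: toy reproducible vs. non-reproducible build, plus a consensus
check over independent rebuilds. Constructed data only; runs offline."""
import gzip
import hashlib
import io
import tarfile
from collections import Counter

# Constructed "source code": a checkout at a fixed revision (assumed content).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all: main\n",
}

# Two constructed build environments. Only SOURCE_DATE_EPOCH is a declared
# build-instruction attribute; "now" and "USER" are incidental host state.
ENV_A = {"now": 1700000000, "USER": "alice", "SOURCE_DATE_EPOCH": "1577836800"}
ENV_B = {"now": 1700003600, "USER": "bob", "SOURCE_DATE_EPOCH": "1577836800"}


def _tar_gz(entries, mtime, uname, gz_mtime):
    """Pack (name, data) pairs into a tar, then gzip it. Every field that can
    vary is passed in explicitly so the caller decides what leaks in."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = uname
            info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gzip also stores a timestamp in its header; pin it too.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def naive_build(source, env):
    """Non-reproducible: wall-clock time, username and dict order end up in
    the artifact, so different builders get different bytes."""
    now = int(env["now"])
    return _tar_gz(source.items(), mtime=now, uname=env["USER"], gz_mtime=now)


def reproducible_build(source, env):
    """Reproducible: timestamps come from SOURCE_DATE_EPOCH (part of the build
    instructions), entries are sorted, ownership is blanked."""
    epoch = int(env["SOURCE_DATE_EPOCH"])
    return _tar_gz(sorted(source.items()), mtime=epoch, uname="", gz_mtime=epoch)


def artifact_digest(artifact):
    """SHA-256 of the artifact bytes: the thing independent parties compare."""
    return hashlib.sha256(artifact).hexdigest()


def builds_reproducibly(build, source, envs):
    """Run one build function under each environment; it is reproducible
    (for these environments) iff every run yields the same digest."""
    return len({artifact_digest(build(source, e)) for e in envs}) == 1


def consensus(reports):
    """reports: party name -> digest of the artifact that party rebuilt.
    Returns (verified_digest, suspects). A digest is 'verified' here when a
    strict majority of parties agree (assumed rule); parties whose result
    deviates are the suspects worth scrutiny. No majority -> nothing verified."""
    digest, n = Counter(reports.values()).most_common(1)[0]
    if n * 2 <= len(reports):
        return None, sorted(reports)
    return digest, sorted(p for p, d in reports.items() if d != digest)


if __name__ == "__main__":
    print("naive build reproducible?", builds_reproducibly(naive_build, SOURCE_TREE, [ENV_A, ENV_B]))
    print("pinned build reproducible?", builds_reproducibly(reproducible_build, SOURCE_TREE, [ENV_A, ENV_B]))
    good = artifact_digest(reproducible_build(SOURCE_TREE, ENV_A))
    print("consensus:", consensus({"alice": good, "bob": good, "mallory": "0" * 64}))
```

The two environments differ only in host state the author never declared as relevant, which is exactly the gap a definition has to close: an artifact is reproducible with respect to the attributes the authors listed, and a verifier that rebuilds elsewhere only needs to match those. The consensus() step is the "verified" part; a build nobody rebuilds independently is reproducible only on paper.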