"Reproducible build" definition in OpenSSF glossary

Simon Josefsson simon at josefsson.org
Thu Apr 24 15:38:54 UTC 2025


"David A. Wheeler via rb-general"
<rb-general at lists.reproducible-builds.org> writes:

> Thoughts?

I like it, but one question about the new addition of "source code":

> Reproducible builds are a set of software development practices that
> create an independently-verifiable path from source code to build
> artifacts (e.g., binary code) that counters attacks on the build
> process.
...
> Source code is the preferred form of the work for making modifications to it. It is usually a checkout from version control at a specific revision of a source code archive.

This implies to me that the Debian live CD is not reproducible.  It was
not built from source code and, even further, we don't even have access
to source code for some of the non-free parts, so we cannot build it
from source code.  Is that what you intend?  I think that is a reasonable
definition (what's the point of reproducibility if you don't have source
code?), and one that I tend to agree with.  Still I cannot help but feel
it is a bit unfair to the Debian Live CD project.  Maybe there is some
compromise (but still reasonable) definition that would cover what they
do too.  Or there is simply agreement that we don't want to call that
"reproducible" since we lack source code for some of the parts.

/Simon