"Reproducible build" definition in OpenSSF glossary

Holger Levsen holger at layer-acht.org
Fri Apr 25 11:30:35 UTC 2025


Hi David,

On Wed, Apr 23, 2025 at 01:30:21PM -0400, David A. Wheeler via rb-general wrote:
> This "OpenSSF" definition was copied from the two different definitions posted on the reproducible-builds.org website. The proposed OpenSSF definition attempts to combine these two DIFFERENT definitions from the reproducible-builds site, because the reproducible-builds site itself isn't consistent. These aren't "David's definitions", these are the reproducible-builds.org definitions.

thank you for clearing this up!

> The first definition is way clearer on what it *means* to be a reproducible build, and the second definition is way clearer on *why* you would want such a thing. The proposed OpenSSF definition attempts to combine these two different definitions, both formally posted on reproducible-builds.org, into a single definition. That's all.

also.
 
> I see several people complaining about this proposed OpenSSF definition, but those complaints also apply to the reproducible-builds.org website definitions. I suggest that there be a discussion about whether or not the reproducible-builds website definitions should be changed. If they are changed, then OpenSSF definitions should be reviewed to see if they should match. I don't see why the OpenSSF definitions should be seriously different from reproducible-builds.org, which is what proposers seem to be suggesting.

agreed.

Historically, https://reproducible-builds.org/docs/definition/ was there first,
like almost 10 years ago, while the definition on the frontpage was rather
recently added to have a version which more applies to the general public,
I believe.

(
 And then we realized that this is still incomprehensible to "normal people",
 and we came up with the "improving supply chain security" slogan, which very
 much hides how we do things and rather focuses on the outcome. :)
)

I do agree that having two definitions on our website is bad or sub-optimal
and would welcome patches (and/or discussions in an MR as opposed to this list,
though obviously it's great to use this list to prepare such an MR) to address
that. I also do think that https://reproducible-builds.org/docs/definition/
should have our definition because that's been a stable URL for almost 10 years.

Thanks!


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The entire society has no clue what the word freedom means in the context of
relating to the world around them. It has degenerated into "my ego first". It
is why the entire planet is dying right now.