"Reproducible build" definition in OpenSSF glossary

Holger Levsen holger at layer-acht.org
Fri Apr 25 11:36:11 UTC 2025


On Thu, Apr 24, 2025 at 05:38:54PM +0200, Simon Josefsson via rb-general wrote:
> I like it, but one question about the new addition of "source code":
> 
> > Reproducible builds are a set of software development practices that
> > create an independently-verifiable path from source code to build
> > artifacts (e.g., binary code) that counters attacks on the build
> > process.
> ...
> > Source code is the preferred form of the work for making modifications to it. It is usually a checkout from version control at a specific revision of a source code archive.
> 
> This implies to me that the Debian live CD is not reproducible.  It was
> not built from source code and, even further, we don't even have access
> to source code for some of the non-free parts, so we cannot build it
> from source code.  Is that what you intend?  I think that is a reasonable
> definition (what's the point of reproducibility if you don't have source
> code?), and one that I tend to agree with. Still I cannot help but feel
> it is a bit unfair to the Debian Live CD project.  Maybe there is some
> compromise (but still reasonable) definition that would cover what they
> do too.  Or there is simply agreement that we don't want to call that
> "reproducible" since we lack source code for some of the parts.

I not only think this is "unfair" to the Debian Live CD project, but
it's also breaking expectations and lived practice of the last 5 years,
which is roughly (according to my memory, it might have been 6 or 7) since when
the TAILS iso has been reproducible, built from .deb artifacts.

This is a common definition ("we rebuilt the TAILS iso and got exactly
the same .iso TAILS produced and distributes, so we reproduced the TAILS
iso") seen in the wild.

And to those (rightfully) claiming this is not purely "from source" I'd
like to remind you that we're also using binary compilers to build from source...
(and bootstrappable.org addresses this.)


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

"I know what you're thinking" used to be an idiom but now it's a business model.