"Reproducible build" definition in OpenSSF glossary
Eric Myhre
hash at exultant.us
Mon Apr 28 08:51:45 UTC 2025
On 4/27/25 10:52 PM, David A. Wheeler via rb-general wrote:
> How about replacing "source code" with "build inputs (e.g., source code)"?
> The first sentence then becomes:
>
>> Reproducible builds are a set of software development practices that create an independently-verifiable path from build inputs (e.g., source code)
>> to build artifacts (e.g., binary code) that counters attacks on the build process.
>>
I think this above is a great definition!
Specifically because it handles this (very real, very practical)
scenario so gracefully:
>> We permit higher-level builds to use build inputs
>> that are not reproducible, e.g., due to closed-source drivers, but those build inputs
>> present a higher risk since they cannot themselves be reproduced.
>>
>
... as long as there's also some language about using those
less-reproducible inputs only via some logged fixed point / snapshot of
those materials. (Probably "obvious" to us, but the sort of "obvious"
that's worth putting in the docs nonetheless.)
For a bit of historical spice:
If I recall correctly, we had considerable discussion about exactly this
bit of phrasing about "what is source, really" during the in-person time
at the summit where the current definitions were heavily workshopped.
Exactly who was holding forth on what positions fades from my
recollection... but I think a considerable amount of interest in the use
of the word "source" so prominently came from people who were interested
in what we'd now call the "bootstrappable" story. (And at the time, the
word "bootstrappable", that entire website, and so forth, had not yet
come to be!)
So, several years later, now that the "bootstrappable" story is more
established and has claimed its own set of words... maybe now an
adjustment of the definition of "reproducible" to a focus on "build
inputs" (and stepping ever so slightly aside from the debate of
"source") will be more tenable to everyone. Both stories
have happy representation now!
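The "logged fixed point / snapshot" practice discussed above, as an added example that is not part of the thread and not code from any project named in it: every build input, reproducible or not, is pinned by digest in a manifest and tagged with whether it can itself be rebuilt from source; an independent verifier then checks the inputs against that snapshot, rebuilds, and compares the artifact byte-for-byte. The input names, the toy `build()` step and the sample source and driver bytes are constructed for illustration.

```python
"""Pin build inputs to a logged snapshot and independently verify a rebuild.

Added example (not from the rb-general thread). The build step is a toy
that packs inputs into a length-prefixed image; the inputs are made up.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class BuildInput:
    """One build input. `reproducible` records whether the input can itself be
    rebuilt from source; a closed-source driver blob cannot, so it is pinned
    by digest and carried as a higher-risk input."""
    name: str
    content: bytes
    reproducible: bool


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_inputs(inputs: Iterable[BuildInput]) -> dict:
    """The logged fixed point: every input pinned by digest plus its risk class."""
    return {
        i.name: {"sha256": sha256_hex(i.content), "reproducible": i.reproducible}
        for i in inputs
    }


def check_inputs(inputs: Iterable[BuildInput], manifest: dict) -> Tuple[List[str], List[str]]:
    """Compare the inputs of this build against the snapshot.
    Returns (errors, warnings): drift or unpinned inputs are errors,
    a pinned-but-unrebuildable input is a warning."""
    errors, warnings, seen = [], [], set()
    for i in inputs:
        seen.add(i.name)
        entry = manifest.get(i.name)
        if entry is None:
            errors.append(f"{i.name}: not pinned in the snapshot")
            continue
        if entry["sha256"] != sha256_hex(i.content):
            errors.append(f"{i.name}: content differs from the pinned snapshot")
            continue
        if not entry["reproducible"]:
            warnings.append(f"{i.name}: pinned but not rebuildable from source (higher risk)")
    for name in manifest:
        if name not in seen:
            errors.append(f"{name}: pinned input missing from this build")
    return errors, warnings


def build(inputs: Iterable[BuildInput], embed_timestamp: Optional[int] = None) -> bytes:
    """Toy build step: packs inputs in sorted order so the output depends only on
    their contents. Passing a timestamp simulates the classic non-reproducible
    build defect (the artifact then varies between otherwise identical builds)."""
    out = bytearray(b"IMG1")
    if embed_timestamp is not None:
        out += embed_timestamp.to_bytes(8, "big")
    for i in sorted(inputs, key=lambda x: x.name):
        out += len(i.name).to_bytes(2, "big") + i.name.encode()
        out += len(i.content).to_bytes(4, "big") + i.content
    return bytes(out)


def verify_rebuild(inputs, manifest, published_artifact, embed_timestamp=None):
    """Independent verification: inputs must match the snapshot, and a rebuild
    must reproduce the published artifact byte-for-byte.
    Returns (ok, errors, warnings)."""
    errors, warnings = check_inputs(inputs, manifest)
    if not errors and build(inputs, embed_timestamp) != published_artifact:
        errors.append("rebuilt artifact differs from published artifact")
    return (not errors), errors, warnings


# Constructed sample inputs: one rebuildable source file, one opaque vendor blob.
SOURCE = BuildInput("src/main.c", b"int main(void){return 0;}\n", reproducible=True)
DRIVER = BuildInput("vendor/driver.bin", bytes(range(32)), reproducible=False)
INPUTS = [SOURCE, DRIVER]
MANIFEST = snapshot_inputs(INPUTS)       # what the original builder logs
ARTIFACT = build(INPUTS)                 # what the original builder publishes


def demo() -> bool:
    print(json.dumps(MANIFEST, indent=2))
    ok, errors, warnings = verify_rebuild(INPUTS, MANIFEST, ARTIFACT)
    for w in warnings:
        print("warning:", w)
    for e in errors:
        print("error:", e)
    return ok


if __name__ == "__main__":
    demo()
```

The honest verifier result for the sample is "ok, with one warning": the artifact reproduces, but the driver blob is only pinned, not rebuildable, which is exactly the higher-risk class the proposed definition calls out. A swapped driver with the same name fails as drift, and a build that embeds a timestamp fails at the artifact comparison even though every input matched.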