"Reproducible build" definition in OpenSSF glossary

Matthew Suozzo msuozzo at google.com
Tue Apr 29 15:55:40 UTC 2025


To throw a few logs onto the "verification" fire:

* A single example of a reproduction does not convey the ability for anyone
to do the same, even given the same exact environment. Non-determinism in
some input or in the build itself could spuriously cause a success in spite
of the build not being reproducible to another party. I think the concept
of reproducibility becomes blurry when we start considering many parties
and diverse environments and so the idea of validating the property should
reflect that.
* Whether it is practical to reproduce a build may (and, likely, will)
change over time. Build inputs / environments may become unavailable or
costly to acquire, so it may not be feasible to verify a given artifact. The
ability of someone to actively demonstrate a reproduction (maybe
"verifiable" versus "verified") seems as valuable an asset as the
point-in-time measure that's currently proposed.
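To make the first point concrete, here is an added example (not code from the email or from the OpenSSF/Reproducible Builds projects) that scores a reproducibility claim by how many distinct parties and environments obtained the reference digest, and refuses to call the build reproduced when any single (party, environment) pair produced differing outputs, since a match from a non-deterministic build may be spurious. All party names, environment labels and digests are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rebuild:
    party: str        # who performed the rebuild (constructed name)
    environment: str  # fingerprint of the build environment used
    digest: str       # digest of the artifact this rebuild produced


def assess(reference_digest, rebuilds, min_parties=2, min_environments=2):
    # Count the artifact as independently reproduced only when enough distinct
    # parties and environments obtained the reference digest AND no single
    # (party, environment) pair produced differing digests: such a pair shows
    # non-determinism, so its matches may be luck rather than reproducibility.
    seen = defaultdict(set)  # (party, environment) -> digests observed
    for r in rebuilds:
        seen[(r.party, r.environment)].add(r.digest)
    nondeterministic = sorted(k for k, v in seen.items() if len(v) > 1)
    matching = [r for r in rebuilds if r.digest == reference_digest]
    parties = sorted({r.party for r in matching})
    environments = sorted({r.environment for r in matching})
    return {
        "parties": parties,
        "environments": environments,
        "nondeterministic": nondeterministic,
        "independently_reproduced": (
            len(parties) >= min_parties
            and len(environments) >= min_environments
            and not nondeterministic
        ),
    }


REFERENCE = "sha256:constructed-reference"  # placeholder published digest

# One party, one environment: a single successful reproduction proves little.
SINGLE = [Rebuild("alice", "debian-12/gcc-12", REFERENCE)]

# Several parties and environments agree: a much stronger claim.
MULTI = SINGLE + [
    Rebuild("bob", "debian-12/gcc-12", REFERENCE),
    Rebuild("carol", "fedora-40/gcc-14", REFERENCE),
]

# Same party and environment, different output: non-determinism in the build
# or its inputs, so the earlier matches could have been spurious.
FLAKY = MULTI + [Rebuild("alice", "debian-12/gcc-12", "sha256:constructed-other")]
```

Calling `assess(REFERENCE, runs)` on each list returns a dict; only `MULTI` yields `independently_reproduced == True`, and `FLAKY` lists the inconsistent pair under `nondeterministic`.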