"Reproducible build" definition in OpenSSF glossary

Simon Josefsson simon at josefsson.org
Wed Jul 2 07:34:26 UTC 2025


John Gilmore <gnu at toad.com> writes:

> fosslinux via rb-general <rb-general at lists.reproducible-builds.org> wrote:
>> And not everyone is convinced that reproducible builds are a priority
>> or even necessary, unfortunately. So what are we to do with this?
>> Should we just say "ok, this upstream doesn't have the desire, or
>> time, or resources to guarantee reproducible builds, therefore
>> reproducible builds for this project are a lost cause"? This seems a
>> very defeatist attitude to me.
>
> I recommend that you find a project that is more compatible with your
> own goals.  This one does seek to have maintainers of both individual
> programs, and operating systems, produce bit-for-bit reproducible
> results from human-readable source code, which end-users can easily
> verify, with automation for doing rebuilds and comparing them.

Are you saying that as intentionally excluding the Debian LiveCD from
being called reproducible?  Honest question, I'm curious about what you
(and others) actually think that the Debian LiveCD build process should
be called.

The Debian LiveCD doesn't fulfil your requirements.  It is built from
pre-built binaries, some of them cannot be rebuilt reproducibly, and
some of them we don't have source code for.  This is not a bug that
the Debian community desires to see fixed, it is encoded in the social
contract (which of course could be modified again, but that's another
discussion..).

I think the Debian LiveCD build process is reproducible enough to be
allowed to use some reproducibility term.  We've seen a lot of
fragmentation in the FOSS community over the years on fairly minor
philosophical grounds, while strongly proprietary systems like iPhone or
Windows win ground.  I'm hoping we can defragment the reproducible
build situation by inventing terminology that covers different
situations.

/Simon