"Reproducible build" definition in OpenSSF glossary
Arnout Engelen
arnout at bzzt.net
Wed Jul 2 08:38:34 UTC 2025
On Wed, Jul 2, 2025, at 09:14, Simon Josefsson via rb-general wrote:
> Ismael Luceno <ismael at iodev.co.uk> writes:
> > On 30/Jun/2025 08:59, Simon Josefsson wrote:
> >> An example of 1) is the Debian Live CD situation, it is reproducibly
> >> built mostly based on previous binaries, and some of those binaries we
> >> don't have source code for and they are not freely licensed.
> >
> > So you're asking to bend common sense so you can include proprietary
> > drivers and/or firmware and call it "reproducible".
> >
> > That literally opens the door to call anything "reproducible".
> >
> > Maybe just label that as "I want to believe" builds instead.
>
> I dislike binaries that are not built from source code using tools that
> themselves were not built from source code. But I believe there are
> enough people interested in having a term for the above situation. If I
> understand Holger's description of the history correctly, the above
> situation is what we have called reproducible for many years or
> even since the start for reproducible Debian packages (that are built
> using build dependencies that have some earlier build dependency from
> seeds that have long since bit-rottened or are undistributable).
I would say "build dependenc[ies] from seeds that have long since bit-rottened or are undistributable" are part of the "build environment", not part of the "sources", so that is fine from a reproducible builds perspective (and in "bootstrappable" territory instead). Binary firmware that is embedded into the result is more tricky, though.
> My interpretation of the history is that either we make people who like
> the traditional de-facto definition of "reproducible" unhappy, or we
> make more purist theoretical people who want a rigid definition of the
> terms unhappy.
That's an interesting perspective. My own impression is that we've traditionally had a reasonable shared understanding of what we mean by 'reproducible', but that people are trying to stretch the definition too far in the 'loose' direction (e.g. "my product has Reproducible Builds, it only differs in timestamps"). That prompts us to have another look at our definitions to see if we can/should refine them, and perhaps make them more precise/nuanced/'rigid'. I like to think the 'rigid' and 'traditional' people are actually fairly closely aligned, and the shared goal is to avoid diluting the definition too far in the 'loose' direction.
Kind regards,
--
Arnout Engelen
Engelen Open Source
https://engelen.eu