"Reproducible build" definition in OpenSSF glossary
Holger Levsen
holger at layer-acht.org
Wed Jul 2 08:49:38 UTC 2025
On Wed, Jul 02, 2025 at 09:14:19AM +0200, Simon Josefsson via rb-general wrote:
> That's not how the Debian LiveCD itself is built -- its build process
> takes prebuilt binaries. Those prebuilt binaries may or may not be
> reproducibly built, and may or may not have source code available for
> rebuilding.
funnily this is also how reproduce.debian.net works.
we don't bootstrap from tiny binary seeds which can be reviewed, so we are all
using prebuilt binaries. (where "we" means Debian, Arch Linux or eg OpenWrt...
probably also Gentoo.)
and also if we don't do what we usually call "build from source" but
merely "assemble some blobs", I do think it's a meaningful distinction
whether this process can be transparently repeated and results in the
exact same bits or not.
That said...
I'm not particularly keen on continuing this discussion here, right
now (holiday season and all that) and would rather we continue to
prepare for having this discussion at the summit, possibly by preparing
some coherent statements on wikis or some such. (=a static place, not
a mailing list post.)
(& for those affected by the current heat waves in Europe and elsewhere:
stay hydrated, stay cool!)
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Sometimes the wind comes from leeward. (Konny)