"Reproducible build" definition in OpenSSF glossary
James Addison
jay at jp-hosting.net
Wed Jul 2 08:14:45 UTC 2025
Hi Simon,
On Wed, Jul 2, 2025, 08:26 Simon Josefsson via rb-general <rb-general at lists.reproducible-builds.org> wrote:
> "Arnout Engelen" <arnout at bzzt.net> writes:
>
> > On Tue, Jul 1, 2025, at 09:59, fosslinux via rb-general wrote:
> >> On 6/30/25 17:29, Ismael Luceno wrote:
> >> >> some set of instructions and a set of opaque "source inputs" files which
> >> >> may include previously built binaries, without any requirement that
> >> >> those previously built binaries can be rebuilt or are even free software.
> >> > That can't possibly qualify as reproducible.
> >>
> >> Any suggestions for what to call it? There is value to such work, and
> >> it is at minimum very closely related to reproducible builds.
> >
> > I think it's pretty much impossible to avoid people 'maliciously'
> > misrepresenting their product as 'reproducible' when it really isn't -
> > that doesn't seem like something tweaking the definition can fix. I do
> > think it's still useful to have precise terms so we can make the
> > distinctions clear, though.
> >
> > I agree "Reproducible Builds" as a whole means "from source to binary".
>
> That would make Debian installer CDs impossible to call reproducible,
> since they are built from binaries for which we do not have source code.
>
> [ ... snip ... ]
Does this refer to binary firmware specifically?
I would hope that we could agree that building an artifact composed partly
or entirely from 100% DFSG binary packages that are themselves reproducible
would produce a transitively reproducible build.
For closed-source binary firmware blobs, the situation does seem less
clear. They arguably can be used as fixed inputs to a build to achieve
identical bit-for-bit output -- but if I understand correctly, it raises a
question of "is complete source code to all inputs required in order to
label/certify an artifact as reproducibly buildable?".
I'm not initially sure how/whether an exception clause could be written to
allow binary inputs under some circumstances, without reducing the
effectiveness of the definition (because, for example, copying an entirely
opaque blob from one directory to another could be argued as within such a
redefinition).
Regards,
James
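The distinction drawn in the message above, between an artifact that is bit-for-bit reproducible because its opaque inputs are merely pinned by digest and one that is transitively reproducible from source, can be made concrete. The following is an added example written for this page, not code from the thread, the OpenSSF glossary, or the Reproducible Builds project. The manifest format (name, pinned sha256, and a `source_reproducible` flag) and the toy "build" (a tar archive with normalised metadata) are assumptions chosen for illustration; the input bytes are constructed stand-ins, not real object files or firmware.

```python
"""Classify what a reproducible build over pinned inputs actually proves.

Added example (not from the rb-general thread).  Assumed manifest format:
a list of entries with a name, a pinned sha256 digest and a flag saying
whether that input is itself rebuildable from source.  The "build" is a
deliberately deterministic tar packing step, so that any difference between
two builds can only come from the inputs, never from the assembly.
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins: one input that (per its manifest entry) is
# rebuildable from source, one opaque blob that is not.
INPUTS = {
    "hello.o": b"\x7fELF-constructed-object-built-from-source",
    "fw-blob.bin": b"\x00\x01\x02opaque-vendor-firmware-constructed",
}

MANIFEST = [
    {"name": "hello.o",
     "sha256": sha256_hex(INPUTS["hello.o"]),
     "source_reproducible": True},
    {"name": "fw-blob.bin",
     "sha256": sha256_hex(INPUTS["fw-blob.bin"]),
     "source_reproducible": False},
]


def verify_inputs(manifest, inputs):
    """Return the names of inputs that are missing or fail their pinned digest."""
    bad = []
    for entry in manifest:
        data = inputs.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(entry["name"])
    return bad


def classify(manifest):
    """What a matching output digest tells you, given the inputs' provenance."""
    if all(e["source_reproducible"] for e in manifest):
        return "transitively reproducible"
    # Bit-for-bit identical output only shows the assembly is deterministic;
    # nothing has been verified about the opaque inputs' contents.
    return "bit-for-bit reproducible over pinned opaque inputs"


def build(manifest, inputs):
    """Deterministic pack step: refuse mismatched inputs, then emit a tar with
    sorted entries and fixed mtime/uid/gid/mode so metadata cannot vary."""
    mismatched = verify_inputs(manifest, inputs)
    if mismatched:
        raise ValueError(f"input digest mismatch: {mismatched}")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for entry in sorted(manifest, key=lambda e: e["name"]):
            data = inputs[entry["name"]]
            ti = tarfile.TarInfo(entry["name"])
            ti.size = len(data)
            ti.mtime = 0
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = ""
            ti.mode = 0o644
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def check_reproducible(manifest, inputs):
    """Build twice and compare digests; report the reproducibility class too."""
    first = sha256_hex(build(manifest, inputs))
    second = sha256_hex(build(manifest, inputs))
    return first == second, first, classify(manifest)


if __name__ == "__main__":
    same, digest, kind = check_reproducible(MANIFEST, INPUTS)
    print(f"identical across two builds: {same}")
    print(f"output sha256: {digest}")
    print(f"claim supported by that match: {kind}")
```

Both builds produce the same digest whether or not the firmware blob has source, which is exactly why the matching digest alone cannot distinguish the two cases; the `source_reproducible` flag in the manifest is what carries the extra claim, and a tampered blob is caught only because its digest was pinned, not because anything about it was rebuilt.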