"Reproducible build" definition in OpenSSF glossary
Ismael Luceno
ismael at iodev.co.uk
Wed Jul 2 14:49:35 UTC 2025
On 29/Apr/2025 11:16, Larry Doolittle wrote:
<...>
> Even if "you" don't have permission to redistribute a binary,
> and just provide a URL to download it, its hash can still be part
> of the instructions so that other people (and scripts) can confirm
> the reproducible starting conditions. Actually archiving old artifacts
> is a separate problem. IPFS? (GD&R)
Anything in the chain that is not FOSS is going to be a serious problem
for reproducibility; even permission to distribute and freely use isn't
enough, as modifications might be required in the future to ensure the
reproducibility of dependees, e.g. because of new ABIs, so it has to be
FOSS.