"Reproducible build" definition in OpenSSF glossary
Bernhard M. Wiedemann
bernhardout at lsmod.de
Sun Jul 13 16:30:50 UTC 2025
On 7/12/25 5:22 PM, David A. Wheeler via rb-general wrote:
>
>
>> On Jul 2, 2025, at 4:49 AM, Holger Levsen <holger at layer-acht.org> wrote:
>>
>>
>> I'm not particularly keen on continuing this discussion here, right
>> now (holiday season and all that) and would rather we continue to
>> prepare for having this discussion at the summit, possibly by preparing
>> some coherent statements on wikis or some such. (=a static place, not
>> a mailing list post.)
>
> Sadly, I don't plan to be at that summit, and I suspect others won't be able to
> be there either.
>
> To be clear: my goal is to have a *clear* definition of "reproducible builds".
> I see at least 2 options:
>
> 1. My earlier proposal, expanding the definition slightly to include what Debian does
> for its full images (to handle binary blobs).
> 2. A stricter ("original" ) definition that requires source code for what is being built.
> In that case, I think it'd be important to define some *other* term, because what Debian
> does is important & clearly related.
1. would require that one set of given build inputs always produce one
certain output - similar to a mathematical function where f(const1)=const2
2. would include 1. and require extra properties for build inputs - that
they be produced from sources - and ideally that includes all toolchain
packages (gcc, glibc) as well and transitively their respective build
inputs... and that sounds a lot like what we called "bootstrappable
builds" so far.
And when we already have this nice word for that concept that is clearly
a superset of reproducible builds, we can keep calling 1. "reproducible
builds".
Ciao
Bernhard M.
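To make option 1 concrete, here is an added Python example (not part of the thread) that models a build as a function of its inputs and checks the property Bernhard describes: the same inputs must yield bit-identical output no matter what the build environment looks like. The source files, toolchain string and environment values are constructed placeholders.

```python
import hashlib
import io
import tarfile

# Constructed inputs (hypothetical values, not from the thread): source files
# and a pinned toolchain identifier standing in for gcc/glibc versions.
SOURCES = {"main.c": b"int main(void){return 0;}\n", "util.c": b"int f(void){return 1;}\n"}
TOOLCHAIN = "gcc-14.2.0+glibc-2.40"

# Two build environments that differ in everything a build is NOT supposed to
# depend on (clock, hostname, build path). Constructed values.
ENV_A = {"time": 1700000000, "hostname": "builder-a", "path": "/build/a"}
ENV_B = {"time": 1800000000, "hostname": "builder-b", "path": "/tmp/b"}


def _compile(src: bytes, toolchain: str) -> bytes:
    # Stand-in for a compiler: output is a pure function of source and toolchain.
    return hashlib.sha256(toolchain.encode() + src).digest()


def _pack(members: dict, mtime: int) -> bytes:
    # Archive the build products; member order and timestamps are fixed by the caller.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(members):
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()


def build_leaky(sources, toolchain, env):
    """Typical irreproducible build: stamps clock, hostname and path into the output."""
    objs = {n + ".o": _compile(s, toolchain) for n, s in sources.items()}
    objs["BUILDINFO"] = f"{env['hostname']} {env['path']} {env['time']}".encode()
    return _pack(objs, mtime=env["time"])


def build_reproducible(sources, toolchain, env):
    """Same build with the leaks removed: output depends only on sources + toolchain."""
    objs = {n + ".o": _compile(s, toolchain) for n, s in sources.items()}
    objs["BUILDINFO"] = toolchain.encode()  # record the inputs, not the environment
    return _pack(objs, mtime=0)             # fixed timestamp (cf. SOURCE_DATE_EPOCH)


def is_reproducible(build, sources, toolchain, envs=(ENV_A, ENV_B)) -> bool:
    """Option 1: identical inputs must give bit-identical output across environments."""
    digests = {hashlib.sha256(build(sources, toolchain, e)).hexdigest() for e in envs}
    return len(digests) == 1
```

Changing the toolchain string changes the output of `build_reproducible`, which is the point of option 1: the toolchain is a build input, and nothing about where it came from is asserted (that is option 2 / bootstrappable builds).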