"Reproducible build" definition in OpenSSF glossary

Holger Levsen holger at layer-acht.org
Fri Jun 27 15:52:20 UTC 2025


Hi,

reviving an old thread... :)

On Sun, May 11, 2025 at 02:14:17PM -0700, Vagrant Cascadian wrote:
> On 2025-05-11, David A. Wheeler via rb-general wrote:
> > I'm hoping that we now have a reasonable update of the definition of
> > reproducible builds. Details here:
> > https://salsa.debian.org/reproducible-builds/reproducible-website/-/merge_requests/178/diffs
> First off, thanks for proposing some changes and getting the discussion
> going! I do think you have suggested and curated some valuable ideas in
> your proposed merge request!

yes, indeed!
 
> > Any strong objections to merging this?
> I think we need considerably more time and possibly a (semi)formal
> process to think over the potential ramifications of the changes. This
> is not just some grammar and typo corrections or fleshing out some new
> angles on reproducible builds; it is something fundamental and essential
> to our project.

indeed.

> We had considerable in-person discussion leading to the original
> definition, and there were some very specific reasons and rationales
> that I suspect may get lost with the proposed changes... probably time
> to dig some of those notes up!
> 
> The definition as it stands does have some oddness when considering
> things like system images, container images, etc. and I feel very mixed
> about letting go of the focus on source code, even though I do think
> there is space to call some of these usefully reproducible, I very much
> worry about diluting the Reproducible Builds definition too much to
> accommodate them; I have the strong suspicion there will be unintended
> consequences.

again: indeed!

> While I have read over the proposed changes a few times, I apologize for
> not having more concrete suggestions at this time...
> 
> 
> I do not think we have a fundamental problem with having two definitions
> of what a Reproducible Build is; we have one definition:
> 
>   https://reproducible-builds.org/docs/definition/
> 
>   "A build is reproducible if given the same source code, build
>   environment and build instructions, any party can recreate bit-by-bit
>   identical copies of all specified artifacts.
> 
>   The relevant attributes of the build environment, the build
>   instructions and the source code as well as the expected reproducible
>   artifacts are defined by the authors or distributors. The artifacts of
>   a build are the parts of the build results that are the desired
>   primary output."
> 
> The description on the front page:
> 
>   https://reproducible-builds.org/
>   
>   "Reproducible builds are a set of software development practices that
>   create an independently-verifiable path from source to binary code."
> 
> Seems to me more a description of what the Reproducible Builds project
> is working on to achieve the sorts of things spelled out in the
> Reproducible Builds definition. Making it more clear it is about the
> project might be a good idea!

100% 

> I would be much more amenable to accepting simple changes to the
> description(s) and other messaging about what the project does, but I do
> not want to rush changes to the Reproducible Builds definition.

agreed.

All that said (mostly by quoting :) I think we should have a session
about this at the upcoming summit in Vienna end of October 2025, and
for this I think it would be beneficial to do the other changes (e.g.
the description on the front page, etc.) as suggested to our website
(but not to the definition) before that, so that we can focus on the
definition during the summit.

does that sound sound? Should I add this comment to MR178 as well?


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

Bottled water companies don't produce water, they produce plastic bottles.
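The "bit-by-bit identical copies" test in the definition quoted above, as an added example that is not code from the Reproducible Builds project or from anyone on this thread: a toy build that leaks its environment into the artifact (wall-clock mtimes, a random build id, gzip's default header timestamp) next to the same build with those inputs pinned or removed, plus a checker that rebuilds from the same source, environment and instructions and compares SHA-256 digests. SOURCE_TREE, the two build functions and the helper names are constructed for illustration; SOURCE_DATE_EPOCH is the real convention the project documents.

```python
import gzip
import hashlib
import io
import os
import tarfile
import time

# Constructed sample "source tree" (not a real package): path -> contents.
SOURCE_TREE = {
    "pkg/src/main.c": b"int main(void) { return 0; }\n",
    "pkg/README": b"demo package\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _pack(members, mtime: int) -> bytes:
    """Write (name, content) pairs as an uncompressed tar with fixed
    ownership fields and the given mtime on every member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, content in members:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_unstable(source: dict, env: dict) -> bytes:
    """Toy build (hypothetical) that leaks its environment into the
    artifact: wall-clock mtimes, a random build id, and gzip's default
    header timestamp. Two runs never produce identical bytes."""
    members = list(source.items())
    members.append(("pkg/BUILD_ID", os.urandom(8).hex().encode() + b"\n"))
    tar_bytes = _pack(members, mtime=int(time.time()))
    return gzip.compress(tar_bytes)  # gzip header mtime defaults to "now"


def build_stable(source: dict, env: dict) -> bytes:
    """Same toy build with the usual fixes: every environment-dependent
    input is removed or pinned to a value the authors declare, here via
    SOURCE_DATE_EPOCH (https://reproducible-builds.org/docs/source-date-epoch/)."""
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    members = sorted(source.items())  # stable member order
    # Build id derived from the inputs instead of from randomness.
    build_id = sha256(b"".join(n.encode() + c for n, c in members))[:16]
    members.append(("pkg/BUILD_ID", build_id.encode() + b"\n"))
    tar_bytes = _pack(members, mtime=epoch)
    return gzip.compress(tar_bytes, mtime=epoch)  # pin the gzip header time too


def is_reproducible(build, source: dict, env: dict, runs: int = 3) -> bool:
    """Apply the definition's test: build repeatedly from the same source,
    environment and instructions and require bit-identical artifacts."""
    digests = {sha256(build(source, env)) for _ in range(runs)}
    return len(digests) == 1


def differing_members(a: bytes, b: bytes) -> list:
    """Name the tar members whose mtime or content differs between two
    artifacts, to explain *why* a build is not reproducible."""
    def listing(blob):
        raw = io.BytesIO(gzip.decompress(blob))
        with tarfile.open(fileobj=raw, mode="r:") as tar:
            return {m.name: (m.mtime, tar.extractfile(m).read())
                    for m in tar.getmembers()}
    la, lb = listing(a), listing(b)
    return sorted(n for n in la.keys() | lb.keys() if la.get(n) != lb.get(n))


if __name__ == "__main__":
    env = {"SOURCE_DATE_EPOCH": "1700000000"}
    print("unstable reproducible:", is_reproducible(build_unstable, SOURCE_TREE, {}))
    print("stable reproducible:  ", is_reproducible(build_stable, SOURCE_TREE, env))
    a, b = build_unstable(SOURCE_TREE, {}), build_unstable(SOURCE_TREE, {})
    print("unstable differs in:  ", differing_members(a, b))
```

Note that the stable build still depends on the declared environment: changing SOURCE_DATE_EPOCH changes the artifact, which is exactly the "relevant attributes of the build environment ... are defined by the authors or distributors" clause of the definition, and a rebuilder must be told that value to reproduce the artifact.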