"Reproducible build" definition in OpenSSF glossary
Leo Wandersleb
Leo at LeoWandersleb.de
Sun Jun 29 12:23:56 UTC 2025
Hi all,
I've been following this thread with interest. At walletscrutiny.com, we
regularly work with reproducible builds in the context of cryptocurrency
wallets, where we verify that published binaries match what can be built from
source.
I'd like to suggest that "reproducible builds" should indeed be a broader
umbrella concept, but we need to recognize distinct categories within it:
*1. Deterministic/Designed Reproducibility*
Applications where developers intentionally implement reproducible build
practices. They avoid timestamps, use consistent build environments, etc. This is
what most of this thread has focused on.
*2. Post-hoc/Forensic Reproducibility*
Artifacts that can be reproduced even when the original author didn't
specifically design for it. At walletscrutiny.com, we often reverse-engineer
build processes, figure out the exact build environment, and successfully
reproduce binaries that were never intended to be reproducible. This is equally
valuable for security verification.
Both serve the same ultimate goal: independent verification that binaries match
their claimed source. But they represent different approaches:
* The first requires developer buy-in and careful engineering
* The second can be applied retroactively to any software, though it may
require significant detective work
In practice, we often deal with "functionally reproducible" artifacts - where
signatures or compression might differ, but all executable code and resources
are identical. For security verification purposes, this is sufficient.
I believe the definition should acknowledge both paths to reproducibility.
Something like:
"Reproducible builds encompass software development practices and verification
techniques that enable independent parties to recreate build artifacts from
source materials, whether through deliberate design for reproducibility or
through post-hoc reconstruction of build environments."
This would recognize both the important work of projects making their builds
deterministic AND the valuable security work of independently verifying builds
that weren't designed for it.
Best regards,
Leo Wandersleb
On 4/22/25 17:37, David A. Wheeler via rb-general wrote:
> The OpenSSF is building a "glossary" set (so we consistently use the
> same meaning for the same term), and I drafted a definition for "reproducible
> build"
> based on this group:
>
> https://glossary.openssf.org/reproducible-build/
>
> If there's an issue please let me know!
>
> --- David A. Wheeler
>
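As an added illustration of the "functionally reproducible" comparison described in the post above (example code written for this archive page, not tooling from walletscrutiny.com, the rb-general list, or the OpenSSF glossary): two zip-based artifacts are compared entry by entry on the hash of each entry's decompressed content, so that a difference in compression method or the presence of a signature block does not count, while any change to code or resources does. The archives are constructed inline, and the signature-file paths under `META-INF/` are an assumption modelled on the JAR/APK v1 signing layout.

```python
"""Functional-reproducibility check for zip-based artifacts (e.g. Android APKs).

Added example, not code from walletscrutiny.com or the OpenSSF. It compares two
archives on the SHA-256 of each entry's *content*, ignoring how entries were
compressed and ignoring signature files. The archives are constructed inline so
the script runs offline.
"""
import hashlib
import io
import re
import zipfile

# Entries expected to differ between a developer-signed release and an
# independent, unsigned rebuild (assumption: JAR/APK v1 signature layout).
DEFAULT_IGNORE = (
    re.compile(r"^META-INF/.*\.(RSA|DSA|EC|SF)$"),
    re.compile(r"^META-INF/MANIFEST\.MF$"),
)


def functional_fingerprint(archive: bytes, ignore=DEFAULT_IGNORE) -> dict[str, str]:
    """Map each non-ignored entry name to the SHA-256 of its decompressed content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or any(p.match(info.filename) for p in ignore):
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def compare(a: bytes, b: bytes) -> tuple[bool, dict[str, str]]:
    """Return (functionally_identical, verdict per mismatching entry).

    Verdicts: 'only in first', 'only in second', 'content differs'.
    """
    fa, fb = functional_fingerprint(a), functional_fingerprint(b)
    diffs = {}
    for name in sorted(set(fa) | set(fb)):
        if name not in fb:
            diffs[name] = "only in first"
        elif name not in fa:
            diffs[name] = "only in second"
        elif fa[name] != fb[name]:
            diffs[name] = "content differs"
    return (not diffs, diffs)


def bitwise_identical(a: bytes, b: bytes) -> bool:
    """The strict check: the whole artifact hashes the same."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_zip(entries: dict[str, bytes], compression: int) -> bytes:
    """Build an in-memory zip from constructed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample "app": a code file and a resource file.
APP = {
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "res/values/strings.xml": b"<resources><string name='app'>demo</string></resources>",
}

# Published build: deflated and carrying a (placeholder) signature block.
PUBLISHED = build_zip(
    {**APP,
     "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
     "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
     "META-INF/CERT.RSA": b"\x30\x82placeholder-pkcs7"},
    zipfile.ZIP_DEFLATED,
)
# Independent rebuild: same code and resources, stored uncompressed, unsigned.
REBUILT = build_zip(APP, zipfile.ZIP_STORED)
# A rebuild whose code differs by one byte: must not pass.
TAMPERED = build_zip(
    {**APP, "classes.dex": APP["classes.dex"][:-1] + b"\xff"}, zipfile.ZIP_STORED
)

if __name__ == "__main__":
    print("bitwise identical:     ", bitwise_identical(PUBLISHED, REBUILT))  # False
    print("functionally identical:", compare(PUBLISHED, REBUILT))            # (True, {})
    print("tampered rebuild:      ", compare(PUBLISHED, TAMPERED))
```

The strict byte-for-byte check fails for the published/rebuilt pair because of compression and the signature block, while the functional check passes; the tampered rebuild is flagged on exactly the entry that changed, which is the property a verifier needs from this weaker notion of reproducibility.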