"Reproducible build" definition in OpenSSF glossary

Ismael Luceno ismael at iodev.co.uk
Sun Jun 29 19:51:20 UTC 2025


On 29 June 2025 13:58:24 UTC, Leo Wandersleb <Leo at LeoWandersleb.de> wrote:
>Hi Ismael,
>
>I think we're talking past each other. Even in the OS world, binaries are distributed - through apt, snap stores, flatpak, etc. When a maintainer uploads a .deb or someone publishes a snap, those binaries need verification.

A wider definition threatens us with a chasing game we don't want to play with upstream authors.

We want people to, ideally, fix their build systems, and maintain that support going forward.

At some point it can be made a requirement; we don't expect to do any reverse engineering, and we don't want it to be an afterthought in the future.

A narrow definition keeps those problems at bay as inherently out of scope.

Binary distributions should aim for the same experience source-based distributions have been providing for 25 years; binary packages should act, more or less, like an optimisation to skip the build.

So it isn't about verifying the work of any single maintainer, but ideally a distributed check on the whole ecosystem.

Does that make sense?


More information about the rb-general mailing list