"Reproducible build" definition in OpenSSF glossary
Ismael Luceno
ismael at iodev.co.uk
Mon Jun 30 07:29:48 UTC 2025
On 30/Jun/2025 08:59, Simon Josefsson wrote:
<...>
> When (re-)building the Debian LiveCD the "source code" is mostly
> previously built binary packages.
No, the source would be the source of every single binary, plus the
ensemble and the steps to package it together at each level, like a
matryoshka.
<...>
> some set of instructions and a set of opaque "source inputs" files which
> may include previously built binaries, without any requirement that
> those previously built binaries can be rebuilt or are even free software.
That can't possibly qualify as reproducible.
> An example of 1) is the Debian Live CD situation: it is reproducibly
> built mostly based on previous binaries, and some of those binaries we
> don't have source code for and they are not freely licensed.
So you're asking to bend common sense so you can include proprietary
drivers and/or firmware and call it "reproducible".
That literally opens the door to call anything "reproducible".
Maybe just label that as "I want to believe" builds instead.
<...>
Anyway, a lot of clarification is in order.
> I don't think 2) necessarily requires recursive transitive closure of
> the same requirement on all of the build inputs. There are at least two
> terms covering that additional requirement: A) "bootstrappable build",
> which recursively rebuilds things bit-by-bit identical back to a small
> seed using earlier versions of software, and B) "idempotent rebuild",
> which recursively bit-by-bit identically rebuilds things using the latest
> version of all involved tools. Guix has proved A) is possible, but I'm
> not aware of any proof that B) is possible with any modern non-trivial
> OS.
B would impose impractical implementation restrictions on the tools,
but maybe a slightly weaker guarantee would be possible: keep track
of a version of each involved package, check against that one, and if
that works, create a derivative with the latest versions, which then
automatically gets submitted somewhere for voting; if a threshold of
agreement is reached, the new derivative can be automatically promoted
as the new base for checking.
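The check-then-vote-then-promote scheme sketched in the reply above, as an added Python model that is not part of the thread or of any rb-general tooling. The data model (a baseline of pinned package versions plus the output hash rebuilders agreed on, one attestation per builder, a vote threshold) and all package names, versions and hashes are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    """Pinned version of every involved package plus the agreed output hash."""
    versions: tuple        # ((package, version), ...), sorted; see pin()
    output_hash: str

@dataclass(frozen=True)
class Attestation:
    """One builder's claim: with these pinned versions I got this hash."""
    builder: str
    versions: tuple
    output_hash: str

def pin(versions):
    return tuple(sorted(versions.items()))   # comparable, hashable form

def matches_baseline(baseline, attestation):
    """Step 1: exactly the pinned versions, and the recorded hash reproduced."""
    return (attestation.versions == baseline.versions
            and attestation.output_hash == baseline.output_hash)

def promote(latest, attestations, threshold):
    """Steps 2-3: return the derivative pinned to `latest` as the new Baseline
    once `threshold` distinct builders agree on one output hash, else None."""
    target = pin(latest)
    votes = {}                      # output_hash -> set of builder names
    for a in attestations:
        if a.versions == target:    # builds against other versions are not votes
            votes.setdefault(a.output_hash, set()).add(a.builder)
    for output_hash, builders in votes.items():
        if len(builders) >= threshold:          # one vote per builder: repeated
            return Baseline(target, output_hash)  # submissions don't count twice
    return None

# Constructed sample data: package names, versions and hashes are made up.
BASE = Baseline(pin({"gcc": "13.2", "glibc": "2.39"}), "h-base")
LATEST = {"gcc": "14.1", "glibc": "2.40"}
VOTES = [Attestation("alice", pin(LATEST), "h-new"),
         Attestation("bob", pin(LATEST), "h-new"),
         Attestation("bob", pin(LATEST), "h-new"),       # duplicate, counted once
         Attestation("carol", pin(LATEST), "h-other")]   # disagreeing rebuild

def demo(my_hash="h-base"):
    """Verify my own rebuild of the base first; only then take part in voting."""
    if not matches_baseline(BASE, Attestation("me", BASE.versions, my_hash)):
        return None     # my toolchain does not reproduce the base: stop here
    return promote(LATEST, VOTES, threshold=2)
```

Counting distinct builders rather than submissions is what keeps a single builder, honest or not, from reaching the threshold alone; a disagreeing rebuild simply fails to join the winning set rather than blocking promotion.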