"Reproducible build" definition in OpenSSF glossary

Simon Josefsson simon at josefsson.org
Wed May 7 21:25:45 UTC 2025


"David A. Wheeler via rb-general"
<rb-general at lists.reproducible-builds.org> writes:

> My thanks to the many who commented on the need to update the
> definition of "reproducible builds".
>
> I created a merge request that *attempted* to address all the comments:
> https://salsa.debian.org/reproducible-builds/reproducible-website/-/merge_requests/178/diffs

I read it and I'm happy with everything except this part:

  A build is **reproducible** if given the same build inputs, any party
                                           ^^^^^^^^^^^^^^^^^
  can recreate bit-by-bit identical copies of all specified build
  artifacts by generating them from the build inputs.

First, the term "build inputs" is not defined (as far as I can tell), so
I'm not sure exactly what you want it to mean?

Second, I don't think we want to give the impression that the exact same
build inputs are required for a reproducible build.  What I believe
matters are the outputs: if I compile a binary using GCC version X and
get the same bit-by-bit identical output as someone with GCC version Y,
then I would count that as a success.  Therefore I suggest changing the
above into:

  A build is **reproducible** if any party can recreate bit-by-bit
  identical copies of all specified build artifacts.

This came up in a quite concrete way for the Tillitis security key
firmware [1]: the Debian package builds the firmware using Clang 19 and
someone was able to reproduce it as bit-by-bit identical firmware using
Clang on ArchLinux.  At the time, it wasn't exactly the same upstream
clang version in Debian and ArchLinux, but still the output firmware
blob was the same.  Shipping the firmware without this independent
confirmation feels risky.  Bit-by-bit identical reproduction of the
firmware is critical here: the private key is derived from the firmware,
so a user gets a different private key if they move between two machines
that load different firmware blobs (and the blob is loaded after every
USB insertion).

/Simon

[1] https://packages.debian.org/trixie/tillitis-tkey-device-signer
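Worked check of the definition Simon proposes above ("any party can recreate bit-by-bit identical copies of all specified build artifacts"): an added example, not part of the message or of any Reproducible Builds tooling. The artifact bytes, party labels and the `check_reproductions` / `is_reproducible` names are constructed for illustration; the check compares outputs only, regardless of which toolchain each party used.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Verdict:
    party: str
    artifact: str
    identical: bool
    first_diff_offset: Optional[int]  # None when identical
    size_ref: int
    size_got: int

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def first_difference(a: bytes, b: bytes) -> Optional[int]:
    # Offset of the first differing byte; a length mismatch counts as a
    # difference at the end of the shorter blob. None means bit-identical.
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n

def check_reproductions(reference: Dict[str, bytes],
                        rebuilds: Dict[str, Dict[str, bytes]]) -> List[Verdict]:
    # reference: specified artifact name -> bytes from the shipping build.
    # rebuilds:  party label -> {artifact name -> bytes} from that party's
    #            independent rebuild (toolchain is deliberately not an input).
    verdicts = []
    for party, artifacts in rebuilds.items():
        for name, ref in reference.items():
            got = artifacts.get(name)
            if got is None:  # party did not produce this artifact at all
                verdicts.append(Verdict(party, name, False, 0, len(ref), 0))
                continue
            off = first_difference(ref, got)
            verdicts.append(Verdict(party, name, off is None, off, len(ref), len(got)))
    return verdicts

def is_reproducible(verdicts: List[Verdict], min_independent_parties: int = 1) -> bool:
    # Reproduced when at least N parties matched every specified artifact.
    parties = {v.party for v in verdicts}
    ok = [p for p in parties if all(v.identical for v in verdicts if v.party == p)]
    return len(ok) >= min_independent_parties

# Constructed sample: a 1 KiB "firmware blob" and three independent rebuilds,
# one of which differs by a single byte at offset 300.
FIRMWARE_REF = bytes(range(256)) * 4
REFERENCE = {"firmware.bin": FIRMWARE_REF}
REBUILDS = {
    "debian-clang": {"firmware.bin": bytes(FIRMWARE_REF)},
    "arch-clang": {"firmware.bin": bytes(FIRMWARE_REF)},
    "other-toolchain": {"firmware.bin": FIRMWARE_REF[:300] + b"\xff" + FIRMWARE_REF[301:]},
}
```

For the key-derivation case in the message, a single differing byte is enough to change the derived key, so the per-artifact offset is what a maintainer would chase first.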