"Reproducible build" definition in OpenSSF glossary
Vagrant Cascadian
vagrant at reproducible-builds.org
Sun May 11 21:14:17 UTC 2025
On 2025-05-11, David A. Wheeler via rb-general wrote:
> I'm hoping that we now have a reasonable update of the definition of
> reproducible builds. Details here:
>
> https://salsa.debian.org/reproducible-builds/reproducible-website/-/merge_requests/178/diffs
>
> There could be endless tweaking of a definition, and that helps no one.
> I think this update is a big improvement.
First off, thanks for proposing some changes and getting the discussion
going! I do think you have suggested and curated some valuable ideas in
your proposed merge request!
> Any strong objections to merging this?
I think we need considerably more time and possibly a (semi)formal
process to think over the potential ramifications of the changes. This
is not just some grammar and typo corrections or fleshing out some new
angles on reproducible builds; it is something fundamental and essential
to our project.
We had considerable in-person discussion leading to the original
definition, and there were some very specific reasons and rationales
that I suspect may get lost with the proposed changes... probably time
to dig some of those notes up!
The definition as it stands does have some oddness when considering
things like system images, container images, etc., and I feel very mixed
about letting go of the focus on source code. Even though I do think
there is space to call some of these usefully reproducible, I very much
worry about diluting the Reproducible Builds definition too much to
accommodate them; I have the strong suspicion there will be unintended
consequences.
While I have read over the proposed changes a few times, I apologize for
not having more concrete suggestions at this time...
I do not think we have a fundamental problem with having two definitions
of what a Reproducible Build is; we have one definition:
https://reproducible-builds.org/docs/definition/
"A build is reproducible if given the same source code, build
environment and build instructions, any party can recreate bit-by-bit
identical copies of all specified artifacts.
The relevant attributes of the build environment, the build
instructions and the source code as well as the expected reproducible
artifacts are defined by the authors or distributors. The artifacts of
a build are the parts of the build results that are the desired
primary output."
The description on the front page:
https://reproducible-builds.org/
"Reproducible builds are a set of software development practices that
create an independently-verifiable path from source to binary code."
Seems to me more a description of what the Reproducible Builds project
is working on to achieve the sorts of things spelled out in the
Reproducible Builds definition. Making it more clear it is about the
project might be a good idea!
I would be much more amenable to accepting simple changes to the
description(s) and other messaging about what the project does, but I do
not want to rush changes to the Reproducible Builds definition.
live well,
vagrant
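The definition quoted in this message ("given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts") is, in practice, a test you can run. The script below is an added illustration, not part of this message or of any Reproducible Builds project code: it builds a constructed one-file "source" twice with the same instructions and compares the SHA-256 of the two outputs. The first build function embeds the wall-clock time, which is exactly the kind of ambient build-environment state the definition excludes, so the two runs differ; the second takes the timestamp from the SOURCE_DATE_EPOCH variable, making it an explicit, declared input, so the runs match. The helper names, the sample source and the one-second sleep are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the rb-general thread or the project): a minimal
# "bit-by-bit identical" reproducibility check for two toy build procedures.

# Constructed sample source: a single C file (never compiled; only copied).
SRC_CONTENT='int main(void) { return 0; }'

# hash_file FILE : SHA-256 of FILE, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_nondeterministic SRC OUT : records the wall-clock time at build time.
# Two builds run in different seconds produce different artifacts.
build_nondeterministic() {
    { printf 'built-at=%s\n' "$(date +%s)"; cat "$1"; } > "$2"
}

# build_reproducible SRC OUT : records SOURCE_DATE_EPOCH (default 0) instead.
# The timestamp is now a declared build input, so repeated builds agree.
build_reproducible() {
    { printf 'built-at=%s\n' "${SOURCE_DATE_EPOCH:-0}"; cat "$1"; } > "$2"
}

# check_reproducible BUILDFN : run BUILDFN twice from identical source in two
# scratch directories, compare the output hashes, return 0 if identical.
check_reproducible() {
    fn=$1
    work=$(mktemp -d)
    printf '%s\n' "$SRC_CONTENT" > "$work/main.c"
    mkdir "$work/a" "$work/b"
    "$fn" "$work/main.c" "$work/a/out"
    sleep 1   # assumption: force the second build into a later second
    "$fn" "$work/main.c" "$work/b/out"
    ha=$(hash_file "$work/a/out")
    hb=$(hash_file "$work/b/out")
    rm -rf "$work"
    if [ "$ha" = "$hb" ]; then
        echo "$fn: reproducible ($ha)"
        return 0
    else
        echo "$fn: NOT reproducible ($ha != $hb)"
        return 1
    fi
}

# Stand-alone run: the first check fails, the second passes.
check_reproducible build_nondeterministic || true
SOURCE_DATE_EPOCH=1700000000 check_reproducible build_reproducible
```

Note that the fix does not remove the timestamp from the artifact; it moves it from "build environment" into "build instructions" so that an independent rebuilder who is told the same SOURCE_DATE_EPOCH gets the same bytes. That is the distinction the quoted definition draws when it says the relevant attributes of the environment and instructions are defined by the authors or distributors.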