"Reproducible build" definition in OpenSSF glossary
Nicolas Vigier
boklm at mars-attacks.org
Fri May 16 11:10:40 UTC 2025
On Fri, 16 May 2025, Simon Josefsson via rb-general wrote:
> "David A. Wheeler via rb-general"
> <rb-general at lists.reproducible-builds.org> writes:
>
> >> On May 11, 2025, at 5:14 PM, Vagrant Cascadian <vagrant at reproducible-builds.org> wrote:
> >> The definition as it stands does have some oddness when considering
> >> things like system images, container images, etc. and I feel very mixed
> >> about letting go of the focus on source code, even though I do think
> >> there is space to call some of these usefully reproducible, I very much
> >> worry about diluting the Reproducible Builds definition too much to
> >> accommodate them; I have the strong suspicion there will be unintended
> >> consequences.
> >
> > Do others also have that concern?
> >
> > If so, there's a simple solution: Use the two original definitions
> > of reproducible builds (combined so they don't conflict) that *require*
> > source code, and provide a new term for the case where you don't necessarily
> > have source code (for the Debian ISO case). I suggest calling these
> > "regeneratable builds" and make it clear that these two ideas are
> > very similar but not *exactly* the same.
> >
> > Would that be better?
>
> I think it would help to have different terms for these two concepts.
I think these two concepts are actually the same concept, but with
variable depth in which the inputs are rebuilt. It's almost always
possible to go deeper in rebuilding the inputs (rebuilding the
compilers, the OS, the hardware, etc ...), to get more guarantees, but
for practical reasons you have to stop somewhere, to concentrate on the
part of the build process that you care most about.
I feel rebuilding a deb package or a system image to check that it's
reproducible is the same concept, the difference being that you focus on
a different step of the build process, ignoring some of the previous
steps leading to that. I think something important might be to indicate
which part of the build process is covered, when talking about something
being a reproducible build, but I'm not sure we need different terms for
that. I think a term like "regeneratable builds" does not make it very
clear which part of the build process is covered.
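A toy illustration of the "variable depth" idea in the message above, added here as an example and not code from the thread or from the Reproducible Builds project: a three-stage pipeline (the stage names "compile", "package", "image" and the deterministic stand-in functions are constructed assumptions) can be re-verified from source or only from a later stage, and the report states which stages were actually rebuilt and which inputs (toolchain, or an intermediate artifact) were taken as given by hash. The same check passes at shallow depth and fails at full depth when an intermediate artifact was produced non-reproducibly.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inputs for the toy pipeline (hypothetical, not a real toolchain).
SOURCE = b"int main(void) { return 0; }\n"   # constructed source input
TOOLCHAIN = b"toy-cc 1.0"                     # constructed toolchain identity


def digest(data: bytes) -> str:
    """SHA-256 hex digest used to identify every artifact and assumed input."""
    return hashlib.sha256(data).hexdigest()


# Each stage is a pure function of the previous stage's output, so rebuilding
# it from the same input is deterministic. Stage names are assumptions.
def compile_stage(src: bytes) -> bytes:
    return b"OBJ:" + digest(TOOLCHAIN + src).encode()


def package_stage(obj: bytes) -> bytes:
    return b"DEB:" + digest(obj).encode()


def image_stage(deb: bytes) -> bytes:
    return b"ISO:" + digest(deb).encode()


PIPELINE: List[Tuple[str, Callable[[bytes], bytes]]] = [
    ("compile", compile_stage),
    ("package", package_stage),
    ("image", image_stage),
]


def full_build(src: bytes = SOURCE) -> Dict[str, bytes]:
    """Run every stage from source; return the artifact produced by each stage."""
    artifacts: Dict[str, bytes] = {}
    data = src
    for name, fn in PIPELINE:
        data = fn(data)
        artifacts[name] = data
    return artifacts


def verify(claimed: Dict[str, bytes], start_after: Optional[str],
           src: bytes = SOURCE) -> dict:
    """Rebuild from a chosen depth and compare against the claimed artifacts.

    start_after=None rebuilds everything from source (the deepest check here).
    start_after="package" takes the claimed package as given and rebuilds only
    the image, i.e. a shallower check that covers one step of the process.
    The report records which stages were re-verified ("covered") and which
    inputs were assumed rather than rebuilt ("assumed", identified by hash).
    """
    names = [n for n, _ in PIPELINE]
    # The toolchain is never rebuilt in this toy: every depth assumes it.
    assumed = {"toolchain": digest(TOOLCHAIN)}
    if start_after is None:
        start_idx = 0
        data = src
        assumed["source"] = digest(src)
    else:
        start_idx = names.index(start_after) + 1
        data = claimed[start_after]
        assumed[start_after] = digest(data)
    covered: List[str] = []
    mismatches: List[str] = []
    for name, fn in PIPELINE[start_idx:]:
        data = fn(data)
        covered.append(name)
        if data != claimed[name]:
            mismatches.append(name)
    return {
        "covered": covered,
        "assumed": assumed,
        "mismatches": mismatches,
        "reproducible": not mismatches,
    }


if __name__ == "__main__":
    good = full_build()
    # Constructed failure: the package step was non-deterministic upstream,
    # and the image was then built from that package.
    bad = dict(good)
    bad["package"] = b"DEB:built-with-embedded-timestamp"
    bad["image"] = image_stage(bad["package"])
    print("shallow check (image only):", verify(bad, "package"))
    print("deep check (from source):  ", verify(bad, None))
```

The shallow check reports the image as reproducible with the package listed under "assumed", while the deep check flags both "package" and "image"; printing the "covered" and "assumed" sets alongside the verdict is one way to state which part of the build process a reproducibility claim actually covers.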