Hi all,

I've been following this thread with interest. At walletscrutiny.com, we regularly work with reproducible builds in the context of cryptocurrency wallets, where we verify that published binaries match what can be built from source.

I'd like to suggest that "reproducible builds" should indeed be a broader umbrella concept, but we need to recognize distinct categories within it:

*1. Deterministic/Designed Reproducibility*
Applications where developers intentionally implement reproducible build practices. They avoid timestamps, use consistent build environments, etc. This is what most of this thread has focused on.

*2. Post-hoc/Forensic Reproducibility*
Artifacts that can be reproduced even when the original author didn't specifically design for it. At walletscrutiny.com, we often reverse-engineer build processes, figure out the exact build environment, and successfully reproduce binaries that were never intended to be reproducible. This is equally valuable for security verification.

Both serve the same ultimate goal: independent verification that binaries match their claimed source. But they represent different approaches:

* The first requires developer buy-in and careful engineering
* The second can be applied retroactively to any software, though it may require significant detective work

In practice, we often deal with "functionally reproducible" artifacts - where signatures or compression might differ, but all executable code and resources are identical. For security verification purposes, this is sufficient.

I believe the definition should acknowledge both paths to reproducibility. Something like:

"Reproducible builds encompass software development practices and verification techniques that enable independent parties to recreate build artifacts from source materials, whether through deliberate design for reproducibility or through post-hoc reconstruction of build environments."

This would recognize both the important work of projects making their builds deterministic AND the valuable security work of independently verifying builds that weren't designed for it.

Best regards,

Leo Wandersleb



On 4/22/25 17:37, David A. Wheeler via rb-general wrote:
The OpenSSF is building a "glossary" set (so we consistently use the
same meaning for the same term), and I drafted a definition for "reproducible build"
based on this group:

https://glossary.openssf.org/reproducible-build/

If there's an issue please let me know!

--- David A. Wheeler
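The "functionally reproducible" comparison described above, as an added example that is not part of this thread or of walletscrutiny.com's own tooling: it hashes each archive entry's decompressed content and skips the v1 signature files under META-INF/, so a published build and an unsigned rebuild that differ only in compression or signing compare equal, while any change to code or resources is reported. The sample archives, entry names and signature blob are constructed here and are assumptions.

```python
import hashlib
import io
import zipfile

# v1 (JAR-style) signature entries: expected to differ between a vendor-signed
# release and an independent rebuild, and not part of executable code.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def content_digests(archive_bytes):
    """Map entry name -> SHA-256 of its *decompressed* content, skipping
    signature files. Hashing decompressed bytes makes the check blind to
    compression method or level, which is what a 'functionally reproducible'
    artifact is allowed to differ in."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def functional_diff(published, rebuilt):
    """Sorted list of entries that differ (missing on one side or different
    decompressed content). An empty list means functionally reproducible."""
    a, b = content_digests(published), content_digests(rebuilt)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def make_archive(entries, compression, signature=None):
    """Constructed sample archive standing in for an APK (assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signature is not None:  # add a fake v1 signature block
            zf.writestr("META-INF/CERT.RSA", signature)
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed inputs: identical code and resources, different packaging.
CODE = {"classes.dex": b"dex\n035\x00" + b"\x00" * 64, "res/values.xml": b"<resources/>"}
PUBLISHED = make_archive(CODE, zipfile.ZIP_DEFLATED, signature=b"vendor-signature-blob")
REBUILT = make_archive(CODE, zipfile.ZIP_STORED)  # unsigned, stored instead of deflated
TAMPERED = make_archive({**CODE, "classes.dex": CODE["classes.dex"] + b"\x90"}, zipfile.ZIP_STORED)

if __name__ == "__main__":
    print("raw bytes equal      :", PUBLISHED == REBUILT)
    print("published vs rebuilt :", functional_diff(PUBLISHED, REBUILT) or "functionally identical")
    print("published vs tampered:", functional_diff(PUBLISHED, TAMPERED))
```

Real APKs also carry v2/v3 signatures in the APK Signing Block, which is not a zip entry, so this entry-level comparison does not need to exclude them; it also deliberately does not ignore anything outside META-INF/.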
