Hi David and list,
In light of the recent discussion surrounding what "reproducibility" of the Debian ISO images means, and the further
sub-discussion about what one should treat as "source code", I would suggest modifying "A build is reproducible if given
the same source code, build environment and build instructions any party can recreate bit-by-bit identical copies of all
specified artifacts." to something like
"A build is reproducible if given the same build environment and identified set of source material, any party can
recreate bit-by-bit identical copies of all specified artifacts, by following build instructions operating on the source
material within the build environment."
Perhaps with some note that "in most cases, this identified set of source material should be the original source code of
the artifacts".
I'm uncertain that the definition as it stands provides any clarity around the work on the Debian ISO images in making
them reproducible from binary packages - clearly they have some status - but should they be called "reproducible", or
something else?
Kind regards,
Samuel Tyler
On 4/23/25 01:37, David A. Wheeler via rb-general wrote:
The OpenSSF is building a "glossary" set (so we consistently use the
same meaning for the same term), and I drafted a definition for "reproducible build"
based on this group:
https://glossary.openssf.org/reproducible-build/
If there's an issue please let me know!
--- David A. Wheeler
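As an added illustration that is not part of the thread, the Python below models the three ingredients the proposed wording separates: an identified set of source material, a build environment, and build instructions that operate on the material within that environment. Two parties rebuild under deliberately different environments, as reproducible-builds.org's testing does, and the result is "reproducible" only when the artifacts are bit-for-bit identical; all paths, environment keys and values are constructed.

```python
import hashlib
import io
import tarfile

# Constructed "identified set of source material" (path -> bytes). Whether these are source
# files or already-built binary packages, as with the Debian ISOs, the check below is the same.
SOURCE_MATERIAL = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "share/doc/README": b"Hello, reproducible world.\n",
}

# Two builders whose environments differ only in clock and account name (constructed values).
PARTY_A = {"clock": 1700000000, "user": "buildd"}
PARTY_B = {"clock": 1700003600, "user": "samuel"}
PIN = {"SOURCE_DATE_EPOCH": "1700000000"}   # build instruction that pins the embedded time

def identify_source(material):
    """Stable identifier for the source material: SHA-256 over a sorted manifest of hashes."""
    h = hashlib.sha256()
    for path in sorted(material):
        h.update(path.encode() + b"\0" + hashlib.sha256(material[path]).digest())
    return h.hexdigest()

def build(material, env):
    """Build instructions: pack the material into a tar archive and return its bytes. Unless
    SOURCE_DATE_EPOCH is set, the archive records the builder's clock and user name."""
    pinned = "SOURCE_DATE_EPOCH" in env
    mtime = int(env["SOURCE_DATE_EPOCH"]) if pinned else env["clock"]
    owner = "" if pinned else env["user"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(material):            # fixed order, never filesystem order
            info = tarfile.TarInfo(path)
            info.size = len(material[path])
            info.mtime = mtime
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(material[path]))
    return buf.getvalue()

def independently_rebuilt(material, env_a, env_b):
    """Two parties rebuild from the same identified source material. Reproducible in the
    definition's sense means their artifacts hash identically (bit-for-bit equal)."""
    digest_a = hashlib.sha256(build(material, env_a)).hexdigest()
    digest_b = hashlib.sha256(build(material, env_b)).hexdigest()
    return {"source": identify_source(material), "a": digest_a, "b": digest_b,
            "reproducible": digest_a == digest_b}

if __name__ == "__main__":
    print("unpinned:", independently_rebuilt(SOURCE_MATERIAL, PARTY_A, PARTY_B)["reproducible"])
    print("pinned:  ", independently_rebuilt(SOURCE_MATERIAL, {**PARTY_A, **PIN},
                                             {**PARTY_B, **PIN})["reproducible"])
```

The unpinned run differs because the artifact captured the environment's clock and account; once the instructions pin those inputs, the same identified source material yields the same bytes for both parties.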