

1.2 Reproducible Builds

The current Reproducible Builds effort incubated in the Debian project (4) and was organized by Lunar. Quoting the Reproducible Builds website (5):

A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

1.2.1 Can we trust our freedom?

Now consider the opposite, that a second build of a piece of source code produces a different binary program. Upon further investigation we might find that the only difference is probably harmless: a timestamp that was embedded in the binary, or perhaps the name of the user that built it or the directory it was built in. Such investigations can be nontrivial and are highly impractical. And what if the binary difference is not so trivial and cannot be easily accounted for?
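The kind of difference described above, and what a reproducible build does about it, can be shown on a small scale. The following is an added example and not code from this manual or from the Reproducible Builds project: it packages the same constructed payload twice the way many build tools do by default (current time, builder's name and build directory all end up in the archive headers), lists exactly which header fields differ between the two results, and then shows the normalised variant, where the timestamp comes from a fixed `source_date_epoch` value (the `SOURCE_DATE_EPOCH` convention the Reproducible Builds project uses), ownership fields are cleared and members are added in sorted order, so two independent builds are bit-identical. The file names, builder names and epoch values are constructed for the example.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample build output (path -> bytes); stands in for a real package tree.
SOURCE_FILES = {
    "hello.txt": b"hello, world\n",
    "README": b"constructed sample payload\n",
}

# Tar header fields that commonly carry build-environment leakage.
HEADER_FIELDS = ("name", "mode", "uid", "gid", "uname", "gname", "mtime")


def naive_build(files, builder, build_dir, now):
    """Archive the payload as a default-configured tool would: the wall-clock time,
    the builder's login and the build directory all leak into the member headers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():  # whatever order the build happened to produce
            info = tarfile.TarInfo(name=f"{build_dir}/{name}")
            info.size = len(data)
            info.mtime = now          # current time: differs on every run
            info.uname = builder      # who built it: differs per builder
            info.gname = builder
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(files, source_date_epoch):
    """Archive the same payload with every environment-dependent field normalised."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):  # fixed ordering, independent of how the build enumerated files
            data = files[name]
            info = tarfile.TarInfo(name=f"pkg/{name}")  # build directory never recorded
            info.size = len(data)
            info.mtime = source_date_epoch  # timestamp taken from the source, not the clock
            info.uid = info.gid = 0
            info.uname = info.gname = ""    # no builder identity
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def explain_difference(archive_a, archive_b):
    """Return the sorted names of header fields (or 'content') that differ between two
    archives, member by member. An empty list means the archives agree field for field."""
    diffs = set()
    with tarfile.open(fileobj=io.BytesIO(archive_a)) as ta, \
            tarfile.open(fileobj=io.BytesIO(archive_b)) as tb:
        members_a, members_b = ta.getmembers(), tb.getmembers()
        if len(members_a) != len(members_b):
            return ["member count"]
        for ma, mb in zip(members_a, members_b):
            for field in HEADER_FIELDS:
                if getattr(ma, field) != getattr(mb, field):
                    diffs.add(field)
            if ta.extractfile(ma).read() != tb.extractfile(mb).read():
                diffs.add("content")
    return sorted(diffs)


if __name__ == "__main__":
    # Two parties build the same payload without normalisation.
    a = naive_build(SOURCE_FILES, "alice", "home/alice/pkg", int(time.time()))
    b = naive_build(SOURCE_FILES, "bob", "tmp/build-7f3a", int(time.time()) + 60)
    print("naive build A :", sha256(a))
    print("naive build B :", sha256(b))
    print("fields differing:", explain_difference(a, b))

    # The same two parties build with normalised metadata and a shared source date.
    epoch = 1_600_000_000  # constructed SOURCE_DATE_EPOCH value
    r1 = reproducible_build(SOURCE_FILES, epoch)
    r2 = reproducible_build(dict(reversed(list(SOURCE_FILES.items()))), epoch)
    print("reproducible A:", sha256(r1))
    print("reproducible B:", sha256(r2))
    print("bit-identical :", r1 == r2)
```

Running it shows the naive archives with different hashes and `['gname', 'mtime', 'name', 'uname']` as the culprits, while the two normalised archives hash identically even though the second build enumerated its files in the opposite order; the payload bytes were never in question, which is exactly why chasing such differences by hand is wasted effort compared with removing their sources.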

A piece of software that cannot be built bit-by-bit reproducibly is probably not a good community member in the world of software freedom. We think the importance of reproducibility should not be underestimated, largely because failing that precondition makes justifiable trust in the binaries provided suspect at best and downright dangerous in reality.

It becomes clear that a bit-by-bit reproducible build of all our software is essential if we value our Freedom 1.

1.2.2 An Old Idea

The idea of reproducible builds is not very new. It was implemented for GNU tools in the early 1990s (which we learned much later, in 2017). In the Debian world it was mentioned first in 2000 and then more explicitly in 2007 on debian-devel (6):

I think it would be really cool if the Debian policy required that packages could be rebuilt bit-identical from source.

Martin Uecker

Footnotes

(4)

The Debian Project

(5)

Reproducible Builds

(6)

Martin Uecker on debian-devel on bit-reproducibility
