---
layout: event_detail
title: Defining Reproducible Builds I
event: berlin2016
order: 120
permalink: /events/berlin2016/reproduciblebuildsdefinition/
---
### What's the definition of a reproducible build?
We agree on 3 factors:
* Input - same source code.
* Output - bit by bit identical output, verifiable by a checksum. But we
need to define the output files, because a build can also generate
debugging files or other output.
* Environment - what's an environment? kernel, source tree, build path,
versions of all installed packages. discussion about trust and shipping
VMs as build environments.
We agree on saying that:
### reproducible builds is:
* bit-by-bit identical
* checksum verifiable
* specified outputs
* no specialized comparator (make stripping part of your build - output
must still be usable)
We've set up an axis to define INPUTS (source and build environments).
Axis ---- (the y-axis is "relevance", the x-axis is how hard it is to fix) * same source code * build instructions (command line) * same environment configuration, build flags * dependencies and their versions * locations where dependencies are installed * pre-existing keys ABOVE THIS LINE: Ideal reproducible build ---- BELOW THIS LINE LEFT: Minimal viable reproducible build ON THE RIGHT: these are things which should not be done * LOCALE * saved optimization metadata * build path prefix * SOURCE_EPOCH_DATE * different person building * host dependent optimization EASY -------------------------------------------------> HARD TO PIN/FIX ON THE RIGHT: these are things which are not reproducible and should not matter * other filesystem content * Signing keys * system time * readdir order * random data (/dev/random)### The ideal reproducible build * same source code * build instructions (command line) * same environment configuration, build flags * dependencies and their versions * locations where dependencies are installed