Context
OpenSSF Best Practices silver criterion build_repeatable requires being able to regenerate information from source files and get exactly the same bit-for-bit result.
origin/main documents a repeatable-build policy, and the release workflow pins source refs, a builder image, and locked dependencies, but the project does not yet publish evidence that an independent rebuild of release outputs produces byte-identical artifacts.
Scope
- Define which release outputs are in scope for bit-for-bit rebuild verification.
- Add or document a rebuild procedure that starts from the release tag and lockfiles.
- Compare rebuilt outputs against published release artifacts or recorded SHA256 manifests.
- Capture public evidence that the process succeeds, or document any remaining non-determinism.
- Update the Best Practices submission and public docs once the proof exists.
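As an added illustration of the comparison step above (example code, not the project's own tooling): a POSIX shell check that verifies a rebuild directory against a recorded SHA256 manifest and reports which artifacts match, differ, are missing, or are unlisted. The manifest format (sha256sum style), the artifact names, and the constructed fixture are assumptions.

```shell
#!/bin/sh
# Added example, not project code: compare a rebuild against a recorded SHA256 manifest.
# Assumed manifest format: one "<sha256>  <relative path>" line per artifact (sha256sum style).

# Print the SHA256 of one file; assumes sha256sum or shasum is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_rebuild MANIFEST DIR: check every artifact listed in MANIFEST against DIR.
# Prints MATCH / MISMATCH / MISSING per listed artifact and EXTRA for unlisted files;
# returns 0 only when every listed artifact is byte-identical and nothing is unlisted.
verify_rebuild() {
  manifest=$1; dir=$2; problems=0
  while read -r want path; do
    [ -n "$path" ] || continue
    if [ ! -f "$dir/$path" ]; then echo "MISSING   $path"; problems=$((problems+1))
    elif [ "$(sha256_of "$dir/$path")" = "$want" ]; then echo "MATCH     $path"
    else echo "MISMATCH  $path"; problems=$((problems+1)); fi
  done < "$manifest"
  # Rebuilt files absent from the manifest are unverified output, so flag them too.
  for f in $(cd "$dir" && find . -type f | sed 's|^\./||'); do
    awk -v p="$f" '$2 == p { ok = 1 } END { exit ok ? 0 : 1 }' "$manifest" \
      || { echo "EXTRA     $f"; problems=$((problems+1)); }
  done
  [ "$problems" -eq 0 ]
}

# Constructed fixture (not real release data): a "published" release with its manifest,
# and a rebuild in which one artifact differs because a build timestamp leaked into it.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/published" "$root/rebuilt"
  printf 'binary payload v1.2.0\n' > "$root/published/app-linux-amd64"
  printf 'sbom for v1.2.0\n' > "$root/published/sbom.json"
  (cd "$root/published" && for f in *; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done) \
    > "$root/SHA256SUMS"
  cp "$root/published/app-linux-amd64" "$root/rebuilt/"
  printf 'sbom for v1.2.0 built 2024-01-01T00:00:00Z\n' > "$root/rebuilt/sbom.json"
  echo "$root"
}

# Stand-alone run: sbom.json is reported as MISMATCH, so the rebuild is not byte-identical.
fixture=$(make_fixture)
verify_rebuild "$fixture/SHA256SUMS" "$fixture/rebuilt" || echo "rebuild is NOT byte-identical"
```

A MISMATCH line is the starting point for documenting remaining non-determinism; a clean run over the agreed scope is the evidence the issue asks for.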
Done when
- A release can be rebuilt from source and produce byte-identical outputs for the agreed scope.
- The verification procedure is public and repeatable by an external reviewer.
- Any exclusions are documented clearly.
Non-goals
- Do not claim full reproducibility based only on pinned dependencies or release workflow policy.