Prove bit-for-bit repeatable release builds #127

Description

@jeremi

Context

OpenSSF Best Practices silver criterion build_repeatable requires being able to regenerate information from source files and get exactly the same bit-for-bit result.

origin/main documents a repeatable-build policy and the release workflow pins source refs, a builder image, and locked dependencies, but the project does not yet publish evidence that an independent rebuild of release outputs produces byte-identical artifacts.

Scope

  • Define which release outputs are in scope for bit-for-bit rebuild verification.
  • Add or document a rebuild procedure that starts from the release tag and lockfiles.
  • Compare rebuilt outputs against published release artifacts or recorded SHA256 manifests.
  • Capture public evidence that the process succeeds, or document any remaining non-determinism.
  • Update the Best Practices submission and public docs once the proof exists.
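One way to carry out the comparison step above, as an added example that is not part of this issue or the project's own tooling: it assumes a published SHA256 manifest in `sha256sum` format, a directory of rebuilt outputs, and an exclusions file naming artifacts whose non-determinism has been documented.

```shell
#!/bin/sh
# Added example (not the project's own tooling): check a directory of rebuilt
# release outputs against the recorded SHA256 manifest of the published release.
# Assumes the manifest is in `sha256sum` format ("<hex>  <path>") with paths
# relative to the rebuild directory; an optional exclusions file lists paths
# whose non-determinism is documented and therefore not counted as failure.

verify_rebuild() {
    manifest=$1; rebuild_dir=$2; exclusions=$3
    status=0
    while read -r expected path; do
        path=${path#\*}                       # strip sha256sum's binary-mode marker
        [ -n "$path" ] || continue
        if [ -n "$exclusions" ] && grep -qxF "$path" "$exclusions"; then
            echo "EXCLUDED  $path (documented non-determinism)"
            continue
        fi
        if [ ! -f "$rebuild_dir/$path" ]; then
            echo "MISSING   $path"; status=1; continue
        fi
        actual=$(sha256sum "$rebuild_dir/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "MATCH     $path"
        else
            echo "MISMATCH  $path expected=$expected got=$actual"; status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demo: one byte-identical artifact and one that embeds a build
# timestamp. The first run treats the timestamp file as in scope (fails); the
# second run lists it as a documented exclusion (passes).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/published" "$work/rebuilt"
    printf 'release payload v1.0\n' > "$work/published/app.tar"
    printf 'release payload v1.0\n' > "$work/rebuilt/app.tar"
    printf 'built 2024-01-01T00:00:00Z\n' > "$work/published/build-info.txt"
    printf 'built 2024-01-02T09:30:00Z\n' > "$work/rebuilt/build-info.txt"
    (cd "$work/published" && sha256sum app.tar build-info.txt) > "$work/SHA256SUMS"
    : > "$work/exclusions.txt"
    if verify_rebuild "$work/SHA256SUMS" "$work/rebuilt" "$work/exclusions.txt"; then strict=0; else strict=1; fi
    echo build-info.txt > "$work/exclusions.txt"
    if verify_rebuild "$work/SHA256SUMS" "$work/rebuilt" "$work/exclusions.txt"; then relaxed=0; else relaxed=1; fi
    rm -rf "$work"
    echo "$strict $relaxed"                   # last line: "1 0"
}
```

Run `demo` to see the per-artifact report; a real rebuild would call `verify_rebuild` with the release's published `SHA256SUMS`, the rebuild directory, and the documented exclusions list, and a non-zero exit means the bit-for-bit claim is not yet proven for the agreed scope.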

Done when

  • A release can be rebuilt from source and produce byte-identical outputs for the agreed scope.
  • The verification procedure is public and repeatable by an external reviewer.
  • Any exclusions are documented clearly.

Non-goals

  • Do not claim full reproducibility based only on pinned dependencies or release workflow policy.

Metadata

Assignees

No one assigned

Labels

  • area:platform (Registry Stack platform and cross-product ownership)
  • criticality:p2 (Priority/criticality P2)
  • enhancement (New feature or request)
  • triage:roadmap (Roadmap triage)


Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests