Commandments of reproducible builds

Commandments by the church of reproducible builds:

  1. Thou shall not record the name of thy maker nor the place of thy making (username, hostname)
  2. Thou shall not record the date nor time of thy making, unless you respect the holy SOURCE_DATE_EPOCH (SDE) spec (date+time)
  3. Thou shall not use memory without initialization or use memory addresses to decide outcomes (ASLR)
  4. Thou shall do all your work in order - not use filesystem-readdir-order nor random order of hash elements
  5. Thou shall not (gamble and) record random numbers (UUID, private/public key, hash-seed, ASLR)
  6. Thou shall only do one thing at a time or ensure races do no harm (parallelism)
  7. Thou shall not look at build machine processor capabilities (CPU)
  8. Thou shall not look at build machine benchmarks for optimizations
  9. Thou shall be careful with profile-guided-optimization for it can amplify any sin (non-determinism)
  10. Thou shall keep your workspace environment clean of timezones, locales and umasks or ensure they do no harm
  11. Thou shall allow for offline builds (aka “vendoring” as servers can be down, contents can change)
  12. If Thou publishest binaries, Thou shall take note of your build inputs
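
Commandments 1, 2, 4 and 10 applied to a single build step, packing a release tarball, as an added example that is not part of the original page. The function names and the idea of passing a simulated builder name and clock are hypothetical; the reproducible variant takes its timestamp from the `SOURCE_DATE_EPOCH` environment variable.

```python
import gzip
import hashlib
import io
import os
import tarfile


def _pack(entries, mtime, owner):
    """Write (name, bytes) pairs to a .tar.gz in memory and return its SHA-256."""
    raw = io.BytesIO()
    # filename="" and mtime= keep the file name and wall clock out of the gzip header.
    with gzip.GzipFile(filename="", fileobj=raw, mode="wb", mtime=mtime) as gz, \
            tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644               # fixed mode, independent of the umask (10)
            info.uid = info.gid = 0
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(raw.getvalue()).hexdigest()


def naive_build(files, builder, now):
    """Breaks 1, 2 and 4: records who built it, when, and in arrival order."""
    return _pack(list(files.items()), now, builder)


def reproducible_build(files, epoch=None):
    """Keeps 1, 2 and 4: no owner name, SOURCE_DATE_EPOCH time, sorted members."""
    if epoch is None:
        epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    return _pack(sorted(files.items()), epoch, "")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real project.
    sample = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}
    shuffled = dict(reversed(list(sample.items())))
    print("naive, alice:", naive_build(sample, "alice", 1700000000))
    print("naive, bob  :", naive_build(sample, "bob", 1700000060))
    print("repro, run 1:", reproducible_build(sample, 1700000000))
    print("repro, run 2:", reproducible_build(shuffled, 1700000000))
```

The two reproducible digests match each other while the naive ones do not; byte-identical output across machines also assumes the same compression library version, which is a build input to note under commandment 12.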

License: CC-BY-SA 4.0
