On 11/05/2026 at 20:25, Piotr P. Karwasz wrote:
> Agreed that once a build is reproducible, the identity of the builder no
> longer matters for trust in the binary itself. But SLSA Provenance
> still has value even for reproducible builds:
> 1. Reproducibility is a property you confirm after the fact, by
> rebuilding. SLSA Provenance lets a consumer make a trust decision
> *before* spending the cost of a rebuild, based on who built the artifact
> and how.
Reproducibility should be confirmed at release time: everyone voting
could report the hashes of the artifacts built. Or it could be verified
continuously, on each code change, by an automated process.
>> Is there a machine that already does something useful with this
>> attestation?
> Not yet, beyond verification of the SLSA attestation itself. But once
> builds start shipping with these attestations, it should be
> straightforward to build a workflow that consumes the attestation and
> reproduces the artifact automatically.
Without an actual use case this all looks like a lot of paperwork for
little benefit. I suggest keeping an eye on this standard while fixing
the reproducibility issues in our builds.
>> Capturing the build environment is a good idea, but I'd rather fix the
>> reproducibility issue caused by the timezone than document the
>> timezone used at build time.
> I'd draw the distinction slightly differently. Depending on the timezone
> doesn't make an artifact non-reproducible; it just makes it harder to
> reproduce. By definition, an artifact is reproducible if it can be
> rebuilt on a machine with *exactly* the same environment. Reducing the
> number of environment variables that matter is valuable because it
> widens the set of machines that can reproduce the build, but it isn't a
> precondition for reproducibility.
For the build environment I had the compiler and build tools in mind
more than the time settings. In Debian, timezone independence is required
for a build to be flagged as reproducible.
Emmanuel Bourg
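A worked example of the consumer workflow the thread discusses: read a SLSA v1 provenance statement, decide whether the builder is trusted before paying for a rebuild, compare the digest of a locally rebuilt artifact with the attested one, and check that the hashes reported by several release voters agree. This is added illustration, not code from the thread or from any Apache project; the builder id, artifact name, URLs and artifact bytes are constructed placeholders.

```python
import hashlib
import json

# Constructed sample: a minimal SLSA v1 provenance statement in the in-toto
# Statement format. Builder id, artifact name and URLs are placeholders.
SAMPLE_ARTIFACT = b"constructed artifact bytes\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-1.0.jar", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build/maven",   # placeholder
            "externalParameters": {"source": "https://example.invalid/repo"},
            "internalParameters": {"TZ": "UTC"},  # captured environment detail
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci"}},
    },
})

# Placeholder allow-list of builder identities the consumer trusts.
TRUSTED_BUILDERS = {"https://example.invalid/builders/ci"}


def parse_provenance(statement_json):
    """Return (builder_id, {subject_name: sha256_hex}) from a SLSA v1 statement.

    Raises ValueError for any other attestation type, so a consumer never
    silently treats an unrelated predicate as build provenance.
    """
    stmt = json.loads(statement_json)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("not an in-toto v1 Statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ValueError("not SLSA provenance v1")
    builder_id = stmt["predicate"]["runDetails"]["builder"]["id"]
    subjects = {}
    for subj in stmt["subject"]:
        sha = subj.get("digest", {}).get("sha256")
        if not sha:
            raise ValueError(f"subject {subj.get('name')!r} has no sha256 digest")
        subjects[subj["name"]] = sha.lower()
    return builder_id, subjects


def pre_rebuild_decision(statement_json, trusted_builders):
    """The 'trust before rebuilding' step: accept only a trusted builder id."""
    builder_id, _ = parse_provenance(statement_json)
    return builder_id in trusted_builders


def verify_rebuild(statement_json, rebuilt):
    """Compare the attested digests with locally rebuilt artifacts.

    `rebuilt` maps subject name -> bytes produced by the local rebuild.
    Returns {name: "match" | "mismatch" | "missing"}; a subject with no
    local rebuild is reported as missing, never counted as a match.
    """
    _, claimed = parse_provenance(statement_json)
    result = {}
    for name, sha in claimed.items():
        if name not in rebuilt:
            result[name] = "missing"
            continue
        local = hashlib.sha256(rebuilt[name]).hexdigest()
        result[name] = "match" if local == sha else "mismatch"
    return result


def vote_consensus(reports):
    """Release-time check: each voter reports a sha256 per artifact.

    `reports` maps voter -> {artifact_name: sha256_hex}. Returns
    {artifact_name: set of distinct digests}; an artifact reproduced
    consistently across voters has exactly one digest in its set.
    """
    seen = {}
    for digests in reports.values():
        for name, sha in digests.items():
            seen.setdefault(name, set()).add(sha.lower())
    return seen


if __name__ == "__main__":
    print("builder trusted:", pre_rebuild_decision(SAMPLE_STATEMENT, TRUSTED_BUILDERS))
    print(verify_rebuild(SAMPLE_STATEMENT, {"example-1.0.jar": SAMPLE_ARTIFACT}))
    print(vote_consensus({"voter-a": {"example-1.0.jar": SAMPLE_DIGEST},
                          "voter-b": {"example-1.0.jar": "0000"}}))
```

The two checks are deliberately separate: `pre_rebuild_decision` is the cheap gate the provenance enables, and `verify_rebuild` is the expensive confirmation; a consumer that only has reproducibility gets the second, a consumer with provenance can do the first without rebuilding at all.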