    Add Reproducibility as a recommendation for SLSA 3. · 5310e40a
    Mark Lodato authored
    At SLSA 3, we now recommend reproducible builds. This is not a strict
    requirement because not all builds can become reproducible, as explained
    in the text. Once we write the detailed requirements, we will likely
    want to somehow explain that reproducible should be the default, while
    still allowing individual projects to opt-out.
    The reason for adding this recommendation is to move the industry
    towards reproducibility, which is a generally useful property. By having
    it as the "default" path, most software will just go with the path of
    least resistance rather than opting out.
    Note that this does not require *verifying* the reproduction for
    security. Instead, the builder just claims that it was reproducible,
    presumably by building it twice and making sure that the output is