OSS Reproducible
The purpose of OSS Reproducible is to analyze open source packages for semantic equivalence. We start with an existing package (for example, the NPM "left-pad" package, version 1.3.0) and try to answer the question: how accurately does the source code represent the published package?
Semantically equivalent builds give confidence that packages are derived from the source code that produced them.
A project build is semantically equivalent if its build results can either be recreated exactly (a bit-for-bit reproducible build), or if the differences between the release package and a rebuilt package are not expected to produce functional differences in normal cases.
For example, the rebuilt package might have different date/time stamps, or one might include files like .gitignore that are not in the other and would not change the execution of a program under normal circumstances.
The tool works by applying various strategies to see if it can create a semantically reproducible build.
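The classification described above, as an added illustration that is not the project's own code: two constructed packages (published and rebuilt) are represented as maps of archive path to file bytes, and a rebuild is rated exact, semantically equivalent, or different. The NON_FUNCTIONAL_FILES list and the sample file contents are assumptions for this example only.

```python
import hashlib

# Constructed sample packages for this example: each is a map of archive path
# to file bytes. Representing a package this way already drops file
# timestamps, which the description lists as a non-functional difference.
PUBLISHED = {
    "package/package.json": b'{"name":"left-pad","version":"1.3.0","main":"index.js"}\n',
    "package/index.js": b"module.exports = function leftPad(s, n, c) { /* ... */ };\n",
    "package/README.md": b"# left-pad\n",
}
# The rebuild carries one extra file that the published tarball lacks.
REBUILT = dict(PUBLISHED, **{"package/.gitignore": b"node_modules/\n"})

# Hypothetical list of files whose presence or absence is not expected to
# change program execution under normal circumstances.
NON_FUNCTIONAL_FILES = {".gitignore", ".npmignore", ".editorconfig"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_packages(published: dict, rebuilt: dict) -> dict:
    """Classify a rebuild as 'exact', 'semantically-equivalent' or 'different'.

    'exact' means every file matches bit for bit; 'semantically-equivalent'
    means the only differences are files in NON_FUNCTIONAL_FILES; anything
    else, including a changed or missing source file, is 'different'.
    """
    functional, ignored = [], []
    for path in sorted(set(published) | set(rebuilt)):
        a, b = published.get(path), rebuilt.get(path)
        if a is not None and b is not None and sha256(a) == sha256(b):
            continue  # identical content in both packages
        name = path.rsplit("/", 1)[-1]
        (ignored if name in NON_FUNCTIONAL_FILES else functional).append(path)
    if functional:
        verdict = "different"
    elif ignored:
        verdict = "semantically-equivalent"
    else:
        verdict = "exact"
    return {"verdict": verdict, "functional_diffs": functional, "ignored_diffs": ignored}


if __name__ == "__main__":
    print(compare_packages(PUBLISHED, REBUILT))
```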
For more information, see the oss-reproducible README.