Debian’s docs have a great description of what it takes to make reproducible builds; I wanted to record it here so it’s easier for me to find it in the future.

  1. The build system needs to be entirely deterministic, so date and time must not be recorded. Output always has to be written in the same order.

  2. The tools used for the build and the build environment need to be recorded or pre-defined.

  3. Users should be given a way to recreate a close-enough build environment and verify that build output matches the original build.
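
As an added illustration of points 1 and 3 (this code is not from Debian's docs or the original post), the sketch below packs a source tree into a tar archive with sorted entries and normalized metadata, then verifies a rebuild against a published digest. The fixed timestamp, file names, and function names are assumptions made for the example.

```python
import hashlib, io, os, tarfile, tempfile

SOURCE_DATE_EPOCH = 1_700_000_000  # assumed fixed timestamp, pinned in the build recipe

def _normalize(info):
    """Strip metadata that varies between machines and runs."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.mode & 0o100 else 0o644
    return info

def build(src_dir, reproducible=True):
    """Pack src_dir into a tar archive and return its SHA-256 hex digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            if reproducible:
                dirs.sort()   # in-place sort fixes the traversal order
                files.sort()  # output is always written in the same order
            for name in files:
                path = os.path.join(root, name)
                arcname = os.path.relpath(path, src_dir)
                tar.add(path, arcname=arcname,
                        filter=_normalize if reproducible else None)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def verify(src_dir, published_digest):
    """What a user does: rebuild independently and compare with the original."""
    return build(src_dir) == published_digest

def make_checkout(mtime):
    """Constructed sample tree; mtime simulates a checkout made at another time."""
    d = tempfile.mkdtemp()
    for name, data in (("b.txt", b"world\n"), ("a.txt", b"hello\n")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))
    return d

if __name__ == "__main__":
    original = make_checkout(1_600_000_000)
    rebuild = make_checkout(1_650_000_000)
    print("naive builds match:       ",
          build(original, False) == build(rebuild, False))
    print("reproducible builds match:", verify(rebuild, build(original)))
```

The naive build embeds each file's on-disk modification time and owner, so two checkouts of identical content hash differently; the normalized build does not.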

It’s really easy to take good processes like these for granted when they’re already implemented at the company you work for.