Provenance: Highlight reproducible build inputs as a step to reproducible outputs
Had a discussion with some of the folks who do a lot of the work on Nix and one of the things they highlighted was where you can't do reproducible outputs it still makes sense if possible to establish reproducible inputs throughout the chain.
e.g. take a hash of the source files, dependencies, build command and parameters, and any environment variables along with any other pertinent metadata as a reproducible input hash.
The above isn't necessarily going to create an output binary that is bit-for-bit reproducible but is still very useful when tracing provenance. For example if an environment variable changes in my build or if a hash of a dependency changes I know something in my build has been modified which is a good step towards fully reproducible.
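One way to compute such a reproducible input hash, as an added example that is not part of this issue or of the SLSA project's own code: every input is written into a canonical record (sorted keys, file contents replaced by their digests), the record is hashed, and two records can be diffed to name the input that moved. The sample sources, dependency digest and environment are constructed placeholders.

```python
import hashlib
import json
from typing import Dict, List


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def input_record(sources, dependencies, build_command, env) -> Dict:
    """Canonical description of every input that can influence the build."""
    return {
        "sources": {path: _sha256(content) for path, content in sources.items()},
        "dependencies": dict(dependencies),   # name -> digest of the dependency
        "build_command": list(build_command),
        "environment": dict(env),
    }


def reproducible_input_hash(record: Dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so that
    dict insertion order or pretty-printing cannot change the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return _sha256(canonical.encode("utf-8"))


def _flatten(record: Dict, prefix: str = "") -> Dict[str, str]:
    flat = {}
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(_flatten(value, path + "/"))
        else:
            flat[path] = json.dumps(value)
    return flat


def changed_inputs(old: Dict, new: Dict) -> List[str]:
    """Input paths that were added, removed or changed between two records."""
    a, b = _flatten(old), _flatten(new)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


# Constructed sample inputs (not from any real project).
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n",
           "Makefile": b"all:\n\tcc $(CFLAGS) -o app src/main.c\n"}
DEPS = {"libexample": "sha256:" + "0" * 64}   # placeholder dependency digest
COMMAND = ["make", "all"]
ENV = {"CC": "gcc", "CFLAGS": "-O2"}

if __name__ == "__main__":
    base = input_record(SOURCES, DEPS, COMMAND, ENV)
    print(reproducible_input_hash(base))
    tweaked = input_record(SOURCES, DEPS, COMMAND, {**ENV, "CFLAGS": "-O3"})
    print(changed_inputs(base, tweaked))  # ['environment/CFLAGS']
```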
Nice, I like it.
This is sensible indeed. I think it's already implicit at L3 and L4 (i.e. ephemeral and isolated builds, provenance includes build parameters at L3; parameterless and hermetic builds, provenance includes transitive dependencies at L4).
Do you think there are additional requirements needed to capture this recommendation? Or perhaps this is implementer advice?
Let me think about it for a bit.
Is it clear anywhere that provenance of dependencies means their hashes?