Reproducible Builds: Trust Building through Best Practices

Proposal
Short Form
Intermediate

Excerpt

Reproducible builds introduce best practices that enable bit-by-bit identical software builds. With identical builds, independent verification becomes achievable by individual developers, who can then publicly share those verifications with the community at large.

Description

The Reproducible Builds project fixes toolchains and code so that binaries can be independently verified as the result of compiling source code. Without verifying the connection between source code and binary software, toolchains become a tempting target to inject exploits, subverting many of the strengths of Free/Libre Open Source Software.

This talk will briefly introduce the history behind the problem, then show why reproducibility matters, walk through common issues and their fixes, and cover the tools used to identify and troubleshoot them, presenting reproducibility as a set of best practices for developing and improving software.
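To make the "bit-by-bit identical" claim and the independent-verification step concrete, here is an added example (not code from the talk or from the Reproducible Builds project). It stands in for a build with a tiny packaging step: a constructed source tree is "checked out" twice into fresh directories and packed into a .tar.gz, first the naive way and then with the usual fixes (pinned timestamps via the SOURCE_DATE_EPOCH convention, dropped uid/gid, normalized modes, a zeroed gzip header time, no absolute build path). A verifier then rebuilds from scratch and compares SHA-256 digests, which is exactly what an independent party does. The sample files, the epoch value and all function names are constructed for this example.

```python
"""Added example: a tiny "build" (packing a source tree into a .tar.gz)
done twice from two fresh checkouts, first naively and then with the
common reproducibility fixes, plus an independent verifier that rebuilds
and compares hashes. The source tree and the epoch value are constructed
for the demo and are not taken from any real project."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed sample source tree (relative path -> contents).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
    "README": b"demo project\n",
}

# Pinned reference time, following the SOURCE_DATE_EPOCH convention used by
# reproducible-builds tooling. The value itself is arbitrary (constructed).
SOURCE_DATE_EPOCH = 1500000000


def checkout(root):
    """Materialise SOURCE_TREE under root, like a fresh clone of the source."""
    for rel, data in SOURCE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def naive_build(root):
    """Typical ad-hoc packaging: whatever mtime/uid/gid the filesystem has,
    a gzip header stamped with 'now', and a BUILDINFO file that records the
    wall-clock time and the absolute build directory."""
    stamp = f"built {time.time_ns()} in {root}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        tar.add(root, arcname="project")                 # raw stat() metadata
        info = tarfile.TarInfo("project/BUILDINFO")
        info.size = len(stamp)
        info.mtime = time.time()
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def reproducible_build(root):
    """Same artefact with the usual fixes: every metadata field that leaks
    the build environment is pinned or dropped."""
    def normalize(ti):
        ti.mtime = SOURCE_DATE_EPOCH                  # no filesystem timestamps
        ti.uid = ti.gid = 0                           # no builder identity
        ti.uname = ti.gname = ""
        executable = ti.isdir() or ti.mode & 0o111
        ti.mode = 0o755 if executable else 0o644      # umask-independent modes
        return ti

    stamp = f"built {SOURCE_DATE_EPOCH}\n".encode()   # no path, no wall clock
    buf = io.BytesIO()
    # mtime=0 pins the gzip header field that would otherwise record 'now'.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            # tarfile.add walks directory entries in sorted order (Python 3.7+),
            # so entry order does not depend on the filesystem either.
            tar.add(root, arcname="project", filter=normalize)
            info = normalize(tarfile.TarInfo("project/BUILDINFO"))
            info.size = len(stamp)
            tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def independent_verification(build, rebuilds=2):
    """What a second party does: check out, build, hash, compare.
    Returns (all_identical, [digest per rebuild])."""
    digests = []
    for _ in range(rebuilds):
        with tempfile.TemporaryDirectory() as root:
            checkout(root)
            digests.append(sha256(build(root)))
    return len(set(digests)) == 1, digests


if __name__ == "__main__":
    for name, build in (("naive", naive_build), ("reproducible", reproducible_build)):
        identical, digests = independent_verification(build)
        print(f"{name:13s} identical={identical}")
        for digest in digests:
            print("   ", digest)
```

Running it prints two differing digests for the naive build and one repeated digest for the reproducible one. Comparing the two tarballs with a tool such as diffoscope would point straight at the leaked fields (mtimes, the gzip header time, the BUILDINFO path), which is the kind of troubleshooting the talk describes.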

Tags

security, best-practices

Speaking experience

This talk will be a variation of the last several I've given in the past year, focusing on the best practices and security concerns addressed by reproducible builds.

I've given links to several of the talks with video and slides below:

LibrePlanet 2017: Verifying Software Freedom with Reproducible Builds
https://media.libreplanet.org/u/libreplanet/m/verifying-software-freedom-with-reproducible-builds/
https://www.aikidev.net/~vagrantc/lp2017/

Embedded Linux Conference 2017: The Reproducible Build Zoo
https://openiotelcna2017.sched.com/event/9Iu4/the-reproducible-build-zoo-vagrant-cascadian-aikidev-llc
https://www.youtube.com/watch?v=vEqph5qWv0A

SeaGL and Scale 15x: Introduction to Reproducible Builds
https://osem.seagl.org/conference/seagl2016/program/proposal/166
https://www.socallinuxexpo.org/scale/15x/presentations/introduction-reproducible-builds
https://cascadia.aikidev.net/~vagrant/scale15x/Introduction-to-Reproducible-Builds.pdf

Debconf 16: The Many ARMed Monster of Reproducibility
http://meetings-archive.debian.net/Public/debian-meetings/2016/debconf16/The_Many_ARMed_Monster_of_Reproducibility.webm

Speaker