Reproducible Builds: Trust Building through Best Practices
Reproducible builds introduce best practices that enable bit-by-bit identical software builds. With identical builds, independent verification becomes achievable by individual developers, who can then publicly share those verifications with the community at large.
The Reproducible Builds project fixes toolchains and code so that binaries can be independently verified to be the result of compiling the source code. Without verifying the connection between source code and binary, toolchains become a tempting target for injecting exploits, subverting many of the strengths of Free/Libre Open Source Software.
This talk will briefly introduce the history behind the problem, then demonstrate why reproducibility matters, cover common issues and fixes and the tools used to identify and troubleshoot them, and frame reproducibility as a set of best practices for developing and improving software.
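The core idea above, that two independent builders should get the same bytes and can check this with a hash, can be shown with a small self-contained example. The following Python is added here for illustration and is not code from the talk or from the Reproducible Builds project. It packs a constructed two-file "source tree" into a .tar.gz twice: once the naive way, where the archive embeds the wall-clock build time and whatever file order the build happened to use (two builders never agree), and once with the timestamps, ownership, permissions and file ordering normalized, using a fixed timestamp in the role of SOURCE_DATE_EPOCH (the environment variable the Reproducible Builds project specifies for this purpose; the page itself does not mention it). The `build_time` parameter is a constructed stand-in for the clock on each builder's machine so the effect is deterministic in a test.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree": path -> file contents.
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}


def build_artifact(files, build_time, source_date_epoch=None):
    """Pack `files` into a .tar.gz and return the bytes.

    build_time        -- stand-in for the wall clock on this builder's machine.
    source_date_epoch -- when None, the archive embeds build_time and the
                         caller's file order (the naive, unreproducible build);
                         when set, every timestamp is clamped to that value and
                         ownership, mode and entry order are normalized.
    """
    normalized = source_date_epoch is not None
    mtime = source_date_epoch if normalized else build_time
    names = sorted(files) if normalized else list(files)

    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            if normalized:
                # Ownership and permissions otherwise leak the builder's
                # account and umask into the output.
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))

    # The gzip header carries its own mtime field, a classic source of
    # non-reproducibility that survives even a perfectly normalized tar.
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def independent_rebuilds_agree(files, builder_times, source_date_epoch=None):
    """Simulate several independent builders (each with its own clock) and
    report whether they all produced the same digest, which is what a
    published verification would assert."""
    digests = {sha256(build_artifact(files, t, source_date_epoch)) for t in builder_times}
    return len(digests) == 1


if __name__ == "__main__":
    clocks = [1700000000, 1700003600]  # constructed: two builders, an hour apart
    print("naive builds agree:     ", independent_rebuilds_agree(SOURCE_FILES, clocks))
    print("normalized builds agree:", independent_rebuilds_agree(SOURCE_FILES, clocks, 1500000000))
```

The second run passes because every bit that depended on the build environment was either removed or pinned to a value derived from the source; the first fails even though the compiled contents are identical, which is exactly why "same source, same binary" needs toolchain fixes rather than trust.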
This talk will be a variation of the last several I've given in the past year, focusing on the best practices and security concerns addressed by reproducible builds.
I've given links to several of the talks with video and slides below:
LibrePlanet 2017: Verifying Software Freedom with Reproducible Builds
Embedded Linux Conference 2017: The Reproducible Build Zoo
SeaGL and Scale 15x: Introduction to Reproducible Builds
Debconf 16: The Many ARMed Monster of Reproducibility
Vagrant Cascadian has been a Debian developer since 2010 and involved with the Reproducible Builds project since 2015, maintaining an ARM build farm of over 20 systems rebuilding all of Debian’s 25,000 source packages.