Reproducible Builds for Trustworthy Binaries


Playlists: 'MCH2022' videos starting here / audio

Reproducible Builds is a technique that can be used to secure the software delivery pipeline.

For open source software, they even allow independently auditing published binaries, removing a single point of trust from the distribution process. This can be used by individual projects or even complete Linux distributions.

The software delivery pipeline is an increasingly popular attack vector: even when your project source code is known-good (audited), an attacker can inject malware by gaining access to the machine used to build (and sign) the binaries.

Reproducible Builds provides a mechanism to counter such attacks: by building the same source code on independently-administered machines and comparing their outcome.

Several Linux distributions (Debian, Arch, openSUSE, NixOS, OpenWrt, ...) are working towards using Reproducible Builds to make their binary packages independently verifiable, but also individual projects use it to verify their deliverables. This talk will give an overview of progress, results and next steps.