What is it about?
Reproducible builds are a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers.
Why does it matter?
Most aspects of software verification are done on source code, as that is what humans can reasonably understand. But most of the time, computers require software to be first built into a long string of numbers to be used. With reproducible builds, multiple parties can redo this process independently and ensure they all get exactly the same result. We can thus gain confidence that a distributed binary code is indeed coming from a given source code.
What made the recent Volkswagen emissions scandal possible is software that has been designed to lie about its sensors in a lab environment. Having the source code under public scrutiny would have made adding such a misfeature only a little more difficult. Without reproducible builds, it is hard to confirm that the binary code installed in the car was actually made using the source code that has been verified.
Several free software projects already, or will soon, provide reproducible builds.
First, the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.
Second, the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.
Third, users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.
Learn more on how to make your software build reproducibly…