Sharing certifications
How could users gain trust that a build has not been compromised by exchanging certifications attesting that they all have been able to get the same build results?
Debian is thinking of allowing multiple Debian Developers to upload signatures attesting that they have been able to reproduce a build.
The question is also related to the work lead by Ben Laurie on binary transparency. The idea is to have an append-only log similar to Certificate Transparency which could be used to authenticate binaries.
More research is required in this area to make reproducible builds more effective in detecting compromise early.
Introduction
- Which problems do Reproducible Builds Solve?
- Definitions
- History
- Why reproducible builds?
- Making plans
- Academic publications
Achieve deterministic builds
- Commandments of reproducible builds
- Variations in the build environment
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Stripping of unreproducible information
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- JVM
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
Distribute the environment
Verification
- Cryptographic checksums
- Embedded signatures
- Sharing certifications