Sharing certifications
How could users gain trust that a build has not been compromised by exchanging certifications attesting that they all have been able to get the same build results?
Debian is thinking of allowing multiple Debian Developers to upload signatures attesting that they have been able to reproduce a build.
The question is also related to the work lead by Ben Laurie on binary transparency. The idea is to have an append-only log similar to Certificate Transparency which could be used to authenticate binaries.
More research is required in this area to make reproducible builds more effective in detecting compromise early.
Introduction
Achieve deterministic builds
- Commandments of reproducible builds
- Variations in the build environment
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Stripping of unreproducible information
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- JVM
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
Distribute the environment
Verification
- Cryptographic checksums
- Embedded signatures
- Sharing certifications
Specifications
Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info
