Collaborative Working Sessions - Distributed verification III

Evaluation criteria

Must Have

Builds must be discoverable along with useful metadata

Must scale

Reduce the build cost of reproducible everything by sharing over a pool
Tooling and infra to append multi-party reproducibility verification scale
Distributed reproducible monitoring #scale #infra

Must be be resilient against

outages
disagreements
corruption
malicious rebuilder

Must be possible to delegate trust to another party or parties in a limited controlled matter

I want to trust the published artifact because someone trustworthy reproduced it
Delegation implies recursion
Understanding web of trust
Users downloading software want to verify that the software has been built by multiple trusted people
“5 out of 7” is possibly good enough
Distributing / sharing trust
Software updater should check that the available update has been built by multiple trusted builders
I want to be able to change who I trust over time and reason about roots of trust
I should be able to list who I trust to build my software
Consensus is subjective

A rebuilder should be able to indicate what they built in a non-repudiatable way

Source and dependencies –> binary

We need to be able to identify a rebuilder securely such as with a public key

Trust and trust management requires identity

UX is essential especially for non-interested users

Making RB actionable/useful to downstream consumers
Making RB benefits easy to access for end users
Trustless binary distribution

Extra nice to have

Doing a rebuild should be accessible

Distros reproducing is silver, users reproducing is gold

There should not be properties that discourage institutional diversity in rebuilders.

Developer experience is important and developers shouldn’t be expected care for RB.

The system should be invisible to them.
Ideally, developers don’t need to update their workflows (much)
Developers shouldn’t be surprised by RB results and the system behavior, aka. understandability
As developer of a lib I want to make sure I can do a simple fix.

Nice to have

Diverse rebuilder support is desirable

Comparing rebuilder results
RB creates resilience by having free choice of build system
Diversity is a means to achieve resilience

Ideally there is a usable means to report irreproducibility possibly implicitly

Ideally closed source / secrets in software should be supported

Optional

Support for diverse build inputs would be desirable

Ideally there is a way to verify a rebuilder did work

We are proud to be sponsored by

Open Technology Fund

Sovereign Tech Agency

Follow us on Mastodon @reproducible_builds@fosstodon.org or Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info

software freedom conservancy