Reproducible Builds — a set of software development practices that create an independently-verifiable path from source to binary code
Update Time
2022-05-08 16:32:11

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.

Why does it matter?

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether the two correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure, as a successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to the original authors and users alike.

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising that identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a "correct" result, highlighting any deviations as suspect and worthy of scrutiny.

This ability to notice if a developer or build system has been compromised then prevents such threats or attacks from occurring in the first place, as any compromise can be quickly detected. As a result, front-liners cannot be threatened or coerced into exploiting or exposing their colleagues.

Several free software projects already, or will soon, provide reproducible builds.

How?

First, the build system needs to be made entirely deterministic: transforming a given source must always create the same result. For example, the current date and time must not be recorded, and output always has to be written in the same order.

Second, the set of tools used to perform the build, and more generally the build environment, should either be recorded or pre-defined.

Third, users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build.

Learn more about how to make your software build reproducibly…

Recent monthly reports

May 5, 2022: Reproducible Builds in April 2022
Apr 8, 2022: Reproducible Builds in March 2022
Mar 5, 2022: Reproducible Builds in February 2022
(See all reports…)

Recent news

Apr 26, 2022: Supporter spotlight: Google Open Source Security Team (GOSST)
Apr 14, 2022: Supporter spotlight: Amateur Radio Digital Communications (ARDC)
Apr 6, 2021: Supporter spotlight: Ford Foundation
(See all…)

Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. Patches welcome via our Git repository (instructions) or via our mailing list.
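The three steps above, as an added example that is not part of the original page or the project's own code: a Python script that packs the same constructed source tree from two "checkouts" with different file timestamps, once naively and once deterministically (sorted entries, modification times clamped to an assumed SOURCE_DATE_EPOCH value, normalised ownership and mode), then compares the SHA-256 digests of both archives as an independent verifier would.

```python
import hashlib, io, os, tarfile, tempfile

# Constructed sample source tree; each "checkout" below stamps the files
# with different modification times, as two developers' clones would have.
SOURCE_FILES = {"src/main.c": b"int main(void){return 0;}\n",
                "README": b"hello\n", "src/util.c": b"void f(void){}\n"}
# Assumed agreed build timestamp (the SOURCE_DATE_EPOCH convention), recorded
# with the source as the pre-defined part of the build environment (step 2).
SOURCE_DATE_EPOCH = 1_500_000_000

def populate(root, checkout_time):
    """Write SOURCE_FILES under root, giving each file a distinct mtime."""
    for i, name in enumerate(SOURCE_FILES):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(SOURCE_FILES[name])
        os.utime(path, (checkout_time + i, checkout_time + i))

def naive_build(root):
    """Step 1 violated: file and directory mtimes leak into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue()

def reproducible_build(root, source_date_epoch=SOURCE_DATE_EPOCH):
    """Step 1 honoured: sorted entries, clamped mtime, normalised ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, dirs, files in os.walk(root):
            dirs.sort()  # fixed traversal order, independent of the filesystem
            for f in sorted(files):
                full = os.path.join(dirpath, f)
                info = tar.gettarinfo(full, os.path.relpath(full, root))
                info.mtime = int(min(info.mtime, source_date_epoch))  # clamp
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def build_twice(build):
    """Step 3: rebuild from two independent checkouts and compare digests."""
    digests = []
    for checkout_time in (1_600_000_000, 1_700_000_000):
        with tempfile.TemporaryDirectory() as root:
            populate(root, checkout_time)
            digests.append(hashlib.sha256(build(root)).hexdigest())
    return digests[0] == digests[1], digests
```

Calling `build_twice(naive_build)` reports a mismatch while `build_twice(reproducible_build)` reports identical digests; a real verifier would compare its own digest against the one published by the original builder.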