This repository has been archived by the owner on Feb 4, 2020. It is now read-only.
[podcast suggestion] Reproducible builds #369
The Changelog
Conversations with the hackers, leaders, and innovators of open source.
Hi!
I think it would be great to get someone into the Reproducible Builds project and give that some wider exposure given how important it is.
As a bit of background, whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.
The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process by promising identical binary packages are always generated from a given source. This protects against the installation of backdoor-introducing malware on developers' machines - an attacker would need to simultaneously infect all developers attempting to reproduce the build.
Currently only a handful of standalone projects advertise as being reproducible. Whilst admirable, expanding this to an entire operating system is necessary to avoid the underlying system becoming the weak link in the chain. Furthermore, a reproducible build has a wide variety of technical advantages, including implicitly removing non-deterministic or unsafe behaviour (such as downloading third-party code from the internet), detecting corrupted build environments, reducing time-to-detection of a build host compromise, as well as numerous other debugging and testing advantages.
Anyway, I volunteer myself, @lamby :)
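The verification idea described in the issue, as an added example that is not part of the original post or of The Changelog: several independent builders package the same constructed source tree, and the build counts as reproducible only if every one of them arrives at the same digest. A build that embeds the builder's wall clock fails this check; clamping timestamps to `SOURCE_DATE_EPOCH` (the convention used by the Reproducible Builds project) and sorting the input order makes it pass. The source tree, builder names and clock values are constructed for the demo.

```python
import hashlib
import io
import os
import tarfile

# Constructed sample source tree (name -> contents), standing in for a real package.
SOURCE_TREE = {"b.txt": b"second\n", "a.txt": b"first\n"}


def build(tree, clock, reproducible):
    """Produce a tar "package" from tree.

    clock: the builder's wall-clock time in seconds since the epoch, which differs per host.
    reproducible=False embeds that clock and takes files in whatever order the source
    tree yields them; reproducible=True clamps mtime to SOURCE_DATE_EPOCH and sorts names.
    """
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    names = sorted(tree) if reproducible else list(tree)
    buf = io.BytesIO()
    # Uncompressed tar on purpose: a gzip wrapper adds its own header timestamp to normalise.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = epoch if reproducible else clock
            info.uid = info.gid = 0  # never leak the build host's account into the artifact
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def verify(tree, builders, reproducible):
    """Each builder rebuilds the same source independently; the build is reproducible
    only if all digests agree. Returns (all_match, {builder: digest})."""
    digests = {who: sha256(build(tree, clock, reproducible)) for who, clock in builders}
    return len(set(digests.values())) == 1, digests


if __name__ == "__main__":
    builders = [("dev-a", 1_500_000_000), ("dev-b", 1_500_000_060), ("ci", 1_500_003_600)]
    for mode in (False, True):
        ok, digests = verify(SOURCE_TREE, builders, mode)
        print("reproducible build" if mode else "plain build", "->", "match" if ok else "MISMATCH")
        for who, digest in digests.items():
            print(f"  {who}: {digest[:16]}")
```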