This repository has been archived by the owner on Feb 4, 2020. It is now read-only.

[podcast suggestion] Reproducible builds #369

Closed
lamby opened this issue Jan 22, 2016 · 4 comments
Labels
The Changelog Conversations with the hackers, leaders, and innovators of open source.

Comments

@lamby

lamby commented Jan 22, 2016

Hi!

I think it would be great to get someone into the Reproducible Builds project and give that some wider exposure given how important it is.

As a bit of background, whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.

The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process by promising identical binary packages are always generated from a given source. This protects against the installation of backdoor-introducing malware on developers' machines - an attacker would need to simultaneously infect all developers attempting to reproduce the build.

Currently only a handful of standalone projects advertise as being reproducible. Whilst admirable, expanding this to an entire operating system is necessary to avoid the underlying system becoming the weak link in the chain. Furthermore, a reproducible build has a wide variety of technical advantages, including implicitly removing non-deterministic or unsafe behaviour (such as downloading third-party code from the internet), detecting corrupted build environments, reducing time-to-detection of a build host compromise, as well as numerous other debugging and testing advantages.

Anyway, I volunteer myself, @lamby :)

@jerodsanto jerodsanto added the The Changelog Conversations with the hackers, leaders, and innovators of open source. label Jan 22, 2016
@jerodsanto
Member

@lamby I was a bit skeptical at first (would we have enough to talk about?), but upon further exploration, I think this could make a very interesting conversation, indeed. Please email editors@changelog.com and we'll get you scheduled. 💚

@jerodsanto
Member

:shipit: #237 :shipit:

@rfay

rfay commented Feb 7, 2017

And... it was awesome.

@lamby
Author

lamby commented Feb 7, 2017

Thanks @rfay !
