Reproducible Builds for Debian

Cite

FOSDEM VZW

Bobbio, Jérémy (Lunar)

Formal Metadata

Title

Reproducible Builds for Debian

Title of Series

FOSDEM 2014

Number of Parts

199

Author

Bobbio, Jérémy (Lunar)

License

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/32616 (DOI)

Publisher

FOSDEM VZW

Release Date

2014

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

How can we enable multiple parties to verify that a binary package has been produced untampered from a given source in a distribution like Debian? With free software, anyone can inspect the source code for malicious flaws. But most distributions provide binary packages to their users. We would like them to be able to verify that no flaws are introduced during the build process. The idea of "deterministic" or "reproducible" builds is to enable anyone to reproduce a byte-for-byte identical binary packages from a given source. A research effort started last summer towards reproducible builds for Debian. After several small tweaks to core Debian tools, a massive rebuild in September reached 24% of builds resulting in identical binaries out of 5000+ source packages. The process uncovered challenges about both the reproducibility of the build environment and about the build processes themselves. We will review them, along with possible solutions and what remains to be done