Reproducible Builds: Increasing the Integrity of Software Supply Chains

04/13/2021

∙

Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner-this is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).

READ FULL TEXT

Reproducible Builds: Increasing the Integrity of Software Supply Chains

Building a Secure Software Supply Chain with GNU Guix

Reconciler: A Workflow for Certifying Computational Research Reproducibility

Software Supply Chain Map: How Reuse Networks Expand

Taxonomy of Attacks on Open-Source Software Supply Chains

Automatic Security Assessment of GitHub Actions Workflows

Automated Localization for Unreproducible Builds

Efficient Prior Publication Identification for Open Source Code

Reproducible Builds: Increasing the Integrity of Software Supply Chains

Related Research

Building a Secure Software Supply Chain with GNU Guix

Reconciler: A Workflow for Certifying Computational Research Reproducibility

Software Supply Chain Map: How Reuse Networks Expand

Taxonomy of Attacks on Open-Source Software Supply Chains

Automatic Security Assessment of GitHub Actions Workflows

Automated Localization for Unreproducible Builds

Efficient Prior Publication Identification for Open Source Code