Reproducible Builds for Trustworthy Binaries
2022-07-25, 23:20–23:50, Clairvoyance 🔮

Reproducible Builds is a technique that can be used to secure the software delivery pipeline.

For open source software, they even allow independently auditing published binaries, removing a single point of trust from the distribution process. This can be used by individual projects or even complete Linux distributions.

The software delivery pipeline is an increasingly popular attack vector: even when your project source code is known-good (audited), an attacker can inject malware by gaining access to the machine used to build (and sign) the binaries.

Reproducible Builds provides a mechanism to counter such attacks: by building the same source code on independently-administered machines and comparing their outcome.

Several Linux distributions (Debian, Arch, openSUSE, NixOS, OpenWrt, ...) are working towards using Reproducible Builds to make their binary packages independently verifiable, but also individual projects use it to verify their deliverables. This talk will give an overview of progress, results and next steps.

Open Source fanatic, active in the Reproducible Builds project (in particular on NixOS and the JVM), maintaining the Notion window manager, administering the LinuxMusicians forum, regular at Hack42, working on Akka for Lightbend.