The Linux Foundation’s Core Infrastructure Initiative (CII) is renewing its financial support for a project that makes it possible to verify that binaries built from open source software have not been tampered with.
The Reproducible Builds Project provides tools and best practices that help software projects ensure the binaries generated by a compilation process are bit-for-bit identical each time, so that they can be matched to the source code used to build them.
Among the big attractions of free and open source software is its promise of auditability: you’ll always have access to the underlying code and won’t be impeded from determining whether it contains back doors. But for most users there’s no guarantee that the binaries they run are actually derived from that source code, because a conventional build embeds details of the machine that produced it (timestamps, paths, file ordering, the builder’s user ID) and so never yields quite the same output twice. Reproducible builds are intended to provide such a guarantee: when the build is deterministic, anyone can rebuild the source and compare the result byte for byte with the binary that was shipped.
The CII began funding the Reproducible Builds Project in June 2015. Back then the project focused on ensuring the Debian Linux distribution could provide verified binaries, as a guarantee to its user base that its software was free of outside tampering.
Since then a slew of free software projects have climbed on board to provide reproducible builds for their user bases. Some are Linux distributions, such as Arch Linux, Fedora, and openSUSE; others are members of the BSD operating system family, such as NetBSD and FreeBSD. Yet other software projects are infrastructure of one kind or another: Bitcoin, the Tor Browser, coreboot, the OpenWrt router software project, and the Baserock OS-building platform.
Most of the benefits of reproducible builds are aimed at end users, but the CII says the technique is a boon to developers as well, citing benefits like “detecting corrupted build environments” and “reducing time-to-detection of a build host compromise.” The logic is the same in both cases: if a second build of the same source on a clean machine does not match the first, something on the first host changed the output, whether by accident or by design.
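To make concrete what “identical each time” actually requires, and what a rebuilder checks when looking for a corrupted build environment, here is an added example in Python. It is not code from this article, from the Reproducible Builds Project, or from any of the distributions named above; the sample source tree, the function names and the two chosen timestamps are constructed for the demonstration. It packages the same tree two ways: a naive build that lets the wall clock, the builder’s user ID and directory-listing order leak into the archive, and a pinned build that follows the project’s real SOURCE_DATE_EPOCH convention (all timestamps set from a fixed epoch), normalizes ownership and sorts entries. A small verifier then plays the role of an independent rebuilder comparing a fresh build against a published digest.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> contents), kept in memory so the
# example runs offline. A real build reads these from disk, where mtimes,
# ownership and directory-listing order all depend on the build host.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
    "Makefile": b"all:\n\tcc -o demo src/main.c\n",
}


def naive_build(tree, now, uid):
    """Package the tree the way an unconfigured build does: the gzip header and
    every file mtime carry the wall-clock time, entries carry the builder's
    uid/gid, and entries are written in whatever order the listing produced.
    'now' and 'uid' stand in for the clock and identity of the build host."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=now) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in tree.items():  # host-dependent order
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = now
                info.uid = info.gid = uid
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree, source_date_epoch):
    """Same package with every host-dependent input pinned: the gzip header and
    all mtimes come from SOURCE_DATE_EPOCH (the reproducible-builds.org
    convention; on a real tree each mtime would be clamped to that value),
    ownership is 0:0, permissions are fixed, and entries are sorted by path."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path, data in sorted(tree.items()):
                info = tarfile.TarInfo(path)
                info.size = len(data)
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or -1 if the artifacts are identical.
    A crude version of what diffoscope reports when a rebuild drifts."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def verify_rebuild(published_digest, tree, source_date_epoch):
    """What an independent rebuilder does: rebuild from the same source with the
    same pinned inputs and compare against the digest the project published.
    A mismatch means the build is not yet reproducible or the published
    artifact did not come from this source."""
    return sha256(reproducible_build(tree, source_date_epoch)) == published_digest


if __name__ == "__main__":
    t0 = 1_700_000_000
    a = naive_build(SOURCE_TREE, now=t0, uid=1000)
    b = naive_build(SOURCE_TREE, now=t0 + 3600, uid=1000)  # same host, an hour later
    print("naive builds differ at byte", first_difference(a, b))  # 4: the gzip mtime field

    epoch = 1_600_000_000
    published = sha256(reproducible_build(SOURCE_TREE, epoch))
    # A second builder whose directory listing comes back in a different order.
    reordered = dict(reversed(list(SOURCE_TREE.items())))
    print("independent rebuild matches:", verify_rebuild(published, reordered, epoch))  # True
    tampered = {**SOURCE_TREE, "src/main.c": b"int main(void) { return 1; }\n"}
    print("tampered source matches:", verify_rebuild(published, tampered, epoch))  # False
```

The naive pair differs at byte 4, the gzip header’s timestamp, before a single file is reached; that is the kind of variable a build system has to pin before “identical each time” is achievable. The pinned build gives the same bytes regardless of listing order, so a rebuilder on a different machine can match the published digest, and a changed source file fails the check.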
Worries about corrupted build environments were taken more seriously after the Linux Mint website was hacked and the default ISO it offered for download was replaced with a tampered copy. Similar fears came to the fore after a 2003 incident in which the Free Software Foundation’s software repository servers were compromised. No evidence surfaced that the source code housed on those servers, which includes the GNU C library (glibc), had been tampered with, but the possibility alone was ominous.
Other software projects are also striving to make reproducible builds easier to pull off. Bazel, a Google open source project, is a build system that Google has adopted internally for many of its own projects. Some of Bazel’s features, like its deliberately minimal build language, are designed to make reproducible builds easier by reducing the number of variables that can feed into any given build.