Reproducible Builds for Debian
How can we enable multiple parties to verify that a binary package has been produced untampered from a given source in a distribution like Debian?
With free software, anyone can inspect the source code for malicious flaws. But most distributions provide binary packages to their users. We would like them to be able to verify that no flaws are introduced during the build process. The idea of “deterministic” or “reproducible” builds is to enable anyone to reproduce byte-for-byte identical binary packages from a given source.
A research effort started last summer towards reproducible builds for Debian. After several small tweaks to core Debian tools, a massive rebuild in September of 5000+ source packages reached 24% of builds resulting in identical binaries. The process uncovered challenges concerning both the reproducibility of the build environment and the build processes themselves. We will review them, along with possible solutions and what remains to be done.
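The verification idea above, as an added illustration that is not part of the abstract or of Debian's tooling: two "builders" pack the same source tree at different times, and only when timestamps, ownership and member order are pinned do their archives hash identically. The sample files, the choice of build times and the two sources of non-determinism shown (wall-clock stamps and directory listing order) are assumptions for the demo.

```python
import gzip, hashlib, io, os, tarfile, tempfile

# Constructed sample "source package": two files, nothing Debian-specific.
SAMPLE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
}

def write_source_tree(root):
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def build(root, build_time, reproducible):
    """Pack the tree into a .tar.gz and return its SHA-256. The naive variant
    stamps the build's wall-clock time into every header and the gzip wrapper
    and walks the tree in filesystem order; the reproducible one pins all of it."""
    members = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            members.append((os.path.relpath(full, root), full))
    if reproducible:
        members.sort()  # directory listing order is not stable across hosts
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb",
                       mtime=0 if reproducible else build_time) as gz, \
         tarfile.open(fileobj=gz, mode="w") as tar:
        for arcname, full in members:
            info = tar.gettarinfo(full, arcname=arcname)
            info.mtime = 0 if reproducible else build_time
            if reproducible:
                info.uid = info.gid = 0       # builder identity otherwise leaks in
                info.uname = info.gname = ""
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def builds_match(reproducible):
    """Simulate two independent builders working at different times from the
    same source; True when they produce byte-for-byte identical archives."""
    digests = []
    for build_time in (1_400_000_000, 1_410_000_000):
        with tempfile.TemporaryDirectory() as root:
            write_source_tree(root)
            digests.append(build(root, build_time, reproducible))
    return digests[0] == digests[1]
```

Comparing the two builders' digests is exactly the check an independent party would run: a mismatch does not yet say which build is wrong, only that the source and the published binary cannot be tied together.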
Jérémy Bobbio (Lunar)