Apr 13, 2021

Reproducible Builds: Increasing the Integrity of Software Supply Chains

arXiv:2104.06020v1

AI Analysis

The paper addresses security risks in software supply chains for users and developers of Free and Open Source Software; its contribution is incremental, since it builds on existing reproducibility concepts.

The paper tackles the problem of verifying that compiled binaries correspond to their original source code to increase trust in software supply chains, and demonstrates the approach through making the Debian Linux distribution reproducible, highlighting its affinity with quality assurance.

Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner, that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).
