Thursday, January 24, 2019

NetBSD hits 100% reproducibility in builds

Reproducible builds let anyone rebuild a package from a given source and obtain a bit-for-bit identical binary, so that anyone can verify that a given binary was in fact derived from the source it is claimed to come from.

Example variables that can make two builds of the same source differ:

  • env LANG
  • env PATH
  • kernel version
  • datetime
  • CPU type
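
To make that list of variables concrete, here is an added example (not NetBSD's build system and not code from the original post): a toy Python "build" that leaks the clock, the build directory, the locale and the order its inputs arrived in, beside a normalized variant that pins each of those, plus a verifier that compares a vendor artifact against an independent rebuild and reports the first differing byte. `naive_build`, `reproducible_build`, `verify` and the `SOURCES` tree are constructed for this illustration; `SOURCE_DATE_EPOCH` is the reproducible-builds.org convention for a fixed timestamp taken from the source rather than the clock, which the post itself does not mention.

```python
"""Toy reproducible-build demonstration (added example, not NetBSD code)."""
import hashlib
import os
import time
from typing import Dict, Optional, Tuple

# Constructed toy "source tree" (not a real project): filename -> contents.
SOURCES: Dict[str, bytes] = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int helper(int x) { return x + 1; }\n",
    "README": b"toy project\n",
}


def naive_build(sources: Dict[str, bytes], build_dir: str,
                now: Optional[float] = None,
                env: Optional[Dict[str, str]] = None) -> bytes:
    """Unreproducible build: the clock, the build path, the locale and the
    arrival order of the inputs all end up in the output."""
    now = time.time() if now is None else now
    env = dict(os.environ) if env is None else env
    out = bytearray()
    out += b"BUILT-AT %d\n" % int(now)                   # datetime leaks in
    out += b"BUILD-DIR %s\n" % build_dir.encode()        # build path leaks in
    out += b"LANG %s\n" % env.get("LANG", "").encode()   # locale leaks in
    for name, data in sources.items():                   # caller-dependent order
        out += b"FILE %s\n" % name.encode() + data
    return bytes(out)


def reproducible_build(sources: Dict[str, bytes], build_dir: str,
                       env: Dict[str, str]) -> bytes:
    """Normalized build: every environment-dependent input is pinned.
    build_dir is accepted for symmetry with naive_build and deliberately ignored."""
    # SOURCE_DATE_EPOCH: fixed timestamp shipped with the source (e.g. last
    # commit time), so the vendor and the rebuilder embed the same value.
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    out = bytearray()
    out += b"BUILT-AT %d\n" % epoch
    out += b"BUILD-DIR /usr/src\n"      # canonical prefix, not the real path
    out += b"LANG C\n"                  # fixed locale regardless of env
    for name in sorted(sources):        # byte-wise sorted, not readdir order
        out += b"FILE %s\n" % name.encode() + sources[name]
    return bytes(out)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(published: bytes, rebuilt: bytes) -> Tuple[bool, Optional[int]]:
    """Compare a vendor binary with an independent rebuild.
    Returns (identical, offset of the first differing byte or None)."""
    if sha256(published) == sha256(rebuilt):
        return True, None
    for i, (x, y) in enumerate(zip(published, rebuilt)):
        if x != y:
            return False, i
    return False, min(len(published), len(rebuilt))  # one is a prefix of the other


if __name__ == "__main__":
    vendor_env = {"LANG": "en_US.UTF-8", "SOURCE_DATE_EPOCH": "1548288000"}
    user_env = {"LANG": "C", "SOURCE_DATE_EPOCH": "1548288000"}
    # Reversed dict simulates a different readdir/sort order on the rebuilder.
    reordered = dict(reversed(list(SOURCES.items())))
    naive_a = naive_build(SOURCES, "/home/vendor/pkg", now=1548300000, env=vendor_env)
    naive_b = naive_build(reordered, "/tmp/rebuild", now=1548300001, env=user_env)
    print("naive build:       ", verify(naive_a, naive_b))
    repro_a = reproducible_build(SOURCES, "/home/vendor/pkg", vendor_env)
    repro_b = reproducible_build(reordered, "/tmp/rebuild", user_env)
    print("reproducible build:", verify(repro_a, repro_b), sha256(repro_a))
```

The naive pair differs at the very first line (the timestamp), so a hash comparison alone would only tell you "different"; reporting the offset points the rebuilder at which of the listed variables leaked in. The normalized pair hashes identically even though the rebuilder used a different path, locale and input order, which is exactly the property that lets a third party confirm a distributed binary matches its source.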

The idea that open source software is unlikely to contain malware because you can see the source code yourself has been a consistent marketing point for years. […] The flaw in this thought process of course is that 99.99% of us are not compiling the source ourselves. […] Unfortunately it’s not that easy with most software. Different compilers, different compiler flags, different build environments, and in some cases straight up non-deterministic parts of the build process leave artifacts everywhere to the point that it’s very likely that every single build is different. This then allows us to close the trust gap because we can now verify that other people are getting the same binary as is in the distro/vendor package and see that it has not been modified.