Reproducible Builds: Increasing the Integrity of Software Supply Chains
Chris Lamb, Stefano Zacchiroli (DGD-I, UP)

TL;DR
Reproducible builds enable verification that software binaries match their source code, enhancing supply chain security and quality assurance in open source software distribution.
Contribution
This paper introduces the concept of reproducible builds, discusses challenges in achieving bit-for-bit identical software builds, and shares practical insights from the Debian Linux project.
Findings
Reproducible builds improve trust in software supply chains.
Achieving reproducibility involves overcoming complex build environment challenges.
Reproducibility correlates with higher software quality assurance.
Abstract
Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner, that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).
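The abstract's definition of reproducibility ("every build generates bit-for-bit identical results") is easiest to see on a tiny build step. The following is an added example, not code from the paper or from the Reproducible Builds project: it packages a constructed two-file source tree into a tar.gz twice. The naive build stamps the wall-clock time into both the tar entries and the gzip header and emits files in whatever order the input arrives, so two builds of the same source hash differently; the reproducible build pins timestamps to a caller-supplied SOURCE_DATE_EPOCH value (the convention the project uses; the parameter name here is this example's own), zeroes ownership, and sorts entries, so any two builds agree. The `first_difference` helper is an assumed, simplified stand-in for what a tool like diffoscope reports.

```python
import gzip
import hashlib
import io
import tarfile
import time

# Constructed sample "source tree": path -> file contents (not from the paper).
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}


def _write_tar_gz(entries, entry_mtime, gzip_mtime, uid=0, gid=0):
    """Write (name, data) pairs into a tar.gz held in memory and return its bytes."""
    buf = io.BytesIO()
    # The gzip container has its own MTIME header field; leaving it at the
    # default (current time) is a classic source of non-reproducibility.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gzip_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tf:
            for name, data in entries:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = entry_mtime
                info.uid, info.gid = uid, gid
                info.uname = info.gname = ""  # do not leak the builder's account name
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_naive(tree, build_time=None):
    """Unreproducible build: wall-clock timestamps, input-order file listing."""
    now = int(time.time()) if build_time is None else int(build_time)
    return _write_tar_gz(list(tree.items()), entry_mtime=now, gzip_mtime=now)


def build_reproducible(tree, source_date_epoch):
    """Reproducible build: every environment-dependent input is normalised."""
    epoch = int(source_date_epoch)
    ordered = sorted(tree.items())  # stable order regardless of how files were discovered
    return _write_tar_gz(ordered, entry_mtime=epoch, gzip_mtime=epoch)


def sha256_hex(blob):
    """Digest used to compare two build outputs, as a rebuilder would."""
    return hashlib.sha256(blob).hexdigest()


def first_difference(a, b):
    """Return the byte offset where two artifacts first diverge, or -1 if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def builds_match(tree, build_fn, *args_per_build):
    """Run build_fn once per argument tuple and report whether all outputs are bit-identical."""
    digests = {sha256_hex(build_fn(tree, *args)) for args in args_per_build}
    return len(digests) == 1


if __name__ == "__main__":
    epoch = 1609459200  # constructed SOURCE_DATE_EPOCH: 2021-01-01T00:00:00Z
    a, b = build_naive(SAMPLE_TREE, epoch), build_naive(SAMPLE_TREE, epoch + 1)
    print("naive builds differ at byte", first_difference(a, b))
    r1, r2 = build_reproducible(SAMPLE_TREE, epoch), build_reproducible(SAMPLE_TREE, epoch)
    print("reproducible builds identical:", first_difference(r1, r2) == -1)
```

Running the script shows the naive outputs diverging inside the gzip header (the MTIME field at offset 4), before any tar content is reached; the normalised builds hash identically even when the source tree is fed in a different order, which is the property an independent rebuilder relies on to confirm that a distributed binary came from the published source.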
