Reproducible Builds and Insights from an Independent Verifier for Arch Linux
Joshua Drexel, Esther Hänggi, Iyán Méndez Veiga

TL;DR
This paper discusses the importance of reproducible builds for cybersecurity, presents a verifier for Arch Linux packages, uncovers security issues, and contributes fixes to improve software integrity.
Contribution
It introduces a reproducible build verification setup for Arch Linux, uncovers security-relevant unreproducibility issues, and submits upstream patches to fix them.
Findings
Uncovered unreproducible packages affecting TLS certificates
Identified root cause of unreproducibility in fwupd source code
Contributed upstream fix for critical software issue
Abstract
Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges. We contribute to the reproducible builds effort by setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot, the recommended software to install TLS certificates from Let's Encrypt, making them unreproducible. Additionally, we find the root cause…
