Reproducible builds in Debian and everywhere

Speaker(s) : Lunar (Debian)

  • Language : English
  • Level : Confirmed
  • Nature : Conference
  • Date : Monday 6 July 2015
  • Schedule : 16h20
  • Duration : 40 minutes
  • Place : 202

Video : https://rmll.ubicast.tv/permalink/v1253b3db528fcf0ch3p

Free software gives us the possibility to verify its behavior by looking at the source code. However, what we use most often are distributed binaries. How can we make sure they have actually been made from the source code they claim to be made from? When builds are “deterministic” or “reproducible”, anyone can recreate a byte-for-byte identical result, preventing hard-to-detect compromises.

The effort has been ongoing in Debian for the past two years. Last spring, experiments enabled more than 18,000 source packages (80% of the total) to be built reproducibly. Although the team has already identified and fixed many problems, quite a lot of work remains to be done in Debian… and in the whole free software world.

Lunar
Lunar first played with electronic communications with phone-hooked terminals at the age of 10. He has never stopped working on DIY server projects since. Despite being critical of the social impacts of the digital world, he still believes the holes in computer surveillance nets are big enough to create opportunities for collective empowerment. A Debian user since 2002, he became an official Developer in 2007. Reproducible builds are now his main focus in Debian. He is also involved in the Tor project and maintains several packages related to Tor.

Slides
Slides (PDF - 2.6 Mb)