Reproducible builds: Fulfilling the original promise of free software

Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.

The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process by promising identical binary packages are always generated from a given source.

This prevents against the installation of backdoor-introducing malware on developers' machines - an attacker would need to simultaneously infect or blackmail all developers attempting to reproduce the build.

This talk will focus heavily on how exactly software can fail to be reproducible, the tools, tests & specifications we have written to fix & diagnose issues, as well as the many amusing "fails" in upstream's code that have been unearthed by this process. In addition, you will learn what to avoid in your own software as well as the future efforts in the Reproducible Builds arena.

Day 2 (10th June) 11:30 AM - 12:00 PM
Function Room 1 and 2
English (English Slides)
For Coders and Tech Audiences with General Knowledge and Skills.
Very little. The difference between source code and binary code, the existence of hackers, etc.


Photo of Chris Lamb

Chris Lamb Chris

I am a polyglot freelance computer programmer who is the author of dozens of free projects and contributor to 100s of others. I've been an official Debian Developer since 2008 and am currently highly active in the Reproducible Builds project where I have been awarded a grant from the Core Infrastructure Initiative to fund my work in this area. In my spare time I'm an avid classical musician.

Nationality: United Kingdom
Community: Debian