Jérémy Bobbio (Lunar)

With free software, anyone can inspect the source code for malicious flaws. But Debian provide binary packages to its users. The idea of “deterministic” or “reproducible” builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source.

This talk will explain the current status of the Debian Reproducible Builds project, how this is relevant for the complete free software eco system and how you can contribute.

see https://wiki.debian.org/ReproducibleBuilds and https://reproducible.debian.net

How can we enable multiple parties to verify that a binary package has been produced untampered from a given source in a distribution like Debian?

With free software, anyone can inspect the source code for malicious flaws. But most distributions provide binary packages to their users. We would like them to be able to verify that no flaws are introduced during the build process. The idea of “deterministic” or “reproducible” builds is to enable anyone to reproduce a byte-for-byte identical binary packages from a given source.

A research effort started last summer towards reproducible builds for Debian. After several small tweaks to core Debian tools, a massive rebuild in September reached 24% of builds resulting in identical binaries out of 5000+ source packages. The process uncovered challenges about both the reproducibility of the build environment and about the build processes themselves. We will review them, along with possible solutions and what remains to be done.