Software build reproducibility is the ability to use independent build machines to compile bit-identical binaries from program source code. In this talk, we will discuss the motivation for and the technical details behind software build reproducibility. We will describe the technical mechanisms used by the Tor Project to produce
reproducible builds of the Tor Browser, and also introduce the early efforts of both F-Droid and Debian to achieve these same build integrity properties on a more wide-scale basis.
For the past several years, we've been seeing a steady increase in the weaponization, stockpiling, and the use of software exploits by many parties. In particular, there are an increasing number of vectors to "bridge the air gap" and exploit even disconnected machines. Software build systems make a worrisome target for these types of exploits, as they provide a stepping stone to compromise very large numbers of machines.
To underscore this point, we will demonstrate a simple Linux rootkit that is capable of infecting the compilation process while otherwise leaving no traces on the machine.
We will discuss a powerful solution to this problem: Build Reproducibility. We will focus on the build system used by The Tor Project to build Tor Browser - our Firefox-based browser. We will also touch upon current work by Debian, as well as by F-Droid and the Guardian Project for Android.