How can we enable multiple parties to verify that a binary package has been produced untampered from a given source in a distribution like Debian?
With free software, anyone can inspect the source code for malicious flaws. But most distributions provide binary packages to their users. We would like them to be able to verify that no flaws are introduced during the build process. The idea of “deterministic” or “reproducible” builds is to enable anyone to reproduce byte-for-byte identical binary packages from a given source.
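To make the idea concrete, here is an added example (not part of the talk abstract and not Debian's packaging tooling) that simulates the same source tree being packaged by several independent parties. It assumes a toy package format built with Python's tarfile and gzip modules and a constructed two-file source tree; the only real-world convention it borrows is SOURCE_DATE_EPOCH from reproducible-builds.org. The naive builder leaks the wall clock, builder identity and directory order into the output, so two rebuilds never match; the reproducible builder pins every one of those and yields one hash however many parties rebuild it.

```python
"""Toy illustration of reproducible builds: the same source must yield a
byte-for-byte identical package no matter who builds it or when.
Constructed example; not Debian's or any project's tooling."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree: path inside the package -> file contents.
SAMPLE_SOURCE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"Hello, reproducible world.\n",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def naive_build(source, wall_clock, source_date_epoch):
    """Packs files in whatever order the caller hands them over and stamps the
    builder's wall-clock time and identity into every tar entry and into the
    gzip header. Two builders running at different times get different bytes.
    source_date_epoch is accepted but ignored, which is the defect."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=wall_clock) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in source.items():           # order as received
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = wall_clock                 # clock leaks in
                info.uname = info.gname = "builder"     # identity leaks in
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(source, wall_clock, source_date_epoch):
    """Same payload, but every source of variation is pinned: entries are
    sorted by name, timestamps come from SOURCE_DATE_EPOCH (a date taken from
    the source itself, e.g. the changelog) instead of the clock, ownership is
    normalised, and the gzip header timestamp is zeroed. wall_clock is unused."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(source):                 # fixed order
                data = source[name]
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = source_date_epoch          # from the source, not the clock
                info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def package_contents(package):
    """Read a package back so a verifier can confirm the payload survived."""
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


def independent_rebuilds(build_fn, source, source_date_epoch, wall_clocks):
    """Simulate several parties rebuilding the same source: each one sees the
    files in a different directory order and builds at a different time.
    Returns the set of distinct package hashes; a reproducible build yields one,
    so any party can compare its own hash against the distributed binary."""
    hashes = set()
    items = list(source.items())
    for i, clock in enumerate(wall_clocks):
        order = items if i % 2 == 0 else items[::-1]   # differing readdir order
        hashes.add(sha256(build_fn(dict(order), clock, source_date_epoch)))
    return hashes


if __name__ == "__main__":
    epoch = 1700000000                                   # constructed changelog date
    clocks = [1700000000, 1700003600, 1700090000]         # three builders, three times
    print("naive:       ", independent_rebuilds(naive_build, SAMPLE_SOURCE, epoch, clocks))
    print("reproducible:", independent_rebuilds(reproducible_build, SAMPLE_SOURCE, epoch, clocks))
```

Run as a script, it prints three distinct hashes for the naive builder and exactly one for the reproducible builder. The design point is that every normalised field (entry order, mtime, uid/gid, user and group names, mode, gzip header time) is a place where a real toolchain silently records its environment; fixing them one at a time is the kind of toolchain change the abstract refers to.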
Last year at DebConf13, a last minute BoF kicked off the effort. The last large scale experiment on 5151 source packages yielded 62% of them producing matching binaries after a couple of changes to the toolchain. A pretty encouraging result!
The presentation will explain why we need reproducible builds, what has been done over the past year, the problems that have been identified so far and possible solutions.
A subsequent BoF will allow interested parties to discuss solutions to some hard problems that were found during this first year of research.