Reproducible Builds

Founded in 2015, the Reproducible Builds project focuses on safeguarding open source software supply chains. Its objective is to prevent attacks on the complex systems that comprise the digital infrastructure underpinning modern society. By assisting thousands of free and open source software (FOSS) projects, the Reproducible Builds initiative ensures the resilience of their build systems against potential attacks and tampering. Noteworthy successes include improving the security of projects like Tails, a free operating system used by journalists in high-profile investigations.

Reproducible Builds addresses an urgent problem in the integrity of digital infrastructure today — although security experts can analyze the source code of FOSS projects, almost all the software that we actually use is assembled by a complex network of third parties. Actors with bad intentions can compromise thousands of systems by tampering with software after it is initially written but before it reaches end-users’ computers, phones, or other devices. This can be achieved by manipulating app stores and other software repositories, or by hacking the build systems that convert human-readable source code into binary computer code.

In the long term, the project aims to establish reproducible builds as a de facto methodological requirement for software development and distribution. Just as using a distributed revision control system was once considered pioneering and is now standard practice, the team intends the same for reproducible builds.

In recent years, there has been a marked increase in software supply chain attacks, and Reproducible Builds is playing a crucial defensive role by offering a framework and tools for FOSS projects to validate the integrity of their code from source code to binary on users' devices.

However, the project's impact extends beyond individual software projects to contribute to the overall security of millions of users globally. The same techniques can reveal the backdoors inserted by compromising build farms (groups of servers that prepare and compile software components so it can be used), package repositories, or even developers' own laptops. Reproducible Builds’ framework and tools can even uncover when organizations or individuals have been compelled to make changes via blackmail or government order. The users of a number of high-profile projects, such as Tor, Tails, and Debian, are more secure today because of their work.

The Sovereign Tech Fund is commissioning work in several areas to improve the long-term sustainability of this important initiative on software supply chain security, focusing on the maintenance of critical tooling as well as the research and continued development of Reproducible Builds’ architecture. The team is targeting a fully reproducible computing platform with the Debian Linux operating system as an example of fully-reproducible large and complex software project.

• Develop a reliable archive snapshot service for accessing software packages based on version numbers.
• Enhance 'diffoscope' tool capabilities, addressing outstanding feature requests like comparing kernel module signatures in order to provide comprehensive insights into non-reproducibility issues.
• Improve the reproducibility of the Debian Installer, merging code and systematic testing post-Debian 12.0 release.
• Organize online sprints to clear the backlog of reproducibility-related patches and ensure ongoing improvement of software projects.
• Extend the functionality of the testing framework to accommodate new components and properly test elements like the Debian Installer.
• Develop reproducible 'package rebuilders' to confirm the consistency of official build servers, ensuring they have not been compromised.
• Conduct an interview series with project supporters to showcase their contributions and ideas within the reproducible builds community.