
Chris Lamb - Debian

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.

The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process, by guaranteeing that identical binary packages are always generated from a given source. This protects against backdoor-introducing malware on developers' machines: an attacker would need to simultaneously infect or blackmail every developer attempting to reproduce the build.

This talk will focus heavily on how exactly software can fail to be reproducible; the tools, tests and specifications we have written to diagnose and fix issues; and the many amusing "fails" in upstream code that have been unearthed by this process. In addition, you will learn what to avoid in your own software, as well as the future efforts in the Reproducible Builds arena.

Chris Lamb is a freelance computer programmer who is the author of dozens of free software projects and a contributor to hundreds of others. Currently holding the position of Debian Project Leader, Chris has been involved in the Debian GNU/Linux project since 2007. He is currently highly active in the Reproducible Builds project, where he has been awarded a grant from the Core Infrastructure Initiative to fund his work in this area. In his spare time Chris is an avid classical musician.

Uploaded on May 1, 2017
Taken on April 26, 2017