Debian 14 cracks down on unreproducible packages
Briefly

"“Aided by the efforts of the Reproducible Builds project, we've decided it's time to say that Debian must ship reproducible packages,” wrote Release Team member Paul Gevers. “Since yesterday, we have enabled our migration software to block migration of new packages that can't be reproduced or existing packages (in testing) that regress in reproducibility.”"
"It should be possible to reproduce, byte for byte, every build of every package in Debian. The Wikipedia article also has a good clear explanation, and introduces a helpful synonym: deterministic compilation. In other words, if you use the same version of the same compiler with the same options, then every time you compile an identical set of source files, the process ought to result in an identical set of binary files."
"Reproducible builds in Debian have been a long time coming: The Register first reported on Debian's efforts in this direction way back in 2015. It's not an easy task, but it's a useful security measure. The idea is to ensure that binaries have not been tampered with - for instance, modified to insert malware. It permits an additional verification"
Debian’s release process added a goal of deterministic package compilation. Reproducible packages are intended to be built so that the same source and build inputs produce identical binary outputs. Debian enabled migration tooling to prevent new packages that cannot be reproduced and to stop existing packages in testing that regress in reproducibility. The approach is supported by the Reproducible Builds project and aligns with broader industry efforts such as FreeBSD’s reproducible build promises. Reproducible builds act as an additional security measure by helping verify that distributed binaries have not been tampered with, including the insertion of malware, and by enabling independent verification of build outputs.
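To make the quoted rule concrete, here is an added example (not Debian's migration tooling or anything from the article) that compares two independent builds byte for byte via SHA-256 and then applies the gate exactly as stated: a new package must be reproducible, and a package already in testing must not regress. The build manifests, artifact paths and contents are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A manifest maps an artifact path inside the package to the bytes that were built.
Manifest = Dict[str, bytes]


def digest(data: bytes) -> str:
    """SHA-256 of one artifact; comparing digests is comparing bytes."""
    return hashlib.sha256(data).hexdigest()


def compare_builds(first: Manifest, second: Manifest) -> List[Tuple[str, str]]:
    """Return (path, reason) for every artifact that is not identical across the
    two builds. An empty list means the package reproduced byte for byte."""
    problems = []
    for path in sorted(set(first) | set(second)):
        if path not in first or path not in second:
            problems.append((path, "present in only one build"))
        elif digest(first[path]) != digest(second[path]):
            problems.append((path, "contents differ"))
    return problems


def migration_allowed(new_reproducible: bool,
                      testing_reproducible: Optional[bool]) -> bool:
    """Gate from the release team's rule: block new packages that cannot be
    reproduced, and block updates to packages already in testing that regress.
    testing_reproducible is None when the package is not yet in testing."""
    if testing_reproducible is None:
        return new_reproducible            # new package: must reproduce
    return new_reproducible or not testing_reproducible  # no regression


# Constructed sample: two builds of the same source with the same toolchain,
# and a third build whose documentation embeds a build timestamp (non-deterministic).
BUILD_A: Manifest = {"usr/bin/tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
                     "usr/share/doc/tool/README": b"tool docs\n"}
BUILD_B: Manifest = dict(BUILD_A)
BUILD_C: Manifest = {**BUILD_A,
                     "usr/share/doc/tool/README": b"tool docs\nbuilt 2025-01-02 03:04:05\n"}


def gate_constructed_package(in_testing_reproducible: Optional[bool]) -> bool:
    """Reproduce BUILD_A against BUILD_C (the timestamped build) and run the gate."""
    reproducible = compare_builds(BUILD_A, BUILD_C) == []
    return migration_allowed(reproducible, in_testing_reproducible)


if __name__ == "__main__":
    for path, reason in compare_builds(BUILD_A, BUILD_C):
        print(f"{path}: {reason}")
    print("new package migrates:", gate_constructed_package(None))
```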
Read at theregister