Reproducible builds, also known as deterministic compilation, are a process of compiling software which ensures that the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always produce the same binary.[1][2][3]
Reproducible builds can act as part of a chain of trust;[1] the source code can be signed, and deterministic compilation can prove that the binary was compiled from trusted source code. Verified reproducible builds provide a strong countermeasure against attacks where binaries do not match their source code, e.g., because an attacker has inserted malicious code into a binary. This is a relevant attack: attackers sometimes tamper with binaries but not the source code, e.g., because they can only change the distributed binary, or to evade detection, since it is the source code that developers normally review and modify. In a survey of 17 experts, reproducible builds received a very high utility rating from 58.8% of participants, but also a high-cost rating from 70.6%.[4] Various efforts are being made to modify software development tools to reduce these costs.
Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers....build system needs to be made entirely deterministic: transforming a given source must always create the same result.
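As an added illustration (not code from the article or from any reproducible-builds project), the following Python models the difference between a build that leaks its environment into the artifact and one that is deterministic, then performs the independent rebuild-and-compare check described above. The in-memory source tree, the two build environments and the tar packaging step are constructed stand-ins for a real compiler and build host.

```python
import hashlib
import io
import tarfile

# Constructed in-memory "source tree" (path -> contents), an assumption for the demo.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
    "README": b"demo project\n",
}

# Two constructed build hosts that differ the way real machines do: wall-clock
# time and the order a directory listing happens to return files.
# source_date_epoch plays the role of the SOURCE_DATE_EPOCH convention: a fixed
# timestamp derived from the source (e.g. last commit), not from the clock.
ENV_A = {"wall_clock": 1_700_000_000, "source_date_epoch": 1_600_000_000,
         "listing_order": ["README", "src/util.c", "src/main.c"]}
ENV_B = {"wall_clock": 1_700_000_999, "source_date_epoch": 1_600_000_000,
         "listing_order": ["src/main.c", "README", "src/util.c"]}


def build(source, env, reproducible):
    """Package the source tree into a tar archive and return its raw bytes.

    reproducible=False embeds the build clock as each file's mtime and walks
    inputs in listing order, so two honest builds of identical source differ
    byte for byte. reproducible=True sorts the inputs and fixes all metadata,
    so the same source always yields the same artifact.
    """
    names = sorted(source) if reproducible else env["listing_order"]
    mtime = env["source_date_epoch"] if reproducible else env["wall_clock"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0          # never record the builder's account
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def verify_reproducible(source, env, published_digest):
    """Rebuild independently on 'env' and compare with the published hash.
    A mismatch means the build is not deterministic or the published artifact
    was not produced from this source (e.g. it was tampered with)."""
    return digest(build(source, env, reproducible=True)) == published_digest
```

Run `verify_reproducible(SOURCE_TREE, ENV_B, digest(build(SOURCE_TREE, ENV_A, True)))` to see a second host confirm the first host's artifact; the same call with a modified source tree returns False.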