logo
allArticlesConferencesPresentations

What Makes A Build Reproducible?

Conference:  SupplyChainSecurityCon 2022

2022-06-21

Authors:   Rose Judge, Joshua Lock

Summary

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
  • Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
  • There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
  • Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
  • Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations
The speaker mentions that achieving reproducible builds today takes engineering effort and long-term storage, which can be costly for some organizations. However, applying consistent and reliable reproducibility principles to software development pipelines and infrastructure is not just good for the software but also for the entire ecosystem. It provides transparency and makes it harder for bad actors to hide, and it provides an audit trail that makes it easy to spot malicious actors when they attempt to intervene.

Abstract

Truly reproducible builds are an essential part of securing the software supply chain. They ensure that software vendors know exactly what’s being shipped and can quickly pinpoint vulnerable components and remediate fixes in light of a vulnerability or exploit. For open source projects, they allow our users to verify that the built artifacts match the source code in the repository. Reproducible builds also enable software vendors to confidently ship code without having to assess and verify third party dependency build process trustworthiness. The term “reproducible builds”, however, is overloaded with definitions and expectations for behavior. So what exactly makes a build reproducible? There’s at least three ways to define it: 1) Deterministic build process; 2) Artifacts that can be recreated; and 3) Binary, or bit-for-bit, reproducible. For each of these common definitions of “reproducible build” this talk will propose an alternative term and explore the supply chain security implications of the definition. We hope this talk will motivate audience members to work towards reproducible builds but at least should help understand why reproducible builds matter.
Materials:
Slides
Tags:
build process
software
supply chain
trustworthiness

Post a comment

Related work

Zero Trust Supply Chains with Project Sigstore and SPIFFE

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Jake Sanders, Andres Vega
2022-10-26

Kubernetes Supply Chain Security: The Software Factory

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Andrew Martin
2021-10-13

Spicing up Container Image Security with SLSA & GUAC

Conference:  Cloud Native SecurityCon North America 2023
Authors: Ian Lewis

Picking Lockfiles: Attacking & Defending Your Supply Chain

Conference:  BlackHat USA 2021
Authors:
2021-11-11

How SIG Release Cooks Trustworthy Artifacts From Raw Source Code

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Carlos Panato, Jeremy Rickard, Sascha Grunert, Adolfo García Veytia
2022-10-26

Securing Self-Hosted GitHub Actions with Kubernetes and Actions-Runner-Controller

Conference:  Cloud Native SecurityCon North America 2023
Authors: Natalie Somersall