What Makes A Build Reproducible?

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.

• Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
• There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
• Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
• Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations

The speaker mentions that achieving reproducible builds today takes engineering effort and long-term storage, which can be costly for some organizations. However, applying consistent and reliable reproducibility principles to software development pipelines and infrastructure is not just good for the software but also for the entire ecosystem. It provides transparency and makes it harder for bad actors to hide, and it provides an audit trail that makes it easy to spot malicious actors when they attempt to intervene.

Truly reproducible builds are an essential part of securing the software supply chain. They ensure that software vendors know exactly what’s being shipped and can quickly pinpoint vulnerable components and remediate fixes in light of a vulnerability or exploit. For open source projects, they allow our users to verify that the built artifacts match the source code in the repository. Reproducible builds also enable software vendors to confidently ship code without having to assess and verify third party dependency build process trustworthiness. The term “reproducible builds”, however, is overloaded with definitions and expectations for behavior. So what exactly makes a build reproducible? There’s at least three ways to define it: 1) Deterministic build process; 2) Artifacts that can be recreated; and 3) Binary, or bit-for-bit, reproducible. For each of these common definitions of “reproducible build” this talk will propose an alternative term and explore the supply chain security implications of the definition. We hope this talk will motivate audience members to work towards reproducible builds but at least should help understand why reproducible builds matter.