SupplyChainSecurityCon 2022

Truly reproducible builds are an essential part of securing the software supply chain. They ensure that software vendors know exactly what’s being shipped and can quickly pinpoint vulnerable components and remediate fixes in light of a vulnerability or exploit. For open source projects, they allow our users to verify that the built artifacts match the source code in the repository. Reproducible builds also enable software vendors to confidently ship code without having to assess and verify third party dependency build process trustworthiness. The term “reproducible builds”, however, is overloaded with definitions and expectations for behavior. So what exactly makes a build reproducible? There’s at least three ways to define it: 1) Deterministic build process; 2) Artifacts that can be recreated; and 3) Binary, or bit-for-bit, reproducible. For each of these common definitions of “reproducible build” this talk will propose an alternative term and explore the supply chain security implications of the definition. We hope this talk will motivate audience members to work towards reproducible builds but at least should help understand why reproducible builds matter.

Dates

Author

Conferences

Tags

What Makes A Build Reproducible?

tldr - powered by Generative AI