Debian's ReproducibleBuilds project helps you determine whether a binary package was actually built from the associated source code.
Open source software offers a big security benefit: unlike proprietary software, anyone can view the source code, so in theory you know what you are installing. However, the overwhelming majority of users install prebuilt software packages provided by their Linux distributors. These users rely on system developers and package maintainers to ensure that the binary packages do not contain malicious code that deviates from the official source code.
The Debian ReproducibleBuilds project helps you verify that the package matches the source code and that no flaws have been introduced (Figure 1) [1].
Figure 1: If the build system is compromised, the binary package produced by it in the ReproducibleBuilds system has a different hash value (red entry).
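The comparison shown in Figure 1, as an added example that is not code from the Debian project: each independently rebuilt binary is hashed and checked against the SHA256 the archive publishes in its Packages index, and any rebuild that does not match is the "red entry". The package name, version, paths and file bytes are constructed for the demo.

```python
"""Verify independently rebuilt .deb files against the SHA256 the Debian
archive publishes in its Packages index. Added example; the package,
version and file contents below are constructed, not from a real archive."""
import hashlib

def parse_packages_stanzas(text: str) -> dict:
    """Parse the RFC 822-style stanzas of a Packages index into
    {package name: {field: value}}; indented lines continue a field."""
    stanzas, current, last = {}, {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a stanza
            if current:
                stanzas[current["Package"]] = current
            current, last = {}, None
        elif line[0] in " \t" and last:           # continuation line
            current[last] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
            last = key.strip()
    if current:
        stanzas[current["Package"]] = current
    return stanzas

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_rebuilds(packages_text: str, name: str, rebuilds: dict) -> dict:
    """Compare each builder's output with the published hash. A False entry
    is the 'red entry' of Figure 1: that binary was not produced from the
    same inputs as the one the archive ships (unreproducible or altered)."""
    published = parse_packages_stanzas(packages_text)[name]["SHA256"]
    return {builder: sha256_hex(data) == published
            for builder, data in rebuilds.items()}

# Constructed artifacts: the bytes the archive ships, an honest rebuild
# that reproduces them exactly, and one from a builder that altered them.
ARCHIVE_DEB = b"!<arch>\ndebian-binary/ 2.0\ncontrol.tar.xz data.tar.xz"
HONEST_REBUILD = ARCHIVE_DEB
ALTERED_REBUILD = ARCHIVE_DEB + b"\nextra-bytes-from-a-compromised-builder"

PACKAGES_INDEX = f"""Package: example-pkg
Version: 1.0-1
Architecture: amd64
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb
SHA256: {sha256_hex(ARCHIVE_DEB)}

"""
```

Calling `verify_rebuilds(PACKAGES_INDEX, "example-pkg", {"buildd-a": HONEST_REBUILD, "buildd-b": ALTERED_REBUILD})` returns `{"buildd-a": True, "buildd-b": False}`, flagging the second builder.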
Attack Scenarios
As a popular Linux distribution, Debian distributes its own software to a large number of users worldwide. The customers are not only private users, but also organizations, research institutions, and companies. This complex and decentralized software distribution system creates opportunities for attackers to foist malicious code onto
...
Debian's reproducible builds project tries to meet strict security requirements for binary packages from its archives through the creation of bitwise identical binary packages.