Verifying packages with Debian's ReproducibleBuilds

Identical Build

Conclusions

Thus far, Debian's ReproducibleBuilds project is a success story: As of February 13, 2015, reproducible builds worked for 83.5 percent of all packages (Figure 2) [20]. The new build type will probably also be a release target for Debian 9, all with the aim of making Debian that little bit more secure.

Figure 2: In February 2015, the number of packages that could be reproducibly built reached an interim high.

Infos

  1. ReproducibleBuilds in Debian: https://wiki.debian.org/ReproducibleBuilds
  2. OpenSSH bug: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0083
  3. Move on ReproducibleBuilds from 31C3: https://www.youtube.com/watch?v=5pAen7beYNc
  4. Origins of ReproducibleBuilds: https://lists.debian.org/debian-devel/2007/09/msg00746.html
  5. Tor using ReproducibleBuilds: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
  6. Problems with ReproducibleBuilds: https://reproducible.debian.net/index_issues.html
  7. Doxygen: http://www.stack.nl/~dimitri/doxygen/
  8. LaTeX: http://www.latex-project.org
  9. Problems with preprocessor macros in C++: https://wiki.debian.org/Reproducible-Builds/TimestampsFromCPPMacros
  10. Enhanced toolchain: http://reproducible.alioth.debian.org/debian
  11. Buildinfo specification: https://wiki.debian.org/ReproducibleBuilds/BuildinfoSpecification
  12. Debian's Snapshot package archive: http://snapshot.debian.org
  13. Pbuilder: http://pbuilder.alioth.debian.org
  14. debbindiff: https://tracker.debian.org/pkg/debbindiff
  15. Continuous integration platform: https://jenkins.debian.net/
  16. Jenkins statistics: https://reproducible.debian.net/reproducible.html
  17. Buildd: http://buildd.debian.org
  18. Keynote at FOSDEM: http://ftp.heanet.ie/mirrors/fosdem-video/2015/main_track-miscellaneous/Stretching_out_for_trustworthy_reproducible_builds_by_Holger_and_Lunar.mp4
  19. Trusting-Trust attacks: https://www.schneier.com/blog/archives/2006/01/countering_trus.html
  20. Project status update from February 2015: https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html

The Author

Daniel Stender (http://www.danielstender.com/entwicklerblog/) has focused on Debian on the desktop since 2002. He officially maintains various packages pertaining to Python libraries, document analysis, OCR, and media production.
