Software:Reproducible builds
Reproducible builds, also known as deterministic compilation, is a process of compiling software which ensures the resulting binary code can be reproduced. Source code compiled using deterministic compilation will always output the same binary.[1][2]
Reproducible builds can act as part of a chain of trust;[1] the source code can be signed, and deterministic compilation can prove that the binary was compiled from trusted source code.
Methods
For the compilation process to be deterministic, the input to the compiler must be the same, regardless of the build environment used. This typically involves normalizing variables that may change, such as order of input files, timestamps, locales, and paths.
Additionally, the compilers must not introduce non-determinism themselves. This sometimes happens when using hash tables with a random hash seed value. It can also happen when using the addresses of variables, because those addresses vary with address space layout randomization (ASLR).
Build systems, such as Bazel and Gitian,[3] can be used to automate deterministic build processes.
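As an added illustration of the normalization described above (example code, not taken from the article or from any project it names), the following script packs the same source tree from two checkouts whose file timestamps differ. A naive archiving step produces different hashes, whereas sorting the inputs and pinning mtime, owner and mode (here to an assumed SOURCE_DATE_EPOCH value) makes the output byte-identical.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Hypothetical value standing in for SOURCE_DATE_EPOCH of the release commit.
SOURCE_DATE_EPOCH = 1500000000

def build_tarball(src_dir: str, reproducible: bool) -> bytes:
    """Pack src_dir into a tar archive held in memory and return its bytes.
    reproducible=False adds files in listing order with on-disk metadata;
    reproducible=True sorts the inputs and normalizes timestamps, owner and mode."""
    root = Path(src_dir)
    files = [p for p in root.rglob("*") if p.is_file()]
    if reproducible:
        files.sort()  # directory listing order is filesystem dependent
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in files:
            info = tar.gettarinfo(str(path), arcname=path.relative_to(root).as_posix())
            if reproducible:
                info.mtime = SOURCE_DATE_EPOCH  # clamp timestamps to the source date
                info.uid = info.gid = 0         # drop the builder's uid/gid
                info.uname = info.gname = ""
                info.mode = 0o755 if info.mode & 0o111 else 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def make_checkout(tmp: str, name: str, mtime: int) -> str:
    """Constructed sample tree; mtime simulates a checkout done at another time."""
    root = Path(tmp) / name
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (root / "Makefile").write_text("all: src/main.c\n")
    for p in root.rglob("*"):
        os.utime(p, (mtime, mtime))
    return str(root)
def compare_builds() -> dict:
    """Build the same sources from two checkouts and report which hashes agree."""
    with tempfile.TemporaryDirectory() as tmp:
        a = make_checkout(tmp, "checkout_a", 1600000000)
        b = make_checkout(tmp, "checkout_b", 1700000000)
        naive = sha256(build_tarball(a, False)) == sha256(build_tarball(b, False))
        repro = sha256(build_tarball(a, True)) == sha256(build_tarball(b, True))
    return {"naive_matches": naive, "reproducible_matches": repro}
```

A real build pipeline would apply the same treatment to every stage that embeds environment data, not only the final archive.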
History
One of the older[4] projects to promote reproducible builds is the Bitcoin project with Gitian. Later, in 2013, the Tor anonymity network project started using Gitian for its reproducible builds.[5] Debian followed: by July 2017, more than 90% of the packages in its repository had been proven to build reproducibly.[6]
In November 2018, the Reproducible Builds project joined the Software Freedom Conservancy.[7]
F-Droid uses reproducible builds to provide a guarantee that the distributed APKs are built from the claimed free source code.[8]
References
- ↑ 1.0 1.1 "reproducible-builds.org". https://reproducible-builds.org. "Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers....build system needs to be made entirely deterministic: transforming a given source must always create the same result."
- ↑ Ratliff, Emily (4 April 2016). "Establishing Correspondence Between an Application and its Source Code | SecurityWeek.com". SecurityWeek. http://www.securityweek.com/establishing-correspondence-between-application-and-its-source-code.
- ↑ "Gitian: a secure software distribution method" (in en). https://gitian.org/.
- ↑ "LICENSE-file of the Gitian-Project". https://github.com/devrandom/gitian-builder/blob/master/LICENSE.
- ↑ "Deterministic Builds Part Two: Technical Details". 4 October 2013.
- ↑ "Linux-Distributionen: Mehr als 90 Prozent der Debian-Pakete reproduzierbar - Golem.de" (in de-DE). 2017-07-24. https://www.golem.de/news/linux-distributionen-mehr-als-90-prozent-der-debian-pakete-reproduzierbar-1707-129094.html.
- ↑ "Reproducible Builds joins the Software Freedom Conservancy". https://reproducible-builds.org/news/2018/11/08/reproducible-builds-joins-software-freedom-concervancy/.
- ↑ "Reproducible Builds". F-Droid. https://f-droid.org/docs/Reproducible_Builds/.
Original source: https://en.wikipedia.org/wiki/Reproducible builds.