Reproducible builds: Two years in the trenches…
Friday 10:40 a.m.–11:25 a.m.
Target audience: Developer
Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users.
The motivation behind "reproducible" builds is to allow verification that no flaws have been introduced during this compilation process, by promising that identical binary packages are always generated from a given source.
This defends against backdoor-introducing malware installed on developers' machines: an attacker would need to simultaneously infect or blackmail every developer attempting to reproduce the build.
This talk will focus heavily on how exactly software can fail to be reproducible, the tools, tests & specifications we have written to fix & diagnose issues, as well as the many amusing "fails" in upstream's code that have been unearthed by this process. In addition, you will learn what to avoid in your own software as well as the future efforts in the Reproducible Builds arena.
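The check that reproducible builds make possible, as an added example that is not code from the talk or from the Reproducible Builds project: a toy "build" packages a constructed source tree into a tar archive. The naive build embeds the wall-clock time, the builder's user name and the filesystem's file order, so two builders never get the same bytes; the reproducible build takes its timestamp from a caller-supplied SOURCE_DATE_EPOCH value, sorts its inputs and normalises ownership, so any rebuilder obtains a byte-identical artifact and a changed source file shows up as a digest mismatch. All function names and the sample files are this example's own.

```python
"""Toy reproducibility check (added example; assumed names throughout)."""
import hashlib
import io
import os
import tarfile
import time

# Constructed sample source tree: path -> file contents.
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
    "README": b"toy project\n",
}


def naive_build(source, now=None, order=None, builder=None):
    """Non-reproducible build: leaks build time, file order and builder identity."""
    now = int(time.time()) if now is None else now
    order = list(source) if order is None else order          # filesystem order
    builder = os.environ.get("USER", "builder") if builder is None else builder
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in order:
            data = source[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = now          # wall-clock timestamp ends up in the artifact
            info.uname = builder      # so does the account that ran the build
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(source, source_date_epoch):
    """Reproducible build: fixed timestamp, sorted inputs, normalised ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(source):                           # stable order
            data = source[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = source_date_epoch                    # from SOURCE_DATE_EPOCH
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(artifact_a, artifact_b):
    """What an independent rebuilder does: compare digests of two artifacts.

    Returns (identical, digest_a, digest_b)."""
    a, b = sha256(artifact_a), sha256(artifact_b)
    return a == b, a, b


def member_metadata(artifact):
    """Per-member (name, mtime, uid, uname) in archive order: the fields that
    most often explain why two builds differ."""
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r") as tar:
        return [(m.name, m.mtime, m.uid, m.uname) for m in tar.getmembers()]


def demo():
    """Two builders at different times with different file order and user."""
    naive_a = naive_build(SOURCE, now=1_600_000_000,
                          order=["src/main.c", "src/util.c", "README"], builder="alice")
    naive_b = naive_build(SOURCE, now=1_600_000_042,
                          order=["README", "src/util.c", "src/main.c"], builder="bob")
    repro_a = reproducible_build(SOURCE, source_date_epoch=1_500_000_000)
    repro_b = reproducible_build(SOURCE, source_date_epoch=1_500_000_000)
    return {"naive": verify(naive_a, naive_b)[0],
            "reproducible": verify(repro_a, repro_b)[0]}


if __name__ == "__main__":
    print(demo())
```

Running the script prints `{'naive': False, 'reproducible': True}`; calling `member_metadata` on the two naive artifacts shows the differing mtimes, member order and user names, which is the kind of diagnosis the project's diffoscope tool performs on real packages. Note that the reproducible variant is only reproducible for an agreed SOURCE_DATE_EPOCH, so that value has to travel with the source (in the changelog or build metadata) for a rebuilder to obtain the same bytes.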
I am a polyglot freelance computer programmer who is the author of dozens of free projects and contributor to hundreds of others. I've been an official Debian Developer since 2008 and am currently highly active in the Reproducible Builds project, where I have been awarded a grant from the Core Infrastructure Initiative to fund my work in this area. In my spare time I'm an avid classical musician and Ironman triathlete.