1

I found an article on The Register of the UK about the reproducible builds in Debian. I couldn't understand much from it. Could anyone simplify this for me, please? Here's the link: Reproducible Builds

  • It means Debian can prove that the binaries you have are actually compiled from the sources published by Debian. What is the confusion? – Milind Dumbare Mar 08 '15 at 18:52
  • So how come it's one-of-a-kind? –  Mar 08 '15 at 18:57
  • 3
    Because no one else gives you source code and grantees that the binary you have is actually built from that source code. Though you have source code open. You cant really be sure that the binaries are not built from compromised sources. – Milind Dumbare Mar 08 '15 at 18:58

2 Answers

6

The canonical starting point for understanding all this is Ken Thompson's Reflections on Trusting Trust, where he demonstrates that you can't ever really trust a system not to have back doors, even if you rebuild from source.

The reproducible builds initiative in Debian aims to help provide trust guarantees to users in spite of this. Imagine you're running a security audit on a system like Debian: you read through the source code and make sure it meets your requirements. But when you use a system like Debian, you don't use the source code; you use binaries provided by the distribution. How can you be sure that the binaries actually match the source code you've audited?

As it stands you can't: the computers used to build the binaries might have been compromised, or perhaps even the package maintainer uploaded a compromised binary which didn't match the source code.

With reproducible builds, the binaries come with enough information that you can take the published source code, rebuild the binaries and obtain byte-for-byte identical binaries to those published in the archives. This proves that the source code does match the binaries, so the results of your analysis of the source code can be applied to the binaries too, as long as you can say the same of all the other binaries which contribute to build the binaries you're analysing. This means you need to be able to reproducibly build the compiler, the libraries etc. that are involved; and so you need to be able to reproducibly build the complete distribution, which is what Debian reproducible builds aims for.

user1133275
Stephen Kitt
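To see the problem and the fix concretely, here is an added example (not from the answer above or from the Debian project) that uses a tarball as a stand-in for a package: two "build machines" build the same source, once naively and once with every machine-specific input pinned, and the outputs are compared by hash. It assumes GNU tar 1.28 or later (for --sort), gzip and sha256sum.

```shell
#!/bin/sh
# Why a naive build is not reproducible, and how normalising build inputs
# makes two independent rebuilds byte-for-byte identical.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample "source tree": what a rebuilder would check out.
make_source() {
    mkdir -p "$1/src"
    printf 'int main(void){return 0;}\n' > "$1/src/main.c"
    printf 'all:\n\tcc -o hello src/main.c\n' > "$1/Makefile"
}

# Naive build: file mtimes and the gzip header carry the wall-clock time of
# the machine that built it, so two honest rebuilds differ.
naive_build() {   # $1 = source dir, $2 = output, $3 = simulated checkout time
    find "$1" -exec touch -d "$3" {} +
    tar -C "$1" -czf "$2" .
}

# Reproducible build: pin every source of variation (entry order, mtime,
# ownership, gzip name/timestamp) to values that do not depend on the machine.
reproducible_build() {   # $1 = source dir, $2 = output, $3 = SOURCE_DATE_EPOCH
    tar -C "$1" --sort=name --mtime="@$3" --owner=0 --group=0 --numeric-owner \
        -cf - . | gzip -n > "$2"
}

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Returns 0 when two independent builds of the same source are identical.
builds_match() {   # $1 = naive | reproducible
    a="$work/$1-a"; b="$work/$1-b"
    make_source "$a"; make_source "$b"
    if [ "$1" = naive ]; then
        naive_build "$a" "$a.tar.gz" '2015-03-08 18:52:00'
        naive_build "$b" "$b.tar.gz" '2015-03-09 07:23:00'
    else
        reproducible_build "$a" "$a.tar.gz" 1425840720
        reproducible_build "$b" "$b.tar.gz" 1425840720
    fi
    [ "$(sha "$a.tar.gz")" = "$(sha "$b.tar.gz")" ]
}

builds_match naive && echo "naive: identical" || echo "naive: differ"
builds_match reproducible && echo "reproducible: identical" || echo "reproducible: differ"
```

The hash comparison at the end is exactly the check a third party performs against the archive: if the rebuilt artifact matches, the published binary is shown to come from the published source.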
1

This means Debian will guarantee that the Debian binary packages you have are from the sources exactly and not from some other code. They will keep info about the binaries in the package trackers.

When you get the binary packages on Linux distributions you cannot be really sure if the binaries are from source code that is released by the distribution.

  • And how would that make a difference? –  Mar 08 '15 at 19:06
  • 1
    The source code could have been modified before being used to make the binaries - so lots of nasty stuff could have been added... – Wilf Mar 09 '15 at 07:23