Very glad to receive the #IEEESoftware best paper award (for year 2022) for "Reproducible Builds: Increasing the Integrity of Software Supply Chains" with C. Lamb: https://ieeexplore.ieee.org/document/9403390 (#OpenAccess preprint also available). I hope it will help to spread the word even more about the importance of #ReproducibleBuilds among both researchers and practitioners.

Reproducible Builds: Increasing the Integrity of Software Supply Chains
Although it is possible to increase confidence in free and open source software by reviewing its source code, trusting code is not the same as trusting its executable counterparts. This article examines reproducible builds, an approach that can determine whether generated binaries correspond to the original source code.
In an upcoming #IEEESoftware paper with Chris Lamb, we describe the #ReproducibleBuilds approach to increase the integrity of [#opensource] software #SupplyChains and how that worked out for #Debian.
#openaccess preprint: https://arxiv.org/abs/2104.06020
#FreeSoftware #FOSS #ReproBuilds
Reproducible Builds: Increasing the Integrity of Software Supply Chains
Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner, that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).
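As an added illustration (not code from the paper or from the Reproducible Builds project), a toy Python model of the check the abstract describes: a build that captures its timestamp and build directory never rebuilds bit-for-bit, the normalised build does, and only then can a third party rebuild from source and compare the result against a vendor-shipped binary. SOURCE_DATE_EPOCH is the real convention the project uses for a fixed timestamp; the source tree, the "compiler" and all file contents are constructed.

```python
import hashlib
import os
import tempfile
import time

# Constructed sample source tree (path -> contents); not a real project.
SOURCES = {
    "src/util.c": b"int helper(void) { return 42; }\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

def naive_build(sources):
    """Toy stand-in for a non-reproducible build: it concatenates the inputs in
    whatever order they are listed and embeds two facts about the build machine
    that many real toolchains capture by default, the build time (cf. __DATE__
    and __TIME__) and the absolute build directory."""
    workdir = tempfile.mkdtemp(prefix="build-")   # differs on every run
    try:
        out = b"".join(sources[p] for p in sources)
        out += b"BUILD_TIME=%d\n" % time.time_ns()  # differs on every run
        out += b"BUILD_DIR=%s\n" % workdir.encode()
    finally:
        os.rmdir(workdir)
    return out

def reproducible_build(sources, source_date_epoch):
    """The same toy build with the normalisations the Reproducible Builds effort
    applies: inputs in a stable sorted order, the timestamp taken from
    SOURCE_DATE_EPOCH instead of the clock, and no build path in the output."""
    out = b"".join(sources[p] for p in sorted(sources))
    out += b"BUILD_TIME=%d\n" % source_date_epoch
    return out

def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()

def independently_rebuilds(build, *args):
    """The reproducibility check itself: two separate builds of identical inputs
    must produce bit-for-bit identical output, i.e. the same digest."""
    return digest(build(*args)) == digest(build(*args))

def corresponds_to_source(shipped_artifact, sources, source_date_epoch):
    """What a third party can do once a build is reproducible: rebuild from the
    published source and compare with the binary the vendor shipped. A mismatch
    means the binary was not produced from this source (or the build is still
    nondeterministic) and warrants investigation before the binary is trusted."""
    rebuilt = reproducible_build(sources, source_date_epoch)
    return digest(shipped_artifact) == digest(rebuilt)
```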