Why and How of Reproducible Builds: Distrusting Our Own Infrastructure for Safer Software Releases

From the EFF and Tor Project:

Seth Schoen, Senior Staff Technologist, EFF
Mike Perry, Tor Browser Technical Lead, Tor Project

We often speak as if open source software can't contain backdoors or malware because its source code is "published", rendering any potentially malicious code visible. But real-world software release processes have major transparency gaps that aren't addressed by most existing open source development practices. The biggest such gap is that compilation and packaging processes aren't reproducible. Trying to recreate these processes typically yields a different result. That means users can't directly verify that the binary releases they download and use were actually created from the purportedly corresponding source trees.

Maybe worse, neither can the people making the releases: various compromises in their infrastructure or processes could produce an undetected, tiny, and malicious difference between source and binary versions -- constituting a vulnerability that will never be detected by source code auditing alone.

We are technical staff members at the Electronic Frontier Foundation and the Tor Project who find this situation worrying. We'll try to demonstrate how attacks on software development infrastructure could be easy, cheap, and catastrophic. We'll consider why software development organizations need to worry about this issue and what they can do about it. One of us (Mike) has addressed this problem in the release process of Tor Browser, one of the most-used Firefox-derived browsers; as a result of this work, third parties can and do meaningfully double-check whether released binary and source packages correspond.
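The transparency gap described above, as an added example (not code from the talk, from the EFF, or from Tor Browser's build process): a toy packaging step in Python that shows where a naive release build picks up machine-specific bits, and what a reproducible build has to normalise. The BuildEnv values, the sample source tree and the fallback timestamp are constructed fixtures; SOURCE_DATE_EPOCH itself is the Reproducible Builds convention of pinning every embedded timestamp to a value taken from the source. The naive build leaks the builder's uid, user name, clock and directory-walk order into the tar headers and the gzip header, so two rebuilders get different hashes from the same source; the deterministic build replaces each of those fields and yields byte-identical output that a third party can compare against the published hash.

```python
# Added example, not the talk's or Tor Browser's code: naive vs. reproducible packaging.
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from dataclasses import dataclass
from typing import List

# Reproducible-builds convention: embedded timestamps come from the source
# (SOURCE_DATE_EPOCH, usually the commit date). The fallback is an arbitrary fixture.
SOURCE_DATE_EPOCH = int(os.environ.get("SOURCE_DATE_EPOCH", "1700000000"))


@dataclass(frozen=True)
class BuildEnv:
    """Constructed stand-in for what os.stat()/time.time() report on one build
    machine; two engineers rebuilding the same tree have different values."""
    uid: int
    gid: int
    uname: str
    clock: int  # seconds since the epoch


def make_source_tree() -> str:
    """Constructed sample source tree (not a real project)."""
    root = tempfile.mkdtemp(prefix="repro-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "README"), "w") as f:
        f.write("toy package\n")
    return root


def source_files(root: str, deterministic: bool) -> List[str]:
    """Relative paths to package. os.walk order is filesystem dependent, so a
    reproducible build sorts it instead of trusting it."""
    rels = []
    for dirpath, dirnames, filenames in os.walk(root):
        if deterministic:
            dirnames.sort()
        for name in filenames:
            rels.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(rels) if deterministic else rels


def package(root: str, env: BuildEnv, deterministic: bool) -> bytes:
    """Build a .tar.gz of the tree. deterministic=False is what an ad-hoc
    release script does: uid, user name, clock and umask leak into the tar
    headers and the gzip header. deterministic=True pins every such field."""
    buf = io.BytesIO()
    gz_mtime = 0 if deterministic else env.clock  # gzip header timestamp
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gz_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for rel in source_files(root, deterministic):
                full = os.path.join(root, rel)
                info = tar.gettarinfo(full, arcname=rel)
                if deterministic:
                    info.mtime = SOURCE_DATE_EPOCH
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                    info.mode = 0o644  # do not trust the builder's umask
                else:
                    info.mtime = env.clock
                    info.uid, info.gid = env.uid, env.gid
                    info.uname = env.uname
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def digest(blob: bytes) -> str:
    """What a third-party rebuilder publishes and compares."""
    return hashlib.sha256(blob).hexdigest()


def explain_difference(a: bytes, b: bytes) -> List[str]:
    """Field-level comparison of two gzipped tarballs (a tiny cousin of
    diffoscope): reports which build input leaked in, not just that hashes differ."""
    findings = []
    ga, gb = int.from_bytes(a[4:8], "little"), int.from_bytes(b[4:8], "little")
    if ga != gb:  # gzip header bytes 4..7 hold the little-endian mtime
        findings.append("gzip header mtime: %d != %d" % (ga, gb))
    with tarfile.open(fileobj=io.BytesIO(a), mode="r:gz") as ta, \
         tarfile.open(fileobj=io.BytesIO(b), mode="r:gz") as tb:
        ma = {m.name: m for m in ta.getmembers()}
        mb = {m.name: m for m in tb.getmembers()}
        if list(ma) != list(mb):
            findings.append("member order: %s != %s" % (list(ma), list(mb)))
        for name in ma:
            if name not in mb:
                continue
            for field in ("mtime", "uid", "gid", "uname", "gname", "mode"):
                va, vb = getattr(ma[name], field), getattr(mb[name], field)
                if va != vb:
                    findings.append("%s: %s %r != %r" % (name, field, va, vb))
    return findings


if __name__ == "__main__":
    root = make_source_tree()
    alice = BuildEnv(uid=1000, gid=1000, uname="alice", clock=1700000000)
    bob = BuildEnv(uid=1001, gid=1001, uname="bob", clock=1700003600)
    for det in (False, True):
        same = digest(package(root, alice, det)) == digest(package(root, bob, det))
        print("deterministic=%s rebuild matches=%s" % (det, same))
    for line in explain_difference(package(root, alice, False), package(root, bob, False)):
        print("  leaked:", line)
```

Run it and the naive build fails to match between the two simulated builders while the deterministic one matches; the second loop lists the exact fields (gzip mtime, per-member mtime, uid, gid, uname) that differed. In a real release process the same comparison is done by an independent party rebuilding from the published source tree, which is the check the abstract says Tor Browser's process now permits.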

Duration: 1 hour 33 minutes
Channel: Main

Tags: tor, firefox, EFF, open source, security, build


