dc13 - 1.0


Day DebConf day 5 (2013-08-15)
Room BoF room 1
Start time 11:30
Duration 00:45
ID 1063
Event type bof
Track QA
Language en

Byte-for-byte identical reproducible builds?

Protecting Debian from targeted attacks

The Bitcoin client and the upcoming Tor Browser Bundle 3.0 series are using a build system that produces “deterministic builds” — packages which are byte-for-byte identical no matter who actually builds them or what hardware they use. The idea is that current popular software development practices simply cannot survive targeted attacks of the scale and scope that we are seeing today. With “deterministic builds”, any individual can use an anonymity network to download the publicly signed and audited source code and reproduce the builds exactly, without an attacker being able to single them out for such a targeted attack. If they notice any differences, they can alert the public builders/signers, hopefully anonymously.

Are such ideas applicable to Debian, and to what extent? What would be the first stepping stones toward reproducible builds of Debian packages?
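The build-and-compare loop described in the abstract, as an added example that is not part of this DebConf page, of the Bitcoin or Tor build systems, or of any Debian tooling: a POSIX shell script that packs a small constructed source tree twice (as two independent builders would), once naively and once with fixed timestamps, owners and member order, hashes both results, and then checks a locally built artifact against a hash the official builders would publish. It assumes GNU tar and gzip; the source tree, file names and hashes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the DebConf13 page or from any of the projects it mentions.
# Shows one concrete source of non-reproducibility (file metadata in a tarball) and the
# verification step an independent builder performs. Assumes GNU tar and gzip.
set -eu

# Constructed sample source tree; names are hypothetical.
make_tree() {
    dir=$1
    mkdir -p "$dir/src"
    printf 'int main(void){return 0;}\n' > "$dir/src/main.c"
    printf 'all:\n\tcc -o hello src/main.c\n' > "$dir/Makefile"
}

# Naive build: archives whatever mtimes, uid/gid and readdir order the builder's
# machine happens to have, so two builders get different bytes.
naive_tarball() {   # $1 = tree dir, $2 = output file (outside the tree)
    (cd "$1" && tar -czf - .) > "$2"
}

# Deterministic build: sorted member list, fixed mtime, numeric owner 0:0, and gzip -n
# so neither the tar headers nor the gzip header carry builder-specific data.
repro_tarball() {   # $1 = tree dir, $2 = output file (outside the tree)
    (cd "$1" && find . -type f | LC_ALL=C sort \
        | tar --no-recursion --mtime='@0' --owner=0 --group=0 --numeric-owner \
              -cf - --files-from - | gzip -n) > "$2"
}

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Simulate two independent builders: each has its own checkout, made at a different
# time, so file mtimes differ. Returns 0 iff both outputs are byte-for-byte identical.
build_twice_and_compare() {   # $1 = name of the build function to use
    work=$(mktemp -d)
    make_tree "$work/a"; make_tree "$work/b"
    touch -d '2013-08-15 11:30:00' "$work/a/src/main.c" "$work/a/Makefile"
    touch -d '2013-08-16 09:00:00' "$work/b/src/main.c" "$work/b/Makefile"
    "$1" "$work/a" "$work/a.tar.gz"
    "$1" "$work/b" "$work/b.tar.gz"
    ha=$(sha256 "$work/a.tar.gz"); hb=$(sha256 "$work/b.tar.gz")
    rm -rf "$work"
    [ "$ha" = "$hb" ]
}

# The verification step from the abstract: compare the hash of what you built yourself
# against the hash the official builders published (and signed). A mismatch is the
# signal to raise with the public builders/signers.
verify_against_published() {   # $1 = local artifact, $2 = published sha256 hex digest
    [ "$(sha256 "$1")" = "$2" ]
}

# Stand-alone run: the naive build differs between builders, the deterministic one does not.
if build_twice_and_compare naive_tarball; then echo "naive build:         identical"
else echo "naive build:         DIFFERENT (mtimes leaked into the archive)"; fi
if build_twice_and_compare repro_tarball; then echo "deterministic build: identical"
else echo "deterministic build: DIFFERENT"; fi
```

The same idea scales up: a real package build also has to pin the build path, locale, timezone, umask and toolchain versions, and the published hash must be signed so that the verifier compares against what the signers actually shipped, not against a value an attacker substituted.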