DebConf13
| Speakers | |
|---|---|
| Lunar | |

| Schedule | |
|---|---|
| Day | DebConf day 5 (2013-08-15) |
| Room | BoF room 1 |
| Start time | 11:30 |
| Duration | 00:45 |

| Info | |
|---|---|
| ID | 1063 |
| Event type | bof |
| Track | QA |
| Language | en |
Byte-for-byte identical reproducible builds?
Protecting Debian from targeted attacks
The Bitcoin client and the upcoming Tor Browser Bundle 3.0 series are using a build system that produces “deterministic builds” — packages which are byte-for-byte identical no matter who actually builds them, or what hardware they use. The idea is that current popular software development practices simply cannot survive targeted attacks of the scale and scope that we are seeing today. With “deterministic builds”, any individual can use an anonymity network to download publicly signed and audited source code and reproduce the builds exactly, without being subject to such targeted attacks. If they notice any differences, they can alert the public builders/signers, hopefully anonymously.
Are such ideas applicable to Debian? To what extent? What would be the first stones to pave the way toward reproducible builds of Debian packages?
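As an added illustration of the mechanism the abstract describes (this is example code written for this page, not part of the BoF abstract and not the build system of the Bitcoin client or the Tor Browser Bundle), the following Python script shows the core of a reproducibility check. A constructed sample source tree is "checked out" into two different directories at two different times and archived twice: once the naive way, which leaks the build path, file timestamps, ownership and the gzip header time into the output, and once with that metadata normalised (sorted entries, paths relative to the checkout, mtime 0, uid/gid 0, no user names, canonical mode bits, gzip mtime 0). The naive archives differ; the normalised ones are byte-for-byte identical, so an independent rebuilder can compare a digest against the one the official builders publish and notice when a source file on one side has been tampered with. File names, contents and timestamps are constructed for the example.

```python
"""Added example: why a plain archive build is not reproducible, and what
must be normalised so two independent builders get identical bytes.
The sample source tree below is constructed for this demonstration."""
import gzip
import hashlib
import hmac
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "source tree": relative path -> contents.
SAMPLE_TREE = {
    "README": b"demo package\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.h": b'#define VERSION "1.0"\n',
}


def write_tree(root: Path, tree: dict, mtime: int) -> None:
    """Materialise the tree under root, stamping each file with mtime to
    mimic a checkout made at a particular moment on a particular machine."""
    for rel, data in tree.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))


def build_naive(root: Path) -> bytes:
    """The 'obvious' build: tar the checkout as-is and gzip it. The output
    embeds the absolute build path, file mtimes, uid/gid and user names,
    and the gzip header carries the current time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(str(root))
    return buf.getvalue()


def build_reproducible(root: Path) -> bytes:
    """Same inputs, normalised metadata: entries in sorted order, paths
    relative to the checkout, mtime 0, uid/gid 0, no user or group names,
    canonical mode bits, and a gzip header with mtime 0."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(root.rglob("*")):
            info = tar.gettarinfo(str(path), arcname=path.relative_to(root).as_posix())
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644
            if info.isfile():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return gzip.compress(tar_buf.getvalue(), mtime=0)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published(published_sha256: str, rebuilt: bytes) -> bool:
    """What an independent rebuilder does: compare their own build against
    the digest the official builders signed and published."""
    return hmac.compare_digest(sha256(rebuilt), published_sha256)


def demo() -> dict:
    """Build the same source twice, as two different people would: different
    checkout directories, different checkout times. Then tamper with one
    builder's copy and check that the published digest no longer matches."""
    results = {}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        root_a, root_b = Path(a) / "pkg", Path(b) / "pkg"
        write_tree(root_a, SAMPLE_TREE, mtime=1_000_000_000)
        write_tree(root_b, SAMPLE_TREE, mtime=1_300_000_000)

        # Different paths and timestamps leak into the naive archive.
        results["naive_identical"] = build_naive(root_a) == build_naive(root_b)

        official = build_reproducible(root_a)
        results["reproducible_identical"] = matches_published(
            sha256(official), build_reproducible(root_b))
        results["reproducible_sha256"] = sha256(official)

        # A trojaned source file on the second builder changes the bytes.
        (root_b / "src" / "main.c").write_bytes(b"int main(void) { return 1; }\n")
        results["tamper_detected"] = not matches_published(
            sha256(official), build_reproducible(root_b))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is the last step: once two honest builders agree on every byte, any disagreement is a signal worth reporting, whether it comes from a compromised build machine, a tampered source download served only to one person, or simply an environment difference that still needs to be normalised.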