DebConf13

Byte-for-byte identical reproducible builds?

Protecting Debian from targeted attacks

The Bitcoin client and the upcoming Tor Browser Bundle 3.0 series are using a build system that produces “deterministic builds” — packages which are byte-for-byte identical no matter who actually builds them, or what hardware they use. The idea is that current popular software development practices simply cannot survive targeted attacks of the scale and scope that we are seeing today. With “deterministic builds”, any individual can use an anonymity network to download publicly signed and audited source code and reproduce the builds exactly, without being subject to such targeted attacks. If they notice any differences, they can alert the public builders/signers, hopefully anonymously.

Are such ideas applicable to Debian? To what extent? What would be the first stones to pave the way toward reproducible builds of Debian packages?
