Grant: Reproducible Builds – Deterministic Protection Against Attacks in Free Software

Date of Grant: July 24, 2020
Grant Amount: $75,000

Reproducible Builds develops a set of software development practices that create an independently-verifiable path from source to binary code. This grant supports their efforts in ensuring the long-term health of our technological ecosystem.

The project is fiscally sponsored by the Software Freedom Conservancy, a not-for-profit charity that helps promote, improve, develop, and defend Free, Libre, and Open Source Software (FLOSS) projects.

About the Reproducible Builds project

One of the original promises of open source software was that peer review would result in greater end-user security and stability of our digital ecosystem. However, although it is theoretically possible to inspect and build the original source code in order to avoid maliciously-inserted flaws, almost all software today is distributed in prepackaged form.

This disconnect allows third-parties to compromise systems by injecting code into seemingly secure software during the build process, as well as by manipulating copies distributed from ‘app stores’ and other package repositories.

To address this, ‘Reproducible builds’ are a set of software development practices, ideas and tools that create an independently-verifiable path from the original source code, all the way to what is actually running on our machines. Reproducible builds can reveal the injection of backdoors introduced by the hacking of developers’ own computers, build servers and package repositories, but can also expose where volunteers or companies have been coerced into making changes via blackmail, government order, and so on.
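As an added illustration (not code from the Reproducible Builds project), the toy build below packs a constructed source tree two ways: a conventional build that embeds each builder's clock and directory-listing order, and one that honours SOURCE_DATE_EPOCH and sorts its entries. `independently_verify` is the bit-for-bit comparison an independent rebuilder performs; its `inject` parameter is a hypothetical stand-in for a compromised build host.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (filename -> contents).
SOURCES = {"main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}


def build(sources, clock, source_date_epoch=None, inject=None):
    """Pack `sources` into a tar archive, standing in for a compiler/packager.
    `clock` is this builder's wall-clock time. When SOURCE_DATE_EPOCH is set
    (the convention specified by reproducible-builds.org), entry mtimes are
    pinned to it and entries are emitted in sorted order instead of whatever
    order the filesystem returned. `inject` (hypothetical) simulates a
    compromised build host appending extra code to one file."""
    reproducible = source_date_epoch is not None
    names = sorted(sources) if reproducible else list(sources)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = sources[name]
            if inject and name == inject[0]:
                data += inject[1]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch if reproducible else clock
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def independently_verify(sources, source_date_epoch=None, inject=None):
    """The reproducible-builds check: the upstream build and an independent
    rebuild (different clock, different directory order) must match
    bit-for-bit. Any difference, including injected code, is exposed."""
    upstream = build(sources, clock=1595548800,
                     source_date_epoch=source_date_epoch)
    rebuilt = build(dict(reversed(list(sources.items()))), clock=1700000000,
                    source_date_epoch=source_date_epoch, inject=inject)
    return sha256(upstream) == sha256(rebuilt)
```

Real builds must also normalize ownership, locale, build paths and similar sources of variation; the tool `diffoscope` from the project is what practitioners use to locate whichever bytes still differ.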

A world without reproducible builds is a world where our digital infrastructure cannot be trusted and where online communities are slower to grow, collaborate less and are increasingly fragile. Without reproducible builds, we leave space for greater encroachments on our liberties both by individuals as well as powerful, unaccountable actors such as governments, large corporations and autocratic regimes.

The Reproducible Builds project began as a project within the Debian community, but is now working with many crucial and well-known free software projects such as Coreboot, openSUSE, OpenWrt, Tails, GNU Guix, bootstrappable.org, FreeBSD, Arch Linux, Tor, and many others. It is now an entirely Linux-distribution-independent effort, and serves as the central clearing house for all matters related to securing build systems and software supply chains of all kinds.

For more about the Reproducible Builds project, please see their website at: https://reproducible-builds.org/