Debian is on its way to becoming what could be the first operating system to prove the origin of its binaries, technologist Micah Lee says.
The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package.
So far a project team devoted to confirming the reproducibility of builds has knocked off 83 percent of source packages within the main archive of the unstable distribution.
The effort will not be completed in time for the next major Debian release, codenamed Jessie, but reproducible builds could become a feature of the following stable release, dubbed Stretch.
“The team developed the tool debbindiff to provide in-depth detailed diffs of binary packages,” Debian said in a report note.
“Packages are then built twice on jenkins.debian.net, and reproducibility results are reported on the Debian Package Tracker.
The [reproducibility] team is considering submitting a proposal to make reproducible builds a release goal for Stretch, the next stable release after Jessie.”
Reproducibility is important, according to technologists Mike Perry and Seth Schoen, because it can help close transparency gaps that exist in the provenance of binaries. They pointed to the need for reproducibility in a November talk at Mozilla. That talk included the following statement:
“We often speak as if open source software can't contain backdoors or malware because its source code is 'published', rendering any potentially malicious code visible. But real-world software release processes have major transparency gaps that aren't addressed by most existing open source development practices. The biggest such gap is that compilation and packaging processes aren't reproducible. Trying to recreate these processes typically yields a different result. That means users can't directly verify that the binary releases they download and use were actually created from the purportedly corresponding source trees.”
Worse, the Tor and Electronic Frontier Foundation boffins say, those releasing software cannot be sure that a compromise in their infrastructure has not introduced a tiny and all but undetectable flaw into a binary version. ®
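
The build-twice-and-compare check from the Debian report note can be sketched as follows. This is an added example, not Debian's debbindiff or any code from the project: it assumes a plain tar archive as a stand-in for a binary package, and `build_archive`, `members`, `compare_builds` and the sample files are hypothetical names and constructed data.

```python
import hashlib
import io
import tarfile

# Constructed sample "source package" contents (not real Debian files).
SOURCE = {"usr/bin/tool": b"\x7fELF-constructed-binary", "usr/share/doc/README": b"docs\n"}

def build_archive(files, mtime):
    """Hypothetical stand-in for a package build: tar the files with one timestamp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):          # fixed member order
            info = tarfile.TarInfo(name)    # uid/gid/mode take fixed defaults
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def members(blob):
    """Map member name -> content hash and metadata for one archive."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            out[m.name] = {"sha256": hashlib.sha256(data).hexdigest(),
                           "mtime": m.mtime, "mode": m.mode}
    return out

def compare_builds(a, b):
    """Return (reproducible, [(member, field), ...]) for two build outputs."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return True, []
    ma, mb = members(a), members(b)
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "missing"))
            continue
        diffs += [(name, f) for f in ("sha256", "mtime", "mode") if ma[name][f] != mb[name][f]]
    return False, diffs

if __name__ == "__main__":
    first = build_archive(SOURCE, mtime=1000)
    print(compare_builds(first, build_archive(SOURCE, mtime=1000)))  # same inputs
    print(compare_builds(first, build_archive(SOURCE, mtime=2000)))  # clock leaked in
    altered = dict(SOURCE, **{"usr/bin/tool": b"\x7fELF-constructed-b1nary"})
    print(compare_builds(first, build_archive(altered, mtime=1000)))  # content changed
```

A difference reported only in `mtime` points at build-environment noise to be normalised, while a difference in `sha256` means the shipped content itself does not match what the source produces.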