Please keep in mind that history is written by the winners. Let's just hope for not too much betrayal.

Tell the tale

The idea of reproducible builds is not very new. In the Debian world, it was first mentioned in 2000, and then more explicitly in 2007 on debian-devel: “I think it would be really cool if the Debian policy required that packages could be rebuild bit-identical from source.” Unfortunately, the reactions were not really enthusiastic either time.

Interest in reproducible builds picked up again with Bitcoin. Users of bitcoins needed a way to trust that they were not downloading corrupted software. Initial versions of Gitian were written in 201 to solve the problem. It drives builds using virtual machines and Git.

The global surveillance disclosures in 2013 raised interest even further. Mike Perry worked on making the Tor Browser build reproducibly, in fear of a “malware that attacks the software development and build processes themselves to distribute copies of itself to tens or even hundreds of millions of machines in a single, officially signed, instantaneous update”.

The success of making such a large piece of software build reproducibly proved that it was feasible for other projects. This prompted Lunar to organize a discussion at DebConf13. Even though it was scheduled at the last minute, there were still about thirty attendees who were very much interested, amongst them members of the technical committee and a few other core teams. Minutes are available.

After some more research during the conference, the initial wiki page was created.

To be continued…

Archive wide rebuilds

Presentations


With free software, anyone can inspect the source code for malicious flaws. But Debian provides binary packages to its users. The idea of “deterministic” or “reproducible” builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source.

More information about reproducible builds in general is available at reproducible-builds.org.

Publicity

This section lists URLs, people, and dates for when other people have publicly expressed interest in, or shared information about, the project.

Contributors