Awarded contract
Published
The Reproducible Builds Project
Description
The Reproducible Builds project's mission is to ensure the security of the 'supply chains' used in open source software — that is, preventing attacks targeting the complex systems that build our shared digital infrastructure.
Lot 1: Since 2015, the Reproducible Builds project has helped thousands of FOSS projects ensure that no compromises to their build systems can occur. This includes Tails (https://tails.boum.org/), a free operating system used by journalists collaborating on WikiLeaks, the Pegasus Project, and the Panama Papers.
On a deeper level, the project addresses a key problem in the integrity of our digital infrastructure: although security experts can analyse the source code of FOSS projects, almost all the software that we actually use is assembled by a complex network of third parties. Because of this, bad actors can compromise thousands of systems by tampering with software after it was initially written — but before it reaches end-user systems. This can be achieved by manipulating app stores and other software repositories, or by hacking the build systems that convert human-readable source code into computer code.
To address this critical 'missing piece', the Reproducible Builds project provides a framework and set of tools so that software projects can verify the link from the original source code to the actual binary code running on users' devices. With Reproducible Builds, FOSS projects are able to mathematically prove that no supply-chain compromises have occurred. The project can reveal the injection of backdoors introduced by compromising build farms, package repositories, developers' laptops and so on. But it can also uncover when organisations or individuals have been compelled to make changes via blackmail or government order. The users of a number of high-profile projects such as Tor, Tails and Debian are much more secure today because of this work.
More generally, FOSS is an increasingly vital resource in virtually all industries, so ensuring the integrity of open source projects increases the integrity of our entire digital infrastructure. By investing in the Reproducible Builds project, the STF is contributing to the security and long-term maintenance of critical FOSS components, as well as a newer and safer software development paradigm, therefore working towards its mission of securing the FOSS ecosystem.
The project is divided into seven main activities:
1. Development of reliable archive snapshot service
2. Diffoscope improvements
3. Interview Series
4. Reproducibility of the Debian installer
5. Debian NMU (Non-Maintainer Upload) campaign
6. Testing framework
7. Package rebuilders