o
⬋ ⬊ December 2023 in Reproducible Builds
o o
⬊ ⬋ https://reproducible-builds.org/reports/2023-12/
o
Welcome to the December 2023 report from the Reproducible Builds [0]
project! In these reports we outline the most important things that we
have been up to over the past month. As a rather rapid recap, whilst
anyone may inspect the source code of free software for malicious flaws,
almost all software is distributed to end users as pre-compiled binaries
(more info: [1]).
[0] https://reproducible-builds.org
[1] https://reproducible-builds.org/#why-does-it-matter
§
"Reproducible Builds: Increasing the Integrity of Software Supply
Chains" awarded IEEE Software "Best Paper" award
-
In February 2022, we announced in these reports [2] that a paper written
by Chris Lamb [3] and Stefano Zacchiroli [4] was now available in the
March/April 2022 issue of IEEE Software [5]. Titled "Reproducible
Builds: Increasing the Integrity of Software Supply Chains" [6]
(PDF [7]).
This month, however, IEEE Software [8] announced that this paper has won
their Best Paper award [9] for 2022.
[2] https://reproducible-builds.org/reports/2023-02/
[3] https://chris-lamb.co.uk
[4] https://upsilon.cc/~zack/
[5] https://ieeexplore.ieee.org/abstract/document/9403390
[6] https://arxiv.org/abs/2104.06020
[7] https://arxiv.org/pdf/2104.06020
[8] https://www.computer.org/csdl/magazine/so
[9] https://twitter.com/ieeesoftware/status/1736684911690436868
§
Reproducibility to affect package migration policy in Debian
In a post summarising the activities of the Debian Release Team [10] at
a recent in-person Debian event in Cambridge, UK [11], Paul Gevers
announced a change to the way packages are "migrated" into the staging
area for the next stable Debian release based on its
reproducibility status:
> The folks from the Reproducibility Project have come a long way since
they started working on it 10 years ago, and we believe it's time for
the next step in Debian. Several weeks ago, we enabled a migration
policy in our migration software that checks for regression in
reproducibility. At this moment, that is presented as just for info, but
we intend to change that to delays in the not so distant future. We
eventually want all packages to be reproducible. To stimulate
maintainers to make their packages reproducible now, we'll soon start to
apply a bounty [speedup] for reproducible builds, like we've done with
passing autopkgtests [12] for years. We'll reduce the bounty for
successful autopkgtests at that moment in time.
[10] https://wiki.debian.org/Teams/ReleaseTeam
[11] https://wiki.debian.org/DebianEvents/gb/2023/MiniDebConfCambridge
[12] https://people.debian.org/~eriberto/README.package-tests.html
§
Speranza: "Usable, privacy-friendly software signing"
-
Kelsey Merrill, Karen Sollins, Santiago Torres-Arias and Zachary Newman
have developed a new system called Speranza, which is aimed at
reassuring software consumers that the product they are getting has not
been tampered with and is coming directly from a source they trust. A
write-up on TechXplore.com [13] goes into some more details:
> "What we have done," explains Sollins, "is to develop, prove correct,
and demonstrate the viability of an approach that allows the [software]
maintainers to remain anonymous." Preserving anonymity is obviously
important, given that almost everyone—software developers included—value
their confidentiality. This new approach, Sollins adds, "simultaneously
allows [software] users to have confidence that the maintainers are, in
fact, legitimate maintainers and, furthermore, that the code being
downloaded is, in fact, the correct code of that maintainer." [14]
The corresponding paper [15] is published on the arXiv [16] preprint
server in various formats, and the announcement has also been covered in
MIT News [17].
[13]
https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html
[14]
https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html
[15] https://arxiv.org/abs/2305.06463
[16] https://arxiv.org/
[17]
https://news.mit.edu/2023/speranza-boosting-faith-authenticity-open-source-software-1211
§
Nondeterministic Git bundles
Paul Baecher [18] published an interesting blog post on "Reproducible
git bundles" [19]. For those who are not familiar with them, Git bundles
are used for the "offline" transfer of Git objects without an active
server sitting on
