Presented by

  • Vagrant Cascadian

    Vagrant Cascadian
    https://www.aikidev.net

Vagrant strives to make Reproducible Builds a best practices reality for everyone. Vagrant discovered free software late last millennium and has been contributing to free software since the beginning of this millennium. A long-time Debian Developer and contributor to Guix, tinkering with ARM and RISC-V systems. At Portland's Free Geek, Vagrant dove into life as a free software developer, rebuilding electronic waste with FOSS, modifying or developing new software as needed. That led to exciting work helping coordinate LTSP development shared between several different operating systems. That sense of open collaboration has been a life-long habit. Vagrant contrasts spending too much time on computers with bicycle commuting, aikido and a DIY solar hobby.

Abstract

There are numerous policy compliance and regulatory processes being developed that target software development... but do they solve actual problems? Do they improve the quality of software? Do Software Bills of Materials (SBOMs) actually give you the information necessary to verify how a given software artifact was built? What is the goal of all these compliance checklists anyway... or, more importantly, what *should* the goals be? If a software object is signed, who should be trusted to sign it, and can they be trusted ... forever? Could you imagine a world with many bureaucratic compliance checks being replaced with verifiable processes performed by arbitrary third parties? Let me introduce you to Reproducible Builds, a set of best practices which allow you to verify that software artifacts were built from the source code, allowing auditing for license compliance, providing security benefits, and removing the need to trust arbitrary software vendors.
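As an added illustration of what "verifiable processes performed by arbitrary third parties" means in practice (example code written for this page, not from the talk or from the Reproducible Builds project), the script below has two independent "builders" turn the same constructed source tree into a tar archive. The naive builder leaks its own clock, file ordering and user id into the artifact, so two builders never agree and a third party cannot confirm the artifact came from the source. The normalised builder pins timestamps to a fixed SOURCE_DATE_EPOCH (the convention the Reproducible Builds project standardised), sorts entries and drops ownership, so anyone who rebuilds gets a bit-identical archive and can check its hash against the published one without trusting the vendor. The source tree, builder settings and epoch value are constructed for the example.

```python
"""Reproducible-build check: added illustration, not the talk's or the
Reproducible Builds project's own code.  Two "builders" archive the same
source tree; only the normalised build lets a third party verify the
artifact by rebuilding and comparing hashes."""
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> file contents).
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
    "Makefile": b"all: src/main.c\n",
}

# Constructed value: the timestamp of the source's last commit, which the
# Reproducible Builds SOURCE_DATE_EPOCH convention uses instead of the
# build machine's clock.
SOURCE_DATE_EPOCH = 1700000000

# Two constructed, independent builders with different environments.
BUILDER_A = {"order": ["src/main.c", "README", "Makefile"],
             "build_time": 1700003600, "uid": 1000}
BUILDER_B = {"order": ["Makefile", "README", "src/main.c"],
             "build_time": 1700090000, "uid": 1001}


def naive_build(tree, order, build_time, uid):
    """Archive the tree the way an unprepared build does: the builder's
    own clock as mtime, its directory-walk order, its uid/gid/uname."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in order:
            data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = build_time
            info.uid = info.gid = uid
            info.uname = info.gname = f"builder{uid}"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree, source_date_epoch):
    """Archive the tree with every environment-dependent field normalised:
    fixed mtime, sorted entry order, no ownership, fixed permissions."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            data = tree[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(artifact):
    """SHA-256 of the artifact, the value a vendor would publish."""
    return hashlib.sha256(artifact).hexdigest()


def third_party_verifies(published_digest, tree, source_date_epoch):
    """An arbitrary verifier rebuilds from source and compares hashes;
    no trust in the original builder is needed for a match to mean
    'this artifact was built from this source'."""
    return digest(reproducible_build(tree, source_date_epoch)) == published_digest


def compare_builders():
    """Return whether the two builders agree under each build style."""
    naive_agree = digest(naive_build(SOURCE_TREE, **BUILDER_A)) == \
        digest(naive_build(SOURCE_TREE, **BUILDER_B))
    # Each builder runs the normalised recipe; the builder's own
    # environment no longer enters the artifact at all.
    repro_agree = digest(reproducible_build(SOURCE_TREE, SOURCE_DATE_EPOCH)) == \
        digest(reproducible_build(SOURCE_TREE, SOURCE_DATE_EPOCH))
    return {"naive_agree": naive_agree, "reproducible_agree": repro_agree}


if __name__ == "__main__":
    print(compare_builders())
    published = digest(reproducible_build(SOURCE_TREE, SOURCE_DATE_EPOCH))
    print("verifier rebuild matches:",
          third_party_verifies(published, SOURCE_TREE, SOURCE_DATE_EPOCH))
    # A modified source tree must not verify against the published hash.
    tampered = dict(SOURCE_TREE, **{"src/main.c": b"int main(void) { return 1; }\n"})
    print("tampered source matches:",
          third_party_verifies(published, tampered, SOURCE_DATE_EPOCH))
```

The same check applies to any build step, not just archiving: every field in the artifact that depends on who built it or when (timestamps, paths, uids, locale, hash-map iteration order) is a field that stops a third party from confirming the link between source and artifact, which is why the project publishes tooling to find and normalise such differences.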