i-probably-didnt-backdoor-this: Reproducible Builds for upstreams

kpcyrd kpcyrd at rxv.cc
Thu Aug 19 23:16:29 UTC 2021


hi!

I uploaded a GitHub repo that distributes a Hello World in various
formats (ELF binary, Docker image, 3rd party(!) Arch Linux package) and
documented every file and command needed to reproduce the artifacts
bit-for-bit:

https://github.com/kpcyrd/i-probably-didnt-backdoor-this

I'm not very confident with the reproducible Docker image yet, but the
rest should be ok. I'm planning to combine this with the reproducible Alpine
Raspberry Pi images other people and I have been working on.

The target audiences are:

- Individual open source developers who're publishing on their own
  instead of through a distro.
- The users of said open source developers, who might be non-technical.
  The first section is not really related to reproducible builds,
  instead it's describing controls that can be implemented with
  pen-and-paper that are then built on top of with reproducible builds.

Although most/all the techniques described there aren't novel, I still
think it's important to have them documented and some form of consensus
that these controls are effective (within a casual opensource-dev/user
relationship threat-model).

If you are aware of similar resources (specifically hands-on "how to
verify our release artifacts" or even "this is how you implement this
for your own project") you're welcome to submit a pull request on the
"Similar work" section.

Thanks!

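To make the bit-for-bit claim above concrete, here is an added example (mine, not code from the i-probably-didnt-backdoor-this repository) that builds a release tarball from two checkouts of the same constructed sources, once the naive way and once with everything that is not file content normalised (sorted entries, a fixed SOURCE_DATE_EPOCH-style mtime, zeroed ownership, no gzip timestamp), and checks whether each method yields identical bytes. The file names, contents and mtimes are constructed for the demo.

```python
import gzip
import io
import os
import tarfile
import tempfile

# Constructed source tree; the two "checkouts" below differ only in file mtimes.
SOURCES = {"hello/main.c": b"int main(void) { return 0; }\n",
           "hello/Makefile": b"all:\n\tcc -o hello main.c\n"}

def make_checkout(root, mtime):
    for rel, data in SOURCES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))  # simulate a checkout made at a different time
    return os.path.join(root, "hello")

def build_naive(src_dir):
    """Equivalent of 'tar czf': stat() mtimes, uid/gid and a gzip timestamp all leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_dir, arcname="hello")
    return buf.getvalue()

def build_reproducible(src_dir, source_date_epoch=0):
    """Normalise everything that is not file content: order, ownership, mtime, gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(src_dir):
            dirnames.sort()  # deterministic traversal order, like tar --sort=name
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, os.path.dirname(src_dir)))
                # SOURCE_DATE_EPOCH for mtime, --owner=0 --group=0 for ownership
                info.mtime, info.uid, info.gid, info.uname, info.gname = source_date_epoch, 0, 0, "", ""
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:  # like gzip -n: no timestamp
        gz.write(raw.getvalue())
    return out.getvalue()

def compare_builds():
    """Build from two checkouts and compare the raw bytes, i.e. bit-for-bit."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        src_a, src_b = make_checkout(a, 1_600_000_000), make_checkout(b, 1_700_000_000)
        naive = build_naive(src_a) == build_naive(src_b)
        normalised = build_reproducible(src_a) == build_reproducible(src_b)
    return {"naive_reproducible": naive, "normalised_reproducible": normalised}
```

Running compare_builds() shows the naive archive already differs between two clean checkouts of identical sources, which is exactly what a user comparing a published checksum against their own rebuild would trip over.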

More information about the rb-general mailing list