Debian is working on a new project named “reproducible builds”, whose stated goal is that it should be possible to reproduce, byte for byte, every build of every package in Debian. In practice this means that anyone can rebuild a source package and check that the result is identical to the official binary, tying that binary to its source package, the repository state and the environment it was built in. It also means that a binary tampered with during the build, or swapped out afterwards, can be detected by rebuilding it and comparing the result, which adds to the security of the distribution.
Debian can become the first OS to prove the origin of its official binaries.
The project has a tentative specification for a new control file (*.buildinfo) that records the build environment of a package, i.e. which packages, at which versions, were installed when it was built, so that the same environment can be recreated later. It has also developed an experimental toolchain that can perform reproducible builds for many source packages. On jenkins.debian.net each package is built twice and the two results are compared. This catches the common sources of non-reproducibility: embedded timestamps, dependence on file ordering, CPU-related variation, and (pseudo-)randomness. 83% of the source packages are reproducible now. A reproducible-build guide for package maintainers can be found here.
debbindiff is a tool, currently available in the jessie (testing) and unstable repositories, being developed to detect and explain the differences between the packages generated by two builds of the same Debian source package. Its exit status indicates whether differences were found, so it can be driven from scripts, and it can produce an HTML report of the detected differences. Sample usage:
$ debbindiff --html $output_file b1/*.changes b2/*.changes
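The double build and comparison described above (build the same source twice, then let debbindiff explain what differs) can be modelled with the Python standard library alone. The following is an added example written for this page, not code from Debian, jenkins.debian.net or debbindiff. The source tree, the host names and the SOURCE_DATE_EPOCH constant are constructed for the example; the "naive" build deliberately leaks timestamps, file order and randomness, and the "normalised" build removes each of them.

```python
"""Toy model of the double-build check: added example for this page, not
code from Debian or debbindiff.  Two builds of one constructed source tree
are compared member by member, the way debbindiff compares two .deb files."""
import gzip
import hashlib
import io
import os
import random
import tarfile
import time

# Constructed sample "source package" contents: path -> bytes.
SOURCE_TREE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"A hello package used as example input.\n",
    "usr/share/doc/hello/changelog": b"hello (1.0-1) unstable; urgency=low\n",
}

# Assumption: a fixed, source-derived date replaces the wall clock wherever
# the build would otherwise stamp "now".  Any constant works for the demo.
SOURCE_DATE_EPOCH = 1420070400  # 2015-01-01T00:00:00Z


def _add_member(tar, path, data, mtime):
    """Add one regular file with fixed owner and mode to an open tar."""
    info = tarfile.TarInfo(path)
    info.size = len(data)
    info.mtime = mtime
    info.mode = 0o644
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    tar.addfile(info, io.BytesIO(data))


def naive_build(tree, build_host):
    """Build that leaks timestamps, file order and randomness into its output."""
    out = io.BytesIO()
    # "w:gz" lets gzip write the current time into the gzip header.
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        # Files are added in whatever order the filesystem happens to return.
        for path in random.sample(sorted(tree), len(tree)):
            _add_member(tar, path, tree[path], int(time.time()))
        # A build log recording host, exact time and a random temp-file id.
        log = "built on %s at %.6f, tmp=%s\n" % (
            build_host, time.time(), os.urandom(4).hex())
        _add_member(tar, "usr/share/doc/hello/buildlog", log.encode(),
                    int(time.time()))
    return out.getvalue()


def reproducible_build(tree, build_host):
    """Same payload; every environment-dependent field is normalised."""
    out = io.BytesIO()
    # mtime=0 keeps the build time out of the gzip header; no file name is
    # recorded because the output is an anonymous BytesIO.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        # Fixed tar format so the bytes do not depend on Python's default.
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for path in sorted(tree):  # sorted: independent of directory order
                _add_member(tar, path, tree[path], SOURCE_DATE_EPOCH)
            # build_host is deliberately not recorded: only source-derived data.
            log = b"source-date-epoch: %d\n" % SOURCE_DATE_EPOCH
            _add_member(tar, "usr/share/doc/hello/buildlog", log, SOURCE_DATE_EPOCH)
    return out.getvalue()


def _members(archive):
    """Map member name -> (mtime, uid, gid, sha256 of content), in archive order."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            result[m.name] = (m.mtime, m.uid, m.gid, digest)
    return result


def compare(archive_a, archive_b):
    """Explain how two builds differ (a minimal debbindiff); [] means identical."""
    if archive_a == archive_b:
        return []
    a, b = _members(archive_a), _members(archive_b)
    diffs = []
    if list(a) != list(b):
        diffs.append("member order: %s vs %s" % (list(a), list(b)))
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            diffs.append("%s: present in only one build" % name)
        elif a[name] != b[name]:
            diffs.append("%s: %s vs %s" % (name, a[name], b[name]))
    if not diffs:
        diffs.append("members identical; container metadata differs (gzip header)")
    return diffs


if __name__ == "__main__":
    for label, build in (("naive", naive_build), ("normalised", reproducible_build)):
        first, second = build(SOURCE_TREE, "host1"), build(SOURCE_TREE, "host2")
        print(label, "identical" if first == second else "DIFFERENT")
        for line in compare(first, second):
            print("   ", line)
```

Running the block shows the naive build differing between runs, with the report pointing at changed member order, member mtimes and the build log's hash, while the normalised build is byte-identical. The three fixes applied there, sorting inputs, clamping every timestamp to a source-derived date, and keeping host names and random identifiers out of the output, are the same kind of changes a maintainer makes to a real package once debbindiff has shown where the difference comes from.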
The next goals of the project are:
- Identify more common problems
- Get the toolchain changes integrated after the Jessie release
- Start a campaign to get developers to fix their packages
- Get .buildinfo files in the archive
- Require that the binary packages uploaded by a developer match those produced by an independent build before a package is accepted; this could initially be opt-in.