How Debian and other open-source projects are making software more trustworthy

Hint: Reproducible builds.

Credit: Luis Fernando Pienda Mahecha via Creative Commons

Open-source software is especially trustworthy compared to closed-source software because you can see the source code of the program you’re running.

Or can you?

You probably aren’t compiling all your software from source—you’re getting packages provided by your Linux distribution. But how do you know those binary packages were actually compiled from that source code and weren’t tampered with?

Why you should care

There’s typically been no way to actually check that a binary was compiled from some source code. Even compiling that application a second time and comparing the two binaries wouldn’t work, as you’d need to reproduce the exact build environment and ensure the source code didn’t pull in changing information, such as current date and time. But Debian and other free software projects are charging ahead with “reproducible builds,” allowing anyone to compile a piece of software from source and confirm the binary package they get matches the one being offered for download.


Reproducible builds (or “deterministic builds”) provide a complete chain of trust from a binary all the way back to the source code. This helps confirm that no attacker—whether it’s a government agency, a group of black-hat hackers, or one person with access to a free software project’s servers—has compromised the system to produce packages with backdoors.
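As an added illustration (not code from the article or the Debian project), a toy Python “build” that packs a constructed source tree into a tar archive shows why an embedded build time breaks byte-for-byte comparison, and how fixing the timestamp (the SOURCE_DATE_EPOCH convention, assumed here to be honoured by the build) lets a verifier rebuild from source and compare the result against the published artifact:

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (file name -> bytes); not from the article.
SOURCE_TREE = {
    "Makefile": b"all: hello\n",
    "hello.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
}
# Same tree with one file altered: a package whose contents no longer match
# the published source.
TAMPERED_TREE = {**SOURCE_TREE, "hello.c": b"int main(void){return 1;}\n"}

def build(source_tree, now, source_date_epoch=None):
    """Toy 'build': pack the tree into an uncompressed tar archive.
    `now` is the build clock. Without SOURCE_DATE_EPOCH (the reproducible-builds
    convention for a fixed timestamp) every member records the build time, so
    two builds of identical source differ byte for byte; with it, the bytes
    depend only on the source."""
    stamp = int(now) if source_date_epoch is None else int(source_date_epoch)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(source_tree):  # listing order must not leak in
            data = source_tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = stamp
            info.uid = info.gid = 0  # do not embed the builder's account
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def verify(published_artifact, source_tree, source_date_epoch):
    """Rebuild from source under the declared environment and compare with
    the artifact offered for download; the verifier's own clock is irrelevant."""
    rebuilt = build(source_tree, now=0, source_date_epoch=source_date_epoch)
    return sha256(rebuilt) == sha256(published_artifact)

if __name__ == "__main__":
    epoch = 1_500_000_000  # e.g. the timestamp of the last source change
    t1, t2 = 1_600_000_000, 1_600_000_007  # two build runs, seven seconds apart
    print("naive builds identical:", build(SOURCE_TREE, t1) == build(SOURCE_TREE, t2))
    print("fixed-epoch builds identical:",
          build(SOURCE_TREE, t1, epoch) == build(SOURCE_TREE, t2, epoch))
    print("tampered artifact verifies:",
          verify(build(TAMPERED_TREE, t1, epoch), SOURCE_TREE, epoch))
```

A real package build has many more sources of variation (file ordering, build paths, compiler versions, locale), which is why the Debian project also pins the build environment and records it alongside the package.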

How much progress have they made?

Debian’s reproducible builds project is making a lot of headway here. In a recent talk at the Chaos Communication Camp, Debian developer Jérémy Bobbio (aka Lunar), explained Debian’s progress and the rationale here. (Here’s the full text of the talk.)


Debian's reproducible builds progress.

More than 83 percent of Debian’s packages are now reproducible. That’s over 18,000 packages, with the results visible on reproducible.debian.net. The team believes reproducible builds should become the norm across the entire free software ecosystem and has information for developers explaining how to make software reproducible.

Bitcoin and Tor are already reproducible, which is no surprise as these are two projects where trust is key and tampering would be particularly dangerous. There are efforts underway to make the Coreboot free software BIOS replacement, the OpenWrt router firmware, FreeBSD, NetBSD, and even Fedora reproducible.

This isn’t a sexy new feature, but it is a big security improvement in an age where increasingly sophisticated attackers and various governments want to insert backdoors into the software we use. It’s something only free software can do—letting you confirm a binary program was compiled from specific source code that you can actually see. With closed source software, all you can do is confirm a program is identical to the one being offered by the developer.
