Open-source software is especially trustworthy compared to closed-source software because you can see the source code of the program you’re running.
Or can you?
You probably aren’t compiling all your software from source—you’re getting packages provided by your Linux distribution. But how do you know those binary packages were actually compiled from that source code and weren’t tampered with?
Why you should care
There’s typically been no way to actually check that a binary was compiled from some source code. Even compiling that application a second time and comparing the two binaries wouldn’t work, as you’d need to reproduce the exact build environment and ensure the source code didn’t pull in changing information, such as current date and time. But Debian and other free software projects are charging ahead with “reproducible builds,” allowing anyone to compile a piece of software from source and confirm the binary package they get matches the one being offered for download.
Reproducible builds (or “deterministic builds”) provide a complete chain of trust from a binary all the way back to the source code. This helps confirm that no attacker—whether it’s a government agency, a group of black-hat hackers, or one person with access to a free software project’s servers—has compromised the build system to produce packages with backdoors.
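The check described above, as an added example that is not part of the original article or of Debian's tooling: a constructed "package build" that packs a few files into a tarball, first the naive way (leaking the builder's clock, uid and file order, so two honest rebuilds already differ) and then with those inputs normalized to a pinned SOURCE_DATE_EPOCH, so anyone rebuilding from the same source gets byte-identical output and can compare its hash with the downloaded package. The file contents and timestamp values are constructed for the demo.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a package's installed files (path -> contents).
SAMPLE_FILES = {
    "usr/share/doc/hello/README": b"hello 1.0\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}

# Timestamp a project would pin via SOURCE_DATE_EPOCH; value constructed here.
SOURCE_DATE_EPOCH = 1440000000


def build_package(files, build_time, builder_uid, reproducible):
    """Pack files into a .tar.gz the way a build step would.

    reproducible=False leaks the build environment into the bytes: the
    builder's clock (tar and gzip mtimes), the builder's uid/gid and the
    order the files happened to be listed in.  reproducible=True pins
    every one of those so the output depends only on the source inputs.
    """
    out = io.BytesIO()
    stamp = SOURCE_DATE_EPOCH if reproducible else build_time
    names = sorted(files) if reproducible else list(files)
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz, \
            tarfile.open(fileobj=gz, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            data = files[name]
            info.size = len(data)
            info.mtime = stamp
            info.uid = info.gid = 0 if reproducible else builder_uid
            info.uname = info.gname = "root" if reproducible else f"user{builder_uid}"
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(downloaded, files, build_time, builder_uid):
    """Rebuild reproducibly from source and compare hashes with the download."""
    return sha256(build_package(files, build_time, builder_uid, True)) == sha256(downloaded)


if __name__ == "__main__":
    # Constructed: upstream builds on one machine, you rebuild a day later as another user.
    print("naive builds match:", sha256(build_package(SAMPLE_FILES, 1440000000, 1000, False))
          == sha256(build_package(SAMPLE_FILES, 1440086400, 1001, False)))
    upstream = build_package(SAMPLE_FILES, 1440000000, 1000, True)
    print("reproducible build verifies:", verify(upstream, SAMPLE_FILES, 1440086400, 1001))
```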
How much progress have they made?
Debian’s reproducible builds project is making a lot of headway here. In a recent talk at the Chaos Communication Camp, Debian developer Jérémy Bobbio (aka Lunar), explained Debian’s progress and the rationale here. (Here’s the full text of the talk.)
More than 83 percent of Debian’s packages are now reproducible. That’s over 18,000 packages, with the results visible on reproducible.debian.net. The team believes reproducible builds should become the norm across the entire free software ecosystem and has documentation for developers explaining how to make software reproducible.
Bitcoin and Tor are already reproducible, which is no surprise as these are two projects where trust is key and tampering would be particularly dangerous. There are efforts underway to make the Coreboot free software BIOS replacement, the OpenWrt router firmware, FreeBSD, NetBSD, and even Fedora reproducible.
This isn’t a sexy new feature, but it is a big security improvement in an age where increasingly sophisticated attackers and various governments want to insert backdoors into the software we use. It’s something only free software can do—letting you confirm a binary program was compiled from specific source code that you can actually see. With closed source software, all you can do is confirm a program is identical to the one being offered by the developer.