
Research paper tests how many Arch Linux packages are reproducible

submitted by
Style Pass
2024-04-28 11:30:05

“Reproducible builds” is a way to ensure that the source code for any software and the binary code resulting from building that source code are matched byte-for-byte; that is, no one tampered with the software during the build phase to add malicious code or other changes to it.

Reproducible builds are important for mitigating what are known today as “supply-chain attacks”: attacks that are not aimed directly at the target system but at a component, library or dependency that is part of that system.

Just because you have read the source code of an open source program on GitHub does not mean that the binary package you download and install on your operating system originates 100% from that source code. A middleman in the build phase could interfere with that package, sometimes without anyone knowing, and add malicious code or scripts that end up on user systems.

Many years ago, mainstream Linux distributions started the effort of making all of their packages reproducible. That is, anyone who builds the source code of any package in the distribution will get the exact same binary package from that source code, allowing independent verifiers and auditors to confirm that the supply chain is safe and secure. Today, most Linux distributions stand at above a 90% rate of reproducible builds, and you can track their progress from this website:
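As an added illustration of the rebuild-and-compare check described above (example code, not from the paper or from Arch Linux), the toy package builder below embeds the wall-clock build time unless told to normalise it, a rebuilder builds the same source twice and compares digests, and an auditor compares a downloaded package against a fresh rebuild byte-for-byte. SOURCE_TREE, SOURCE_DATE_EPOCH and the build timestamps are constructed sample values.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents); not a real package.
SOURCE_TREE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"constructed sample package\n",
}

# Stand-in for SOURCE_DATE_EPOCH: a timestamp taken from the source (e.g. the
# last commit date) instead of the wall clock of whichever machine builds it.
SOURCE_DATE_EPOCH = 1_700_000_000


def build_package(source: dict, build_time: int, reproducible: bool) -> bytes:
    """Archive the source tree the way a packaging step would.
    reproducible=False stamps files with the wall-clock build time, so two
    honest builds of identical inputs still differ; reproducible=True
    normalises what the environment could leak: order, mtime, ownership."""
    names = sorted(source) if reproducible else list(source)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(source[name])
            info.mtime = SOURCE_DATE_EPOCH if reproducible else build_time
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(source[name]))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rebuilds_identically(source: dict, reproducible: bool) -> bool:
    """Rebuild the same source on two 'machines' an hour apart and require
    identical digests; this is the check a distro's rebuilder runs."""
    first = sha256(build_package(source, 1_714_300_000, reproducible))
    second = sha256(build_package(source, 1_714_303_600, reproducible))
    return first == second


def matches_published(published: bytes, source: dict) -> bool:
    """Auditor's view of a downloaded package: rebuild from source and compare
    byte-for-byte, so a binary altered after the build no longer matches."""
    return published == build_package(source, 1_714_999_999, True)
```

Only the timestamp varies between the two simulated builds here; real packages also leak build paths, locale, parallelism and compiler versions, which is why distribution rebuilders pin the whole build environment.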
