From SIPB Cluedumps
|Date: November 30, 2016, at 7:30 PM|
|Presenters: Valerie Young|
|Notes: Presentation slides|
| Abstract: We trust FOSS software because we can read the source code. Or, at least, we trust FOSS software because we trust the community who reads and writes the source code. But users do not download source code and compile programs themselves, they download binaries. Binaries can be exploited in many ways, from a compromised developer to a compromised compiler, and without reproducible builds, we are not capable of independently verifying that a given binary came from the publicly available source code.
"'Reproducible builds?'" you might ask in confusion, "Are you implying the compilation of software is not deterministic?" Turns out, yes!
"Reproducible Builds" is the umbrella term for the wide FOSS effort to make the build chain of all software deterministic and transparent. In this talk, I will give a brief history of the reproducible builds effort from Tor's original success to the ongoing work of the Debian community to create an entirely reproducible operating system. You will leave with a clear understanding of the nuances and challenges of achieving reproducible builds and a clear vision for the exciting future where reproducible builds are the norm.
|Bio: Valerie Young is a Debian contributor and secretary for the board of directors of Software in the Public Interest. She studied physics and computer science at Boston University, worked at athenahealth for a few years, and is presently on vacation between paying jobs to chill and write free software.|