Linux Foundation Back Reproducible Builds Effort for Secure Software

Building software securely requires a verifiable method of reproduction and that is why the Linux Foundation's Core Infrastructure Initiative is supporting the Reproducible Builds Project.

In an effort to help open-source software developers build more secure software, the Linux Foundation is doubling down on its efforts to help the reproducible builds project. Among the most basic and often most difficult aspects of software development is making sure that the software end-users get is the same software that developers actually built.

"Reproducible builds are a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers," the Reproducible Builds project explains.

Without the promise of a verified reproducible build, security can potentially be compromised, as the binary code might not be the same as the original developer intended. The Reproducible Builds project benefits from the support of the Linux Foundation's Core Infrastructure Initiative (CII).

CII was founded in the aftermath of the open-source Heartbleed SSL vulnerability in 2014, as a way to help provide resources and direction in a bid to secure open-source code.

CII has raised over $5.5 million from financial backers including Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco.

In June 2015, CII announced its initial support for the Reproducible Builds effort, providing the project with $200,000 in funding. Now CII is committing to renewing its support for Reproducible Build with an additional $225,000.

"The first chunk of funding helped deliver reproducibility-related debugging tools such as diffoscope," Nicko van Someren, CTO of the Linux Foundation, told eWEEK.

The diffoscope open-source tool provides developers with an in-depth comparison of files, archives and directories. Van Someren added that CII's initial support of Reproducible Builds also enabled the project to spend significant time investing in a reliable and flexible framework for testing the reproducibility of software packages within Debian and other operating systems.

"Using this framework, combined with efforts from the rest of the Reproducible Builds Project, has resulted in 91 percent of the packages within the testing Debian distribution becoming reproducible," Van Someren said.

With the renewed support for Reproducible Builds, Van Someren said that in addition to enabling the project to 'double-down' on the previous efforts, his expectation is that new tools will also be built. Additionally the plan is to rework the documentation for upstream open-source projects as well as to experiment and ultimately deliver tools to end-users.

"For example, users may wish to forbid installation of packages on their system that are not reproducible," he said.

While the ability to have reproducible builds is an important component of ensuring secure software, the delivery mechanism by which software gets to users also needs to be secure. In January 2016, the popular open-source Drupal content management system (CMS), used by among others notable deployments, came under criticism for not providing a secure update mechanism.

The challenge in that case, as with many others, is that the software wasn't always being delivered over an HTTPS encrypted link.

CII is working to also help improve security in the area of secure software delivery in several ways. One of those ways is through the Let’s Encrypt project, which is an effort to provide free SSL/TLS certificates for websites. Van Someren noted that Let's Encrypt helps developers in setting up HTTPS servers and getting certificates as simply as possible. Let's Encrypt is operated as a Linux Foundation Collaborative Project.

CII also has a Best Practices Badge for Open Source Projects.

"One of the requirements for achieving the badge is for the project to be in control of a HTTPS server from which the project can be downloaded," Van Someren said. "So far 45 projects have been awarded a badge, with more than 200 in process of obtaining one."

In addition to renewing funding for the Reproducible Builds project, CII also recently renewed funding for The Fuzzing Project, False-Positive-Free Testing Project, OpenSSL, OpenSSH, Network Time and Best Practices Badging Projects. The CII is also likely to expand its supported projects roster with more than 20 projects currently in the process of submitting applications.

"The CII Steering Committee will of course assess these once they have been submitted and will award funds as budget allows," Van Someren said. "Our total grant budget is $1.6 million annually."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.