CISPA
Browse
- No file added yet -

It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security

Download (235.39 kB)
conference contribution
posted on 2023-11-29, 18:24 authored by Marcel Fourné, dominik.wermke, William Enck, Sascha FahlSascha Fahl, Yasemin Acar
The 2020 Solarwinds attack was a tipping point that caused a heightened awareness about the security of the software supply chain and in particular the large amount of trust placed in build systems. Reproducible Builds (R-Bs) provide a strong foundation to build defenses for arbitrary attacks against build systems by ensuring that given the same source code, build environment, and build instructions, bitwise-identical artifacts are created. Unfortunately, much of the software industry believes R-Bs are too far out of reach for most projects. The goal of this paper is to help identify a path for R-Bs to become a commonplace property. To this end, we conducted a series of 24 semi-structured expert interviews with participants from the Reproducible-Builds.org project, and iterated on our questions with the reproducible builds community. We identified a range of motivations that can encourage open source developers to strive for R-Bs, including indicators of quality, security benefits, and more efficient caching of artifacts. We identify experiences that help and hinder adoption, which heavily include communication with upstream projects. We conclude with recommendations on how to better integrate R-Bs with the efforts of the open source and free software community.

History

Preferred Citation

Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl and Yasemin Acar. It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security. In: IEEE Symposium on Security and Privacy (S&P). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2023-04-28

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3933, title = "It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security", author = "Fourné, Marcel and Wermke, Dominik and Enck, William and Fahl, Sascha and Acar, Yasemin", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2023", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC