First Reproducible Builds Summit


I was just in Athens for the “Reproducible Builds Summit”, an Aspiration-run meeting focused on the issues of getting all software builds to be reproducible. This means that anyone starting with the same source code can build the exact same binary, bit-for-bit. At first glance, it sounds like this horrible, arcane detail, which it is really. But it provides tons of real benefits that can save lots of time. And in terms of programming, it can actually be quite fun, like doing a puzzle or sudoku, since there is a very clear point where you have “won”.

Here are some examples of real benefits:

  • makes it easy to ensure no malware was inserted into software during the build process (e.g. the XcodeGhost malware we just saw)
  • provides a QA tool to make sure that changes in the source code of a project produce only the expected results
  • allows F-Droid to use the developer’s APK signature while still verifying that apps build from 100% free software
  • makes it possible to optimize and profile build processes while guaranteeing the results are exactly the same
  • for large projects, it can greatly speed up the build process (think rebuilding Gmail)

Represented there were: Debian, Google, FreeBSD, Fedora, F-Droid, Homebrew, MacPorts, NetBSD, Arch Linux, Coreboot, OpenWRT, and a bunch of other projects like an automotive Linux distro called Baserock, the Guix package manager, a Linux distro called NixOS, Haskell hackers, etc.

The organizers are already planning a second meeting, probably in April in Western Europe, and are looking to get more projects involved. Lots of people were talking about how it would be great to get some Android ROM developers involved. So if you are a contributor to CyanogenMod, Copperhead, OmniROM, Replicant, Blackphone, etc. and would be interested in attending, please let us know!