The Linux Foundation's Core Infrastructure Initiative Renews Funding for Reproducible Builds Project
The Linux Foundation | 11 November 2016
Grant Helps Fund New Developers Working on Debian GNU/Linux and FreeBSD to Improve Software Security and Control
SAN FRANCISCO, November 11, 2016 — The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation that enables technology companies, industry stakeholders and developers to collaboratively identify, fund and improve the security of critical open source projects, today announced continued financial support for the Reproducible Builds Project.
The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo, and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD.
While anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or compiled) packages to end users. The motivation behind “reproducible” builds is to allow verification that no flaws have been introduced during the compilation process by ensuring that identical binary packages are generated from a given source. This blunts attacks that plant backdoor-introducing malware on developers’ machines, since an attacker would need to infect every developer attempting to reproduce the build at the same time.
“Ensuring that no flaws are introduced during the build process greatly improves software security and control,” said Lamb. “Our work has already made significant progress in Debian GNU/Linux, and we are making our tools available for Fedora, Guix, Ubuntu, OpenWrt and other distributions. Support from CII will allow us to expand our efforts to work on longer-term commitments such as upstream patches requiring significant technical and time investment, as well as work on the infrastructure required to make Reproducible Builds both meaningful and approachable for end-users.”
Technical advantages of a reproducible build include removing unsafe behaviour such as downloading third-party code from the internet during the build, detecting corrupted build environments, reducing the time to detect a compromised build host, and numerous other debugging and testing advantages.
Last year CII funded Levsen and Jérémy Bobbio’s efforts to eliminate unneeded variations from the build processes of thousands of free software projects. They also delivered new tools to understand the source of these differences and an infrastructure update to allow developers to independently verify the authenticity of binary distributions. Their efforts, combined with those from the rest of the Reproducible Builds Project, have resulted in 91% of the packages within the Debian testing distribution becoming reproducible.
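As an added illustration of the verification model described above (example code written for this page, not code from the press release or from the Reproducible Builds Project), the following Python script models two sources of build-output variation that the project's work eliminates, entry timestamps and owner ids in a generated archive, and then shows how independent rebuilders compare digests so that a single compromised build host stands out rather than going unnoticed. The source tree, the build-host clocks and the builder names are constructed sample data; `SOURCE_DATE_EPOCH` follows the project's convention for a fixed timestamp, but the value used here is an assumption.

```python
import hashlib
import io
import tarfile
from collections import Counter

# Constructed sample "source tree" (path -> contents); not from the original page.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
}

# Assumed clamp timestamp for all archive entries (2016-11-11 00:00:00 UTC).
SOURCE_DATE_EPOCH = 1478822400


def build_archive(tree, build_time, normalize):
    """Produce a tar archive for `tree` and return its SHA-256 hex digest.

    `build_time` stands in for the wall clock of the build host. With
    normalize=True every entry is stamped with SOURCE_DATE_EPOCH, fixed owner
    ids and a sorted entry order, so the digest no longer depends on when or
    on whose machine the build ran. With normalize=False the host's clock and
    user leak into the output, which is exactly the kind of unneeded variation
    that makes two honest builds disagree.
    """
    buf = io.BytesIO()
    names = sorted(tree) if normalize else list(tree)
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if normalize:
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = build_time
                info.uid = info.gid = 1000
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def verify_independent_builds(reports):
    """Compare the digests reported by independent rebuilders of one source.

    `reports` maps a builder name to the digest it produced. Returns
    (reproducible, outliers): reproducible is True only when every builder
    agrees; outliers lists the builders whose digest differs from the majority
    result, i.e. the hosts to investigate for a corrupted or compromised
    build environment.
    """
    counts = Counter(reports.values())
    majority_digest, _ = counts.most_common(1)[0]
    outliers = sorted(b for b, d in reports.items() if d != majority_digest)
    return (len(counts) == 1, outliers)


if __name__ == "__main__":
    # Two honest builders with different clocks: only the normalized build agrees.
    print("unnormalized match:",
          build_archive(SOURCE_TREE, 1000, False) == build_archive(SOURCE_TREE, 2000, False))
    print("normalized match:  ",
          build_archive(SOURCE_TREE, 1000, True) == build_archive(SOURCE_TREE, 2000, True))

    # A third builder whose checkout was tampered with produces a different digest
    # and is singled out, even though it cannot be told apart by timestamp alone.
    tampered = dict(SOURCE_TREE, **{"src/main.c": b"int main(void) { return 1; }\n"})
    good = build_archive(SOURCE_TREE, 1000, True)
    print(verify_independent_builds({
        "builder-a": good,
        "builder-b": build_archive(SOURCE_TREE, 2000, True),
        "builder-c": build_archive(tampered, 3000, True),
    }))
```

The point of the second half is the one the text makes about attackers needing to infect every developer: a single divergent digest is visible to all the other rebuilders, so the attacker gains nothing by compromising one host unless the others are compromised identically.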
About The Core Infrastructure Initiative
CII is a multimillion-dollar project that funds and supports critical elements of the global information infrastructure. It is organized by The Linux Foundation and supported by Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, Hitachi, HP, Huawei, IBM, Intel, Microsoft, NetApp, NEC, Qualcomm, RackSpace, salesforce.com, and VMware. Moving beyond funding projects, CII is introducing preemptive tools and programs to help the open source ecosystem and the companies who support it deploy secure coding practices. For a full list of CII grantees, please visit: https://www.coreinfrastructure.org/grants.
About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.
# # #
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
Media Contact
Sarah Conway
The Linux Foundation
978-578-5300
sconway@linuxfoundation.org