Debian Reproducible Builds to Detect Spyware
Debian has been getting a lot of attention the last couple of days for Jérémy Bobbio's work on Reproducible Builds. Bobbio has been working on this idea and implementation for a couple of years now, but after a presentation at Chaos Communication Camp last month it's come back into focus. In other Debian news, updates 8.2 and 7.9 were released.
Vice.com today said it was the "revelation that the CIA compromised Apple developers' build process, thus enabling the government to insert backdoors at compile time without developers realizing" that motivated Debian and Jérémy Bobbio to conceive of Reproducible Builds to insure package integrity. That and other examples prompted Bobbio to say, "We are not talking about hypothetical attacks here! So, even if we trust our developers we would still totally get owned." He said, "We need to be able to get reasonable confidence that a given binary was indeed produced using its supposed source." That's where Reproducible Builds come in. "The idea of Reproducible Builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source." Right now about 84% of Testing x86_64 consists of Reproducible Builds, 83% of Unstable, and 79% of Experimental. But in order to work, these and other branches must get to 100% and contributors are encouraged to participate.
The Debian project announced the releases of updates 7.9 and 8.2 Saturday. 7.9 is a security bug fix for those still using the old stable branch and 8.2 is a security and serious bug fix for users of 8.x. The installer has been updated for Seagate DockStar devices as well. Neither of these are considered new releases and, as usual, current users are encouraged to update via APT.
The Debian Project News was posted for the period ending September 2, 2015. Highlights include the biggest DebConf ever, new FreedomBox release, and eight new developers and 10 maintainers were welcomed. 680 packages are orphaned and 181 are up for adoption.