<!DOCTYPE html> <html lang="en" dir="ltr"> <head> <meta charset="utf-8"> <title>Reproducible Builds — a set of software development practices that create an independently-verifiable path from source to binary code</title> <link rel="stylesheet" href="/assets/styles/main.css?1732354105"> <link rel="shortcut icon" type="image/png" href="/assets/images/favicon.png"/> <link href="/assets/fonts/overpass.css" rel="stylesheet"> <link href="/assets/fonts/overpass-mono.css" rel="stylesheet"> <link rel="stylesheet" href="/assets/static/open-iconic-bootstrap.css" /> <link rel="stylesheet" href="/assets/static/bootstrap.min.css"> <link rel="alternate" type="application/rss+xml" title="Reproducible Builds - Posts" href="https://reproducible-builds.org/feed.xml" /> <link rel="alternate" type="application/rss+xml" title="Reproducible Builds - All News" href="https://reproducible-builds.org/blog/index.rss" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="twitter:card" content="summary"> <meta name="twitter:site" content="@ReproBuilds"> <meta name="twitter:title" content="Reproducible Builds"> <meta name="twitter:description" content="Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code."> <meta name="twitter:image" content="https://reproducible-builds.org/images/logos/rb-logo-only.png"> </head> <body> <nav class="navbar navbar-expand-lg navbar-light sticky-top rb-navbar__top"> <a class="navbar-brand" href="/"> <img src="/assets/images/logo-text-white.png" height="30" width="auto" alt=""></img> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button> <div class="collapse navbar-collapse " id="navbarSupportedContent"> <ul class="navbar-nav mr-auto display-xs"> <li 
class="nav-item"> <a class="nav-link" href="/">Home</a> </li> <li class="nav-item"> <a class="nav-link" href="/news/">News</a> </li> <li class="nav-item"> <a class="nav-link" href="/docs/">Docs</a> </li> <li class="nav-item"> <a class="nav-link" href="/success-stories/">Success stories</a> </li> <li class="nav-item"> <a class="nav-link" href="/tools/">Tools</a> </li> <li class="nav-item"> <a class="nav-link" href="/who/">Who is involved?</a> </li> <li class="nav-item"> <a class="nav-link" href="/resources/">Talks</a> </li> <li class="nav-item"> <a class="nav-link" href="/events/">Events</a> </li> <li class="nav-item"> <a class="nav-link" href="/citests/">CI tests</a> </li> <li class="nav-item"> <a class="nav-link" href="/contribute/">Contribute</a> </li> </ul> </div> </nav> <div class="container"> <div class="row h-100"> <main role="main" class="content-scroll p-3 p-md-5"> <div class="hero mb-4"> <div class="container text-center"> <div class="col-sm-8 offset-sm-2"> <a href="/"> <img class="mb-4 img-fluid" src="/assets/images/logo-text-white.png" alt="Reproducible Builds" /> </a> <p class="lead mt-5 pt-5 pb-5"> <strong>Reproducible builds</strong> are a set of software development practices that create an independently-verifiable path from source to binary code. 
<small class="d-none d-sm-inline"> (<a href="/docs/definition/">more</a>) </small> </p> </div> </div> </div> <p class="text-center nav-btn"> <a class="btn btn-outline-primary m-2" href="/news/">News</a><a class="btn btn-outline-primary m-2" href="/docs/">Docs</a><a class="btn btn-outline-primary m-2" href="/success-stories/">Success stories</a><a class="btn btn-outline-primary m-2" href="/tools/">Tools</a><a class="btn btn-outline-primary m-2" href="/who/">Who is involved?</a><a class="btn btn-outline-primary m-2" href="/resources/">Talks</a><a class="btn btn-outline-primary m-2" href="/events/">Events</a><a class="btn btn-outline-primary m-2" href="/citests/">CI tests</a><a class="btn btn-outline-primary m-2" href="/contribute/">Contribute</a> </p> <h2 id="why-does-it-matter">Why does it matter?</h2> <p>Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether the two correspond.</p> <p>This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.</p> <p>This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising politically sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.</p> <p>Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure, as a successful attack would provide access to a large number of downstream computer systems. 
By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to the software's original authors and users alike.</p> <p>The motivation behind the <strong>Reproducible Builds</strong> project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising that identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.</p> <p>This ability to notice if a developer or build system has been compromised then prevents such threats or attacks from occurring in the first place, as any compromise can be quickly detected. As a result, front-liners cannot be threatened or coerced into exploiting or exposing their colleagues.</p> <p><a href="/who/projects/">Several free software projects</a> already, or will soon, provide reproducible builds.</p> <h2 id="how">How?</h2> <p>First, the <strong>build system</strong> needs to be made entirely deterministic: transforming a given source must always create the same result. 
For example, the current date and time must not be recorded and output always has to be written in the same order.</p> <p>Second, the set of tools used to perform the build and more generally the <strong>build environment</strong> should either be recorded or pre-defined.</p> <p>Third, users should be given a way to recreate a close enough build environment, perform the build process, and <strong>validate</strong> that the output matches the original build.</p> <p>Learn more about <a href="/docs">how to make your software build reproducibly…</a></p> <h2 id="recent-monthly-reports">Recent monthly reports</h2> <ul class="list-unstyled"> <li> <span class="text-muted">Nov 10, 2024</span>: <a href="/reports/2024-10/">Reproducible Builds in October 2024</a> </li> <li> <span class="text-muted">Oct 7, 2024</span>: <a href="/reports/2024-09/">Reproducible Builds in September 2024</a> </li> <li> <span class="text-muted">Sep 4, 2024</span>: <a href="/reports/2024-08/">Reproducible Builds in August 2024</a> </li> </ul> <p>(<a href="/news/">See all reports…</a>)</p> <h2 id="recent-news">Recent news</h2> <ul class="list-unstyled"> <li> <span class="text-muted">Nov 14, 2024</span>: <a href="/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/">Reproducible Builds mourns the passing of Lunar</a> </li> <li> <span class="text-muted">Sep 29, 2024</span>: <a href="/news/2024/09/29/supporter-spotlight-kees-cook/">Supporter spotlight: Kees Cook on Linux kernel security</a> </li> <li> <span class="text-muted">Feb 8, 2024</span>: <a href="/news/2024/02/08/reproducible-builds-at-fosdem-2024/">Reproducible Builds at FOSDEM 2024</a> </li> </ul> <p>(<a href="/news/">See all…</a>)</p> <h2 id="sponsors">Sponsors</h2> <p>We are proud to be <a href="/sponsors/">sponsored by</a>:</p> <div class="row bg-light p-md-4 p-sm-2 pt-5 pb-5"> <div class="col-xs-12 col-sm-6 mb-6 mx-auto"> <div class="card h-100 text-center justify-content-center"> <a href="https://www.opentech.fund/" name="Open 
Technology Fund"> <img class="p-5 w-100 sponsor-img-platinum" src="/assets/images/sponsors/opentechfund.svg" alt="Open Technology Fund" /> </a> </div> </div> <div class="col-xs-12 col-sm-6 mb-6 mx-auto"> <div class="card h-100 text-center justify-content-center"> <a href="https://sovereigntechfund.de/" name="Sovereign Tech Fund"> <img class="p-5 w-100 sponsor-img-platinum" src="/assets/images/sponsors/STF-black.svg" alt="Sovereign Tech Fund" /> </a> </div> </div> </div> <p><br /></p> <p class="text-center nav-btn"> <a class="btn btn-outline-primary m-2" href="/news/">News</a><a class="btn btn-outline-primary m-2" href="/docs/">Docs</a><a class="btn btn-outline-primary m-2" href="/success-stories/">Success stories</a><a class="btn btn-outline-primary m-2" href="/tools/">Tools</a><a class="btn btn-outline-primary m-2" href="/who/">Who is involved?</a><a class="btn btn-outline-primary m-2" href="/resources/">Talks</a><a class="btn btn-outline-primary m-2" href="/events/">Events</a><a class="btn btn-outline-primary m-2" href="/citests/">CI tests</a><a class="btn btn-outline-primary m-2" href="/contribute/">Contribute</a> </p> <div class="row footer"> <div class="col-12 p-0"> <p class="mt-5 mb-5"> <span class="text-muted small d-none d-sm-block"> Follow us on Twitter <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a>, Mastodon <a href="https://fosstodon.org/@reproducible_builds">@reproducible_builds@fosstodon.org</a> & <a href="https://reddit.com/r/reproduciblebuilds">Reddit</a> and please consider <a href="/sponsor/">making a donation</a>. • Content licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" class="rb-link" target="_blank">CC BY-SA 4.0</a>, style licensed under <a href="https://opensource.org/licenses/MIT" class="rb-link" title="MIT" target="_blank">MIT</a>. Templates and styles based on the <a href="https://styleguide.torproject.org/" target="_blank">Tor Styleguide</a>. Logos and trademarks belong to their respective owners. 
• Patches for this website welcome <a href="https://salsa.debian.org/reproducible-builds/reproducible-website">via our Git repository</a> (<a href="/contribute/salsa/">instructions</a>) or via <a href="https://lists.reproducible-builds.org/listinfo/rb-general">our mailing list</a>. • <a href="/who/">Full contact info</a> </span> </p> <p class="d-none d-md-block float-left"> <a href="https://sfconservancy.org"><img src="/assets/images/footer/conservancy.png" height="66" width="auto" alt="Conservancy Logo"/></a> </p> <p class="text-center float-md-right"> <a href="/"><img src="/images/logos/rb.svg" height="45" width="auto" alt="Reproducible Builds Logo"/></a> </p> </div> </div> </main> </div> </div> </div> <script src="/assets/javascript/jquery-3.3.1.slim.min.js"></script> <script src="/assets/javascript/bootstrap.min.js"></script> <script type="text/javascript" src="/assets/javascript/index.js"></script> </body> </html>
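The three practices listed under "How?" (a deterministic build system, a recorded build environment, and validation of the output), carried through on a toy build as an added example; this is not code from reproducible-builds.org. It assumes GNU tar (1.28 or later for --sort), gzip and coreutils; the function names, the sample source tree, the /build path and the SOURCE_DATE_EPOCH value are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from reproducible-builds.org: a toy "build" packaging
# a constructed source tree, naively and then per the three practices above.
# Assumes GNU tar, gzip and coreutils (sha256sum).
set -eu

make_source() {   # constructed sample tree for a hypothetical project
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf 'all:\n\tcc -o app src/main.c\n' > "$1/Makefile"
}

# Naive build: bakes the wall-clock time and absolute build path into
# build-info, and lets tar record fresh mtimes, uid/gid and readdir order.
build_naive() {   # $1 = source dir, $2 = output archive
    workdir=$(mktemp -d)
    cp -r "$1"/. "$workdir/"
    printf 'built_at=%s\nbuild_path=%s\n' "$(date +%s)" "$workdir" > "$workdir/build-info"
    tar -czf "$2" -C "$workdir" .
    rm -rf "$workdir"
}

# Deterministic build: the same steps with every source of variation pinned.
build_reproducible() {   # $1 = source dir, $2 = output archive
    : "${SOURCE_DATE_EPOCH:=1700000000}"   # practice 1: no wall-clock time or path
    workdir=$(mktemp -d)
    cp -r "$1"/. "$workdir/"
    printf 'built_at=%s\nbuild_path=%s\n' "$SOURCE_DATE_EPOCH" /build > "$workdir/build-info"
    # practice 2: record the environment the output depends on, in the artefact
    printf 'SOURCE_DATE_EPOCH=%s\nLC_ALL=C\ntar=%s\n' "$SOURCE_DATE_EPOCH" \
        "$(tar --version | head -n1)" > "$workdir/build-env"
    # sorted members, clamped mtime, fixed owner/mode; gzip -n drops its header time
    LC_ALL=C tar --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner --mode='go=rX,u+rw,a-s' \
        -cf - -C "$workdir" . | gzip -n > "$2"
    rm -rf "$workdir"
}

# Practice 3: validate by rebuilding and comparing digests (returns 0 = identical).
artefacts_match() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$(sha256sum < "$2" | cut -d' ' -f1)" ]
}

run_demo() {   # stand-alone run: build twice each way and report the outcome
    src=$(mktemp -d); make_source "$src"
    build_naive "$src" "$src.n1"; build_naive "$src" "$src.n2"
    build_reproducible "$src" "$src.r1"; build_reproducible "$src" "$src.r2"
    artefacts_match "$src.n1" "$src.n2" && echo "naive: identical" || echo "naive: differs"
    artefacts_match "$src.r1" "$src.r2" && echo "reproducible: identical" || echo "reproducible: differs"
}
```

Source the file and call run_demo: the naive archives differ because the build path and timestamp leak into them, while the two reproducible archives hash identically even though they were produced in different temporary directories.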