Commit d369f299 authored by Mark Lodato

Rewrite the reproducible section.

- Better explain the difference between "reproducible" and "verified
  reproducible".
- Clarify that reproducible is required unless there is a justification.
parent fdcd336d
...@@ -179,25 +179,34 @@ more, see [Threats, Risks, and Mitigations in the Open Source Ecosystem]. ...@@ -179,25 +179,34 @@ more, see [Threats, Risks, and Mitigations in the Open Source Ecosystem].
### What about reproducible builds? ### What about reproducible builds?
[Reproducible](https://reproducible-builds.org) and hermetic builds When talking about [reproducible builds](https://reproducible-builds.org)
[provide](https://reproducible-builds.org/docs/buy-in/) builds, there are two related but distinct concepts: "reproducible" and
"verified reproducible."
"Reproducible" means that repeating the build with the same inputs results in
bit-for-bit identical output. This property
[provides](https://reproducible-builds.org/docs/buy-in/)
[many](https://wiki.debian.org/ReproducibleBuilds/About) [many](https://wiki.debian.org/ReproducibleBuilds/About)
[benefits](https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf#page=357), [benefits](https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf#page=357),
including easier debugging, more confident cherry-pick releases, better build including easier debugging, more confident cherry-pick releases, better build
caching and storage efficiency, and accurate dependency tracking. For these caching and storage efficiency, and accurate dependency tracking.
reasons, we require reproducibility and hermeticity at SLSA 3 by default.
For these reasons, SLSA 3 [requires](#proposed-slsa-definitions) reproducible
In terms of security, _verified_ reproducible builds are often builds unless there is a justification why the build cannot be made
reproducible.
[Example](https://lists.reproducible-builds.org/pipermail/rb-general/2021-January/002177.html)
justifications include profile-guided optimizations or code signing that
invalidates hashes. Note that there is no actual reproduction, just a claim that
reproduction is possible.
"Verified reproducible" means using two or more independent build systems to
corroborate the provenance of a build. In this way, one can create an overall
system that is more trustworthy than any of the individual components. This is
often
[suggested](https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/) [suggested](https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/)
as a solution to supply chain integrity. The idea is that a system of as a solution to supply chain integrity. Indeed, this is one option to secure
independent reproducers all run the same build commands on the same inputs and build steps of a supply chain. When designed correctly, such a system can
report the same output. A consumer can gain confidence in an artifact's satisfy all of the SLSA build requirements.
provenance by querying multiple rebuilders, assuming that not all of the
rebuilders have been compromised.
Indeed, this is one option to secure build steps of a supply chain. When
designed correctly, such a system satisfies all of the build requirements listed
below.
That said, verified reproducible builds are not a complete solution to supply That said, verified reproducible builds are not a complete solution to supply
chain integrity, nor are they practical in all cases: chain integrity, nor are they practical in all cases:
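Review bot: The rewritten paragraph drops hermeticity from the SLSA 3 statement. The old text read "we require reproducibility and hermeticity at SLSA 3 by default", while the new text says only "SLSA 3 [requires](#proposed-slsa-definitions) reproducible builds unless there is a justification"; if hermeticity is still required at SLSA 3 it should be restated here (or the commit message should say the requirement now lives elsewhere), since this section is the one place readers are told why the build is constrained. Separately, the sentence "Note that there is no actual reproduction, just a claim that reproduction is possible." now follows the justification examples and reads as if it qualifies the justifications; consider moving it directly after the bit-for-bit definition or naming its subject, e.g. "Note that the 'reproducible' requirement involves no actual reproduction, just a claim that reproduction is possible."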
...@@ -209,17 +218,14 @@ chain integrity, nor are they practical in all cases: ...@@ -209,17 +218,14 @@ chain integrity, nor are they practical in all cases:
and that software has a vulnerability that can be triggered by sending a and that software has a vulnerability that can be triggered by sending a
build request, then an attacker can compromise all rebuilders, violating the build request, then an attacker can compromise all rebuilders, violating the
assumption above. assumption above.
* Some builds cannot easily be made reproducible, * Some builds cannot easily be made reproducible, as noted above.
[such as](https://lists.reproducible-builds.org/pipermail/rb-general/2021-January/002177.html)
profile-guided optimizations or code signing that invalidates hashes.
* Closed-source reproducible builds require the code owner to either grant * Closed-source reproducible builds require the code owner to either grant
source access to multiple independent rebuilders, which is unacceptable in source access to multiple independent rebuilders, which is unacceptable in
many cases, or develop multiple, independent in-house rebuilders, which is many cases, or develop multiple, independent in-house rebuilders, which is
likely prohibitively expensive. likely prohibitively expensive.
For these reasons, we do not strictly require reproducible builds as part of Therefore, SLSA does not require verified reproducible builds directly. Instead,
SLSA. Instead, we only _recommend_ reproducibility at SLSA 3 and allow verified verified reproducible builds are one option for implementing the requirements.
reproducible builds as one option for meeting the build requirements.
For more on reproducibility, see For more on reproducibility, see
[Hermetic, Reproducible, or Verifiable?](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=357) [Hermetic, Reproducible, or Verifiable?](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=357)
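Review bot: The unchanged bullet text "then an attacker can compromise all rebuilders, violating the assumption above" now has no antecedent. The previous hunk removed the sentence "A consumer can gain confidence in an artifact's provenance by querying multiple rebuilders, assuming that not all of the rebuilders have been compromised", and the new "Verified reproducible" paragraph states no explicit assumption. Either restate the independence assumption in that paragraph or reword this bullet so it stands alone, e.g. "then an attacker can compromise all rebuilders at once, defeating the independence that verified reproducibility relies on."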
......