Reproducible Builds and Insights from an Independent Verifier for Arch Linux
dc.contributor.author | Drexel, Joshua | |
dc.contributor.author | Hänggi, Esther | |
dc.contributor.author | Veiga, Iyán Méndez | |
dc.contributor.editor | Wendzel, Steffen | |
dc.contributor.editor | Wressnegger, Christian | |
dc.contributor.editor | Hartmann, Laura | |
dc.contributor.editor | Freiling, Felix | |
dc.contributor.editor | Armknecht, Frederik | |
dc.contributor.editor | Reinfelder, Lena | |
dc.date.accessioned | 2024-04-19T12:54:03Z | |
dc.date.available | 2024-04-19T12:54:03Z | |
dc.date.issued | 2024 | |
dc.description.abstract | Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges. We contribute to the reproducible builds effort by setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot, the recommended software to install TLS certificates from Let’s Encrypt, making them unreproducible. Additionally, we find the root cause of unreproduciblity in the source code of fwupd, a critical software used to update device firmware on Linux devices, and submit an upstream patch to fix it. | en |
dc.identifier.doi | 10.18420/sicherheit2024_016 | |
dc.identifier.isbn | 978-3-88579-739-5 | |
dc.identifier.pissn | 1617-5468 | |
dc.identifier.uri | https://dl.gi.de/handle/20.500.12116/43956 | |
dc.language.iso | en | |
dc.publisher | Gesellschaft für Informatik e.V. | |
dc.relation.ispartof | Sicherheit 2024 | |
dc.relation.ispartofseries | Lecture Notes in Informatics (LNI) - Proceedings Volume P-345 | |
dc.subject | Reproducible Builds | |
dc.subject | Supply Chain Security | |
dc.subject | FOSS | |
dc.subject | Arch Linux | |
dc.title | Reproducible Builds and Insights from an Independent Verifier for Arch Linux | en |
dc.type | Text/Conference Paper | |
gi.citation.endPage | 257 | |
gi.citation.publisherPlace | Bonn | |
gi.citation.startPage | 243 | |
gi.conference.date | 09.-11.04.2024 | |
gi.conference.location | Worms | |
gi.conference.sessiontitle | Full Paper Session 7 – Netzwerk- und Softwaresicherheit |
Dateien
Originalbündel
1 - 1 von 1