
Reproducible Builds and Insights from an Independent Verifier for Arch Linux

dc.contributor.author: Drexel, Joshua
dc.contributor.author: Hänggi, Esther
dc.contributor.author: Veiga, Iyán Méndez
dc.contributor.editor: Wendzel, Steffen
dc.contributor.editor: Wressnegger, Christian
dc.contributor.editor: Hartmann, Laura
dc.contributor.editor: Freiling, Felix
dc.contributor.editor: Armknecht, Frederik
dc.contributor.editor: Reinfelder, Lena
dc.date.accessioned: 2024-04-19T12:54:03Z
dc.date.available: 2024-04-19T12:54:03Z
dc.date.issued: 2024
dc.description.abstract: Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges. We contribute to the reproducible builds effort by setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot, the recommended software to install TLS certificates from Let’s Encrypt, making them unreproducible. Additionally, we find the root cause of unreproducibility in the source code of fwupd, a critical software used to update device firmware on Linux devices, and submit an upstream patch to fix it.
dc.identifier.doi: 10.18420/sicherheit2024_016
dc.identifier.isbn: 978-3-88579-739-5
dc.identifier.pissn: 1617-5468
dc.identifier.uri: https://dl.gi.de/handle/20.500.12116/43956
dc.language.iso: en
dc.publisher: Gesellschaft für Informatik e.V.
dc.relation.ispartof: Sicherheit 2024
dc.relation.ispartofseries: Lecture Notes in Informatics (LNI) - Proceedings Volume P-345
dc.subject: Reproducible Builds
dc.subject: Supply Chain Security
dc.subject: FOSS
dc.subject: Arch Linux
dc.title: Reproducible Builds and Insights from an Independent Verifier for Arch Linux
dc.type: Text/Conference Paper
gi.citation.endPage: 257
gi.citation.publisherPlace: Bonn
gi.citation.startPage: 243
gi.conference.date: 09.-11.04.2024
gi.conference.location: Worms
gi.conference.sessiontitle: Full Paper Session 7 – Network and Software Security

Files

Original bundle
Name: A7-3.pdf
Size: 333.51 KB
Format: Adobe Portable Document Format