June 21-24, 2022
Austin, Texas, USA + Virtual
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central Daylight Time (UTC -5). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Tuesday, June 21 • 4:55pm - 5:35pm
What Makes A Build Reproducible? - Rose Judge & Joshua Lock, VMware

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Truly reproducible builds are an essential part of securing the software supply chain. They ensure that software vendors know exactly what’s being shipped and can quickly pinpoint vulnerable components and remediate fixes in light of a vulnerability or exploit. For open source projects, they allow our users to verify that the built artifacts match the source code in the repository. Reproducible builds also enable software vendors to confidently ship code without having to assess and verify third party dependency build process trustworthiness. The term “reproducible builds”, however, is overloaded with definitions and expectations for behavior. So what exactly makes a build reproducible? There’s at least three ways to define it: 1) Deterministic build process; 2) Artifacts that can be recreated; and 3) Binary, or bit-for-bit, reproducible. For each of these common definitions of “reproducible build” this talk will propose an alternative term and explore the supply chain security implications of the definition. We hope this talk will motivate audience members to work towards reproducible builds but at least should help understand why reproducible builds matter.

avatar for Rose Judge

Rose Judge

Senior Open Source Engineer, VMware
Rose Judge is a Senior Open Source Engineer at VMware where she co-maintains Tern, an open source container inspection tool that helps users make better decisions for their container supply chain. She previously spent five years packaging and debugging custom Linux Operating Systems... Read More →
avatar for Joshua Lock

Joshua Lock

Staff Open Source Engineer, VMware
Joshua has spent most of his career as a software engineer working on open source in the software supply chain and secure software delivery space. In his role as the security domain lead at the VMware Open Source Technology Center, he contributes to upstream secure software supply... Read More →

Tuesday June 21, 2022 4:55pm - 5:35pm CDT
Room 203/204 (Level 2)