June 21-24, 2022
Austin, Texas, USA + Virtual
Tuesday, June 21 • 4:55pm - 5:35pm
What Makes A Build Reproducible? - Rose Judge & Joshua Lock, VMware

Truly reproducible builds are an essential part of securing the software supply chain. They ensure that software vendors know exactly what is being shipped and can quickly pinpoint vulnerable components and apply fixes when a vulnerability or exploit comes to light. For open source projects, they allow users to verify that the built artifacts match the source code in the repository. Reproducible builds also enable software vendors to confidently ship code without having to assess and verify the trustworthiness of every third-party dependency's build process. The term "reproducible builds", however, is overloaded with definitions and expectations for behavior. So what exactly makes a build reproducible? There are at least three ways to define it: 1) a deterministic build process; 2) artifacts that can be recreated; and 3) binary, or bit-for-bit, reproducible output. For each of these common definitions of "reproducible build" this talk will propose an alternative term and explore the supply chain security implications of the definition. We hope this talk will motivate audience members to work towards reproducible builds, and at the least it should help them understand why reproducible builds matter.
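The following is an added example (not material from the talk or its speakers) that makes the three definitions concrete on a tiny constructed "source tree". A naive packager embeds the build time and emits entries in whatever order it receives them, so two runs are equivalent in content (definition 2, "artifacts that can be recreated") but not bit-for-bit identical (definition 3). The reproducible packager fixes the timestamp from a SOURCE_DATE_EPOCH-style value, sorts entries and pins permissions (definition 1, a deterministic process), and a SHA-256 comparison is the verification step a downstream user would run. All file names, contents and the epoch value here are constructed for illustration.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample source tree: path -> file bytes (not a real project).
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}

# Constructed fixed build timestamp (1980-01-01 UTC, the earliest a ZIP entry can carry).
SOURCE_DATE_EPOCH = 315532800


def build_naive(sources, now=None):
    """Non-deterministic packager: stamps each entry with the current time and
    writes entries in the order the mapping happens to yield them."""
    if now is None:
        now = time.localtime()[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, data in sources.items():
            info = zipfile.ZipInfo(path, date_time=now)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def build_reproducible(sources, source_date_epoch=SOURCE_DATE_EPOCH):
    """Deterministic packager: fixed timestamp, sorted entry order, fixed mode.
    Same inputs always yield the same bytes regardless of clock or input order."""
    stamp = time.gmtime(source_date_epoch)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path in sorted(sources):
            info = zipfile.ZipInfo(path, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # pin Unix permission bits
            z.writestr(info, sources[path])
    return buf.getvalue()


def digest(artifact):
    """SHA-256 of the artifact; the value a user compares against a published hash."""
    return hashlib.sha256(artifact).hexdigest()


def same_contents(a, b):
    """Weaker 'recreatable' check: same member names and bytes, ignoring
    timestamps, ordering and permissions."""
    def members(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return {name: z.read(name) for name in z.namelist()}
    return members(a) == members(b)


def bit_for_bit(a, b):
    """Strict check: the artifacts are byte-identical."""
    return digest(a) == digest(b)


if __name__ == "__main__":
    # Two naive builds one minute apart: same files inside, different bytes.
    n1 = build_naive(SOURCES, now=(2022, 6, 21, 16, 55, 0))
    n2 = build_naive(SOURCES, now=(2022, 6, 21, 16, 56, 0))
    print("naive: recreatable =", same_contents(n1, n2), "bit-for-bit =", bit_for_bit(n1, n2))

    # Two reproducible builds with the sources supplied in different order: identical bytes.
    r1 = build_reproducible(SOURCES)
    r2 = build_reproducible(dict(reversed(list(SOURCES.items()))))
    print("reproducible: bit-for-bit =", bit_for_bit(r1, r2), digest(r1))
```

Note that the ZIP format stores times at two-second resolution, so two naive builds within the same two-second window can coincide by luck; a build is only deterministic when its output never depends on such environmental inputs.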

Speakers
Rose Judge

Senior Open Source Engineer, VMware
Rose Judge is a Senior Open Source Engineer at VMware where she co-maintains Tern, an open source container inspection tool that generates container SBOMs. Additionally, she is a member of the SPDX Steering Committee and chair of the Linux Foundation's Automating Compliance Tooling...
Joshua Lock

Distinguished Engineer, Verizon
Joshua is Open Source Architect in Verizon's Open Source Program Office, where he leads efforts to improve consistency around how Verizon uses open source. As part of his work at Verizon he works upstream on software supply chain security standards and tools; he is a steering committee...

Tuesday June 21, 2022 4:55pm - 5:35pm CDT
Room 203/204 (Level 2)