Reproducible Builds are recommended for SLSA level 4, to reach the highest level of trust in a piece of software. Such a level seems completely out of reach for a normal project.
In reality, most Linux distributions have implemented Reproducible Builds over the last 10 years. And for the last 5 years, this has been applied successfully to many Open Source Java projects: more than 2000 releases verified as reproducible have been published to Maven Central by 500 projects, and these numbers keep growing.
In this session, we will demystify the practices for Reproducible Builds as they have been tested and improved in the field. We will explain the tools that help improve your Maven builds and verify that they really are reproducible: you will see, this work is rich in lessons that are useful well beyond security.
Warning: if you sleep during the session, you will get a bad grade on the final quiz that checks the skills acquired...
DEVOXX FRANCE 2024
About Me: Hervé Boutemy
● Java, since 1.0-beta
● CI, DevOps
● Enterprise Architecture
● DevSecOps
● Solutions Architect
● Software Supply Chain
● SBOM: CycloneDX, SPDX
● Reproducible Builds for the JVM:
○ discovered at Devoxx FR 2016 (post-processing)
○ actively working on it since January 2019 (Maven built-in)
● Maven PMC Member
● ASF Member
AGENDA
1. Reproducible Builds: what? why? how?
2. Reproducible Builds with Maven
- rebuild and check binaries
- configure your Maven build
3. Quiz: to be or not to be (Reproducible)
[diagram: input source code → builder → output binaries (the reference); a rebuilder, from the same input source code, must produce the same output binaries (bit for bit)]
“a set of software development practices that create an independently-verifiable path from source to binary code”
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process”
● my own experience
○ you have the source code of an OSS project, but are you really able to rebuild it?
■ is it the real Git commit? is a “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into the output binaries?
■ found so far: username, hostname, path to current directory, private key passphrase, …
○ enables build efficiency through a build cache
● when you outsource a new development
○ “of course”, in addition to binaries, they deliver source code + build instructions…
○ how do you audit that? do you just assume you get the expected binaries if you follow the instructions?
How?
● reproducible-builds.org:
3. objective: rebuild and validate that the output matches the original build.
2. requirement: the build environment should either be recorded or pre-defined = build specification.
1. prerequisite: the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded, and output always has to be written in the same order.
2. Reproducible Builds for Maven: Practice
/ 1. configure Maven build
/ 2. rebuild and check binaries
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix?
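The two prerequisites from the “How?” slide (no wall-clock timestamps recorded, output always written in the same order) and the “where is the difference?” question above, as an added Python example that is neither the talk's code nor Maven's: it packages constructed class bytes into a jar the naive way and then deterministically (a fixed timestamp standing in for Maven's project.build.outputTimestamp property), shows that only the second variant rebuilds bit for bit, and compares two jars entry by entry to report which attribute differs, in the spirit of diffoscope. The entry names, class bytes, timestamp and the locate_differences helper are the example's own constructions.

```python
"""Added example (not from the talk or from Maven): naive vs deterministic
jar packaging, plus an entry-by-entry locator for the difference.
Standard library only; the "compiled classes" are constructed inline."""
import hashlib
import io
import zipfile

# Constructed sample class files (entry name -> bytes), deliberately in the
# arbitrary order a filesystem walk might hand them to a packager.
SOURCES = {
    "org/example/B.class": b"\xca\xfe\xba\xbe B",
    "org/example/A.class": b"\xca\xfe\xba\xbe A",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}

# Fixed timestamp playing the role of Maven's project.build.outputTimestamp
# (ZIP stores DOS local time: year, month, day, hour, minute, second).
OUTPUT_TIMESTAMP = (2024, 4, 17, 10, 0, 0)


def build_naive(entries, now):
    """Jar as a naive packager writes it: entries in the order given, each
    stamped with the wall-clock time 'now' of this particular build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=now)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def build_reproducible(entries):
    """Same content, but entries sorted by name, every timestamp fixed and
    unix permissions normalized: nothing from the build environment leaks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=OUTPUT_TIMESTAMP)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed file mode, not umask
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def locate_differences(reference, rebuilt):
    """Answer 'where is the difference?': return a list of (entry, what)
    naming each attribute that differs (entry order, timestamp, content,
    permissions) between a reference jar and a rebuilt jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, \
            zipfile.ZipFile(io.BytesIO(rebuilt)) as new:
        ref_names, new_names = ref.namelist(), new.namelist()
        if ref_names != new_names and sorted(ref_names) == sorted(new_names):
            findings.append(("<central directory>", "entry order"))
        for name in sorted(set(ref_names) | set(new_names)):
            if name not in ref_names or name not in new_names:
                findings.append((name, "only in one jar"))
                continue
            a, b = ref.getinfo(name), new.getinfo(name)
            if a.date_time != b.date_time:
                findings.append((name, "timestamp"))
            if a.CRC != b.CRC or a.file_size != b.file_size:
                findings.append((name, "content"))
            if a.external_attr != b.external_attr:
                findings.append((name, "permissions"))
    return findings


if __name__ == "__main__":
    # Two naive builds five minutes apart: same classes, different bytes.
    first = build_naive(SOURCES, (2024, 4, 17, 10, 0, 0))
    second = build_naive(SOURCES, (2024, 4, 17, 10, 5, 0))
    print("naive rebuild identical:", sha256(first) == sha256(second))
    for entry, what in locate_differences(first, second):
        print("  differs:", entry, what)
    # Two deterministic builds: identical, whatever the clock says.
    print("reproducible rebuild identical:",
          sha256(build_reproducible(SOURCES)) == sha256(build_reproducible(SOURCES)))
```

Running it shows that the naive rebuild differs only in the per-entry timestamps, exactly the kind of difference diffoscope reports; a real jar produced by a plugin that has not been upgraded for reproducibility will typically show the same pattern, which is why the deck sends you to artifact:check-buildplan first.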
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds:
2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
= https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
(necessary updates, but perhaps not sufficient…)
Manual Checking for Reproducible Builds
1. during SNAPSHOT development: check locally that you get the same result twice
mvn clean install
mvn clean verify artifact:compare
ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impact
2. after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
or during release candidate review, or if the release is published somewhere else:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
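The rebuild-and-compare step above, as an added Python example that is neither the talk's code nor Maven's artifact:compare: it mirrors what such a comparison boils down to, a per-artifact checksum of the rebuilt output against the reference artifacts, skipping .asc files because OpenPGP signatures are not deterministic (which is why the rebuild commands pass -Dgpg.skip). The directory layout, artifact names and contents created in demo() are constructed for the example; in a real run the reference directory would be filled from the reference repository (Maven Central, or the staging repository given as -Dreference.repo).

```python
"""Added example (not from the talk or from Maven): a minimal stand-in for
an artifact:compare style check, rebuilt artifacts vs reference artifacts
by checksum, with a verdict per artifact and a one-line summary."""
import hashlib
import tempfile
from pathlib import Path

# Never expected to match: signatures are non-deterministic by design.
SKIP_SUFFIXES = (".asc",)


def sha1_of(path):
    """SHA-1 of a file, the checksum Maven repositories publish next to
    each artifact."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_artifacts(rebuilt_dir, reference_dir):
    """Return {artifact name: 'ok' | 'ko' | 'missing'} for every artifact in
    rebuilt_dir; 'missing' means no reference artifact of that name exists."""
    verdicts = {}
    for path in sorted(Path(rebuilt_dir).iterdir()):
        if not path.is_file() or path.name.endswith(SKIP_SUFFIXES):
            continue
        ref = Path(reference_dir) / path.name
        if not ref.is_file():
            verdicts[path.name] = "missing"
        elif sha1_of(path) == sha1_of(ref):
            verdicts[path.name] = "ok"
        else:
            verdicts[path.name] = "ko"
    return verdicts


def summarize(verdicts):
    """One-line summary; a build is reproducible only when ko == 0."""
    ok = sum(v == "ok" for v in verdicts.values())
    ko = sum(v == "ko" for v in verdicts.values())
    return f"ok={ok} ko={ko} missing={len(verdicts) - ok - ko}"


def demo():
    """Constructed layout: 'target' holds the rebuild, 'reference' holds the
    artifacts as they would be fetched from the reference repository."""
    with tempfile.TemporaryDirectory() as tmp:
        rebuilt = Path(tmp, "target")
        reference = Path(tmp, "reference")
        rebuilt.mkdir()
        reference.mkdir()
        same = b"PK\x03\x04 identical jar bytes (constructed)"
        (rebuilt / "demo-1.0.jar").write_bytes(same)
        (reference / "demo-1.0.jar").write_bytes(same)
        # A sources jar that picked up something from the build environment.
        (rebuilt / "demo-1.0-sources.jar").write_bytes(b"PK\x03\x04 rebuilt on host A")
        (reference / "demo-1.0-sources.jar").write_bytes(b"PK\x03\x04 built on host B")
        # A pom the reference repository does not have, and a skipped signature.
        (rebuilt / "demo-1.0.pom").write_bytes(b"<project/>")
        (rebuilt / "demo-1.0.jar.asc").write_bytes(b"-----BEGIN PGP SIGNATURE-----")
        return compare_artifacts(rebuilt, reference)


if __name__ == "__main__":
    result = demo()
    for name, verdict in result.items():
        print(f"{verdict:8} {name}")
    print(summarize(result))
```

Any 'ko' artifact is the input for the next step of the deck: locate the differing entry, inspect it with diffoscope, then decide whether the fix is worth it.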
With Maven: Just do It!
1. Enable Reproducible Builds: artifact:check-buildplan
2. Audit your Binaries: artifact:compare
3. Look at issues: diffoscope
4. Fix what brings additional value
Audit and report at scale: copy reproducible-central and adapt it to your local repository
./rebuild.sh <path/to/...>/<project>-<version>.buildspec