How Debian and other open-source projects are making software more trustworthy

Why you should care

There has traditionally been no practical way to check that a binary was actually compiled from a given piece of source code. Even compiling that source a second time and comparing the two binaries wouldn't work: you'd need to reproduce the exact build environment (compiler version, libraries, build paths), and you'd need the build to avoid pulling in information that changes from one run to the next, such as the current date and time. But Debian and other free software projects are charging ahead with "reproducible builds," allowing anyone to compile a piece of software from source and confirm that the binary package they get is byte-for-byte identical to the one being offered for download.

Want to stay up to date on Linux, BSD, Chrome OS, and the rest of the World Beyond Windows? Bookmark the World Beyond Windows column page or follow our RSS feed.

Reproducible builds (also called "deterministic builds") provide a verifiable chain of trust from a binary back to its source code: if an independent rebuild produces exactly the same bytes as the published package, that package was built from the published source and nothing else. This helps confirm that no attacker, whether a government agency, a group of black-hat hackers, or one person with access to a free software project's build servers, has compromised the build system to produce packages with backdoors. It does not by itself prove the source is free of backdoors; what it does is move the question from trusting an opaque binary to auditing source code that anyone can read.