Details
Original language | English |
---|---|
Title of host publication | Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1527-1544 |
Number of pages | 18 |
ISBN (electronic) | 9781665493369 |
ISBN (print) | 978-1-6654-9337-6 |
Publication status | Published - 2023 |
Externally published | Yes |
Event | 44th IEEE Symposium on Security and Privacy, SP 2023 - Hybrid, San Francisco, United States. Duration: 22 May 2023 → 25 May 2023 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Volume | 2023-May |
ISSN (Print) | 1081-6011 |
Abstract
The 2020 Solarwinds attack was a tipping point that caused a heightened awareness about the security of the software supply chain and in particular the large amount of trust placed in build systems. Reproducible Builds (R-Bs) provide a strong foundation to build defenses for arbitrary attacks against build systems by ensuring that given the same source code, build environment, and build instructions, bitwise-identical artifacts are created. Unfortunately, much of the software industry believes R-Bs are too far out of reach for most projects. The goal of this paper is to help identify a path for R-Bs to become a commonplace property. To this end, we conducted a series of 24 semi-structured expert interviews with participants from the Reproducible-Builds.org project, finding that self-effective work by highly motivated developers and collaborative communication with upstream projects are key contributors to R-Bs. We identified a range of motivations that can encourage open source developers to strive for R-Bs, including indicators of quality, security benefits, and more efficient caching of artifacts. We also identify experiences that help and hinder adoption, which often revolves around communication with upstream projects. We conclude with recommendations on how to better integrate R-Bs with the efforts of the open source and free software community.
ASJC Scopus subject areas
- Engineering (all)
- Safety, Risk, Reliability and Quality
- Computer Science (all)
- Software
- Computer Science (all)
- Computer Networks and Communications
Cite
Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 1527-1544 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2023-May).
Publication: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › Peer-reviewed
TY - GEN
T1 - It's like flossing your teeth
T2 - 44th IEEE Symposium on Security and Privacy, SP 2023
AU - Fourné, Marcel
AU - Wermke, Dominik
AU - Enck, William
AU - Fahl, Sascha
AU - Acar, Yasemin
N1 - Funding Information: This work is supported in part by NSF grants CNS-2206865 and CNS-2207008. Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the view of funding agencies. We want to thank all interviewees for their participation and appreciate the valuable time that they have generously given. We also want to thank the anonymous reviewers for their valuable feedback.
PY - 2023
Y1 - 2023
AB - The 2020 Solarwinds attack was a tipping point that caused a heightened awareness about the security of the software supply chain and in particular the large amount of trust placed in build systems. Reproducible Builds (R-Bs) provide a strong foundation to build defenses for arbitrary attacks against build systems by ensuring that given the same source code, build environment, and build instructions, bitwise-identical artifacts are created. Unfortunately, much of the software industry believes R-Bs are too far out of reach for most projects. The goal of this paper is to help identify a path for R-Bs to become a commonplace property. To this end, we conducted a series of 24 semi-structured expert interviews with participants from the Reproducible-Builds.org project, finding that self-effective work by highly motivated developers and collaborative communication with upstream projects are key contributors to R-Bs. We identified a range of motivations that can encourage open source developers to strive for R-Bs, including indicators of quality, security benefits, and more efficient caching of artifacts. We also identify experiences that help and hinder adoption, which often revolves around communication with upstream projects. We conclude with recommendations on how to better integrate R-Bs with the efforts of the open source and free software community.
KW - Systems-Security
KW - Usable-Security-and-Privacy
UR - http://www.scopus.com/inward/record.url?scp=85166473775&partnerID=8YFLogxK
U2 - 10.1109/SP46215.2023.10179320
DO - 10.1109/SP46215.2023.10179320
M3 - Conference contribution
AN - SCOPUS:85166473775
SN - 978-1-6654-9337-6
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1527
EP - 1544
BT - Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 22 May 2023 through 25 May 2023
ER -