E.2.6 Reproducible builds

Control Details

Objective

Provide a mechanism to confirm that released artifacts correspond to their published source and that no malicious backdoor has been injected during the build process.

Definition

Follow recommended security practices to deploy, operate, and maintain build tools and toolchains, including reproducible build steps: the artifacts are rebuilt from the same source and inputs in a trusted build environment, sources of non-determinism (timestamps, build paths, file ordering, and similar) are eliminated, and the result is compared bit-for-bit with the original output so that the match can be cryptographically attested.
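As an added example (not material from this page, nor code from S2C2F or the CNCF paper it cites), the following Python script builds a small constructed source tree twice in fresh temporary directories, which stand in for two independent protected build environments, and compares the results bit-for-bit. The naive packager leaves in a wall-clock build stamp, the absolute build path, directory walk order, live file metadata and the gzip header timestamp; the reproducible one pins or removes each of those. The SOURCE_DATE_EPOCH value, the file tree and all function names are assumptions made for the demonstration.

```python
"""Added example: two builds of one constructed source tree, compared bit-for-bit,
once with common sources of non-determinism left in and once with them pinned."""
import gzip
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed input: a tiny project tree that every build starts from.
SOURCE_TREE = {
    "bin/run.sh": "#!/bin/sh\necho hello\n",
    "README": "demo project\n",
    "lib/util.py": "def f():\n    return 1\n",
}

# Assumed value: in practice the commit timestamp, passed to the build through the
# SOURCE_DATE_EPOCH convention that reproducible-builds tooling honours.
SOURCE_DATE_EPOCH = 1700000000


def checkout(root: Path) -> Path:
    """Write the constructed tree under root, as a fresh checkout would."""
    src = root / "src"
    for rel, text in SOURCE_TREE.items():
        path = src / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return src


def naive_build(src: Path) -> bytes:
    """Package the tree the way an unhardened release script often does.

    Left in on purpose: a wall-clock build stamp, the absolute build path,
    filesystem walk order, live file metadata and the gzip header timestamp.
    """
    (src / "BUILD_INFO").write_text(f"built {time.time_ns()} in {src.resolve()}\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:  # gzip header records time.time()
        for path in src.rglob("*"):  # order is whatever the OS returns; mtimes are live
            tf.add(path, arcname=path.relative_to(src).as_posix(), recursive=False)
    return buf.getvalue()


def reproducible_build(src: Path) -> bytes:
    """Same tree, with every input that varies between environments pinned."""
    (src / "BUILD_INFO").write_text(f"source-date-epoch {SOURCE_DATE_EPOCH}\n")

    def normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
        info.mtime = SOURCE_DATE_EPOCH  # integer, not the float checkout time
        info.uid = info.gid = 0  # not the build user's ids
        info.uname = info.gname = ""
        info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644  # umask-independent
        return info

    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:  # fixed gzip timestamp
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tf:
            for path in sorted(src.rglob("*")):  # fixed member order
                tf.add(path, arcname=path.relative_to(src).as_posix(),
                       recursive=False, filter=normalize)
    return buf.getvalue()


def build_artifact(builder) -> bytes:
    """Check out and build in a fresh directory, standing in for one
    independent protected build environment."""
    with tempfile.TemporaryDirectory() as tmp:
        return builder(checkout(Path(tmp)))


def verify_reproducible(builder) -> bool:
    """The control's check: two independent builds must hash identically.
    The digest is the value a build attestation would sign."""
    first = hashlib.sha256(build_artifact(builder)).hexdigest()
    second = hashlib.sha256(build_artifact(builder)).hexdigest()
    return first == second


def explain_difference(a: bytes, b: bytes) -> list[str]:
    """When the check fails, say where: members whose header or content differ,
    member order, or the gzip wrapper. (diffoscope does this far more thoroughly.)"""
    def members(blob: bytes):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
            order = [m.name for m in tf.getmembers()]
            data = {m.name: (m.mtime, m.uid, m.gid, m.uname, m.mode,
                             tf.extractfile(m).read() if m.isfile() else None)
                    for m in tf.getmembers()}
        return order, data

    order_a, data_a = members(a)
    order_b, data_b = members(b)
    diffs = [n for n in sorted(data_a.keys() | data_b.keys()) if data_a.get(n) != data_b.get(n)]
    if order_a != order_b:
        diffs.append("member order")
    if not diffs and a != b:
        diffs.append("gzip header")
    return diffs


if __name__ == "__main__":
    print("naive build reproducible?       ", verify_reproducible(naive_build))
    print("  differs in:", explain_difference(build_artifact(naive_build), build_artifact(naive_build)))
    print("reproducible build reproducible?", verify_reproducible(reproducible_build))
```

Running the script reports the naive packager as not reproducible, naming at least BUILD_INFO as a differing member, and the normalized packager as reproducible. In a real pipeline the second build runs on a separate host, the matching digest is bound to the source revision in a signed attestation, and a tool such as diffoscope takes the place of explain_difference when a comparison fails.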

Assessment Questions

  1. Describe your stance on reproducible builds. For example, do you rebuild releases in separate protected environments and compare the results bit-for-bit?

Reference sources

  1. S2C2F REB-1
  2. CNCF-SSC BP-V Validate build artifacts through verifiably reproducible builds
  3. CNCF-SSC BP-V Recommendations for reproducible builds