Over the past year, software engineers have lived through the shock of infiltrated or intentionally broken NPM packages, supply chain attacks, long-unnoticed backdoors, and more. This has created a firestorm of activity around how to build software securely. Many organizations, from the Linux Foundation to the United States government, are calling for and building new practices and regulations, and one of the primary threads running through that work is “reproducible builds.”
It’s one thing to talk about reproducible builds and how they strengthen software supply chain security, but it’s quite another to effectively configure a reproducible build. Concrete steps for specific languages are a far larger topic than can be covered in a single blog post, but today we’ll be talking about some guiding principles when designing reproducible builds.