Reproducible Builds: Break a log, good things come in trees
Master thesis

Date
2019-06-26
Abstract
This thesis investigates how transparency log overlays can provide additional security guarantees for rebuilders building Debian packages. In Reproducible Builds, it is important to have a set of independent and distributed systems building packages to make sure they have not been tampered with. By putting BUILDINFO files and in-toto link metadata on a proof-of-concept rebuilder transparency log, we are able to detect tampering with the published logs despite the current scaling problems. This gives users and companies additional security guarantees in the software supply chain for Debian packages.