Decentralized Validation of Reproducible Builds : A protocol for collaborative and decentralized validation of package reproducibility

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: As the threat of supply-chain attacks grows, the need for techniques to protect software integrity likewise increases. The concept of reproducible builds is one such protection. By ensuring that a package can be rebuilt in the exact same way every time, reproducible builds allow users to notice when a package has changed even though its source code stays the same. Thus, the knowledge of which packages are reproducible, and therefore easier to trust, is a crucial part of this protection mechanism. Current strategies for validating and distributing this information rely on the work of a small number of individual entities with limited coordination between them, leading to user confusion because of the lack of a central authority. This work describes a protocol for decentralized coordination and validation of package reproducibility, based on hidden votes to limit collusion and a reward scheme to ensure collaboration. The protocol uses the Hyperledger Fabric blockchain as supporting infrastructure, gaining the benefits of high availability, integrity of results and decision traceability from its decentralized nature. To test the protocol, a formal specification was written in TLA+ and validated through model checking. The results showed that, at least for the tested networks, the protocol produces valid results and enforces collaboration between users. Next steps for the project would be to build a functional prototype of the system to test its performance characteristics and to study the system actor assumptions made in the protocol design.