FreeBSD Backs Reproducible, Non-Rooted Builds

The FreeBSD Foundation has announced support for reproducible builds, so that distributed binaries can be shown to have been built from the published source code and to contain no hidden changes. It has also been revealed that FreeBSD can now be built in unprivileged environments that do not require root rights. This reduces the attack surface of the release build infrastructure and simplifies the organization of automated builds.

Previously, root rights were needed during the build to create device files, set file ownership and permissions, and mount additional file systems. These steps have been replaced with operations that do not require root. The changes have landed in the experimental branch of FreeBSD and will eventually be merged into the branch on which the FreeBSD 15.0 release is based. Beyond building a release from source, artifacts such as ISO images, installation and boot images for USB flash drives, and system images for virtual machines and cloud platforms can now also be created without root rights.

Reproducible builds ensure that binaries built from the same source code in different build environments are identical. Anyone can then verify that the distributed binaries were indeed built from the published source, without having to rely solely on trust in the project's build infrastructure. This guards against a compromised compiler or build toolchain that could otherwise be used to insert hidden vulnerabilities.

Achieving reproducible builds requires attention to several factors: exact matching of dependencies, an unchanged set and versions of build tools, identical build options and default settings, a stable order in which files are processed, and preventing the compiler from embedding volatile metadata in its output. Reproducibility can also be broken by bugs and race conditions in the tooling.
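The verification step described above (build twice, compare) and two of the listed factors (file order, embedded volatile metadata) are illustrated by the following added example. It is not FreeBSD project code: the "build" is a constructed stand-in that packs a small source tree into one artifact, and the helper names, the three-file source tree and the use of `SOURCE_DATE_EPOCH` as the fixed timestamp are the example's own assumptions. The naive builder embeds the build directory and the wall-clock time and walks the tree in whatever order find(1) returns it; the reproducible builder uses paths relative to the tree, a timestamp taken from the environment, and a sorted file list.

```shell
#!/bin/sh
# Added example, not FreeBSD project code. Runs a stand-in build twice in
# fresh directories and reports whether the two artifacts hash identically.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Constructed three-file "source tree" under $1 (hypothetical contents).
make_source_tree() {
  mkdir -p "$1/lib"
  printf 'int main(void){return 0;}\n' > "$1/main.c"
  printf 'int helper(void){return 1;}\n' > "$1/lib/helper.c"
  printf 'all: main.c lib/helper.c\n' > "$1/Makefile"
}

# Naive build: embeds the absolute build directory and the current time,
# and processes files in unsorted find(1) order. Any of these can make two
# otherwise identical builds differ.
build_naive() {
  srcdir=$1; out=$2
  {
    echo "BUILD_DIR=$srcdir"
    echo "BUILD_TIME=$(date +%s)"
    for f in $(find "$srcdir" -type f); do
      echo "== $f"; cat "$f"
    done
  } > "$out"
}

# Reproducible build: paths relative to the tree, a fixed timestamp taken
# from SOURCE_DATE_EPOCH (0 if unset), and a byte-order-sorted file list.
build_reproducible() {
  srcdir=$1; out=$2
  (
    cd "$srcdir"
    echo "BUILD_DIR=."
    echo "BUILD_TIME=${SOURCE_DATE_EPOCH:-0}"
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      echo "== $f"; cat "$f"
    done
  ) > "$out"
}

# Build with the given function twice, in two different directories, and
# print "identical" if the artifact hashes match, "differ" otherwise.
check_reproducible() {
  builder=$1
  t=$(mktemp -d)
  make_source_tree "$t/a/src"
  make_source_tree "$t/b/src"
  "$builder" "$t/a/src" "$t/a/out.bin"
  "$builder" "$t/b/src" "$t/b/out.bin"
  ha=$(sha256_of "$t/a/out.bin")
  hb=$(sha256_of "$t/b/out.bin")
  rm -rf "$t"
  if [ "$ha" = "$hb" ]; then echo identical; else echo differ; fi
}

printf 'naive build:        %s\n' "$(check_reproducible build_naive)"
printf 'reproducible build: %s\n' "$(check_reproducible build_reproducible)"
```

Running the script prints `differ` for the naive builder, because the absolute build path leaks into the artifact, and `identical` for the reproducible one. The same build-twice-and-compare loop is how an independent party checks a published binary against a rebuild from the source tree, which is the property the announcement is about.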
