What Are Reproducible Builds?
A software build process that lets anyone independently rebuild the software from the published source code and verify, byte for byte, that the published binary is what that source produces.
Reproducible builds close the gap between "the source code is open" and "the binary you download matches the source code."
The Problem
- Open-source code can be reviewed, but how do you know the download matches?
- The build process could introduce backdoors not in the source
- Embedded timestamps, absolute build paths, and compiler differences make builds non-reproducible by default
How It Works
- Build process is fully documented and deterministic
- Anyone can follow the same steps and get byte-for-byte identical output
- Multiple parties build independently and compare results
- If they match, the binary provably corresponds to the source
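The following Python script is an added illustration of the problem and the process above; it is not code from any of the projects named on this page. It packages a small constructed source tree the way an unprepared build does (absolute build paths, wall-clock timestamps, the builder's uid, filesystem listing order, a gzip header stamped with "now") and then the deterministic way, and has two simulated independent builders ("alice" and "bob", both constructed, as are their paths and uids) compare digests. SOURCE_DATE_EPOCH is the real convention reproducible-build tooling uses for a pinned timestamp; the value used here is made up.

```python
"""Added example: why naive packaging is non-reproducible and what a
deterministic build changes. Not taken from any project named on the
page; all paths, names, uids and file contents below are constructed."""
import gzip
import hashlib
import io
import tarfile
import time

# Constructed source tree every builder starts from (identical bytes for all).
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 42; }\n",
    "README": b"demo project\n",
}

# Pinned release timestamp. SOURCE_DATE_EPOCH is the real convention that
# reproducible-build tooling reads; this particular value is made up.
SOURCE_DATE_EPOCH = 1_700_000_000

# Two independent builders (constructed). They differ in build directory,
# user id and the order in which their filesystem happens to list files.
BUILDERS = [
    {"name": "alice", "build_dir": "/home/alice/build", "uid": 1000,
     "order": ["README", "src/main.c", "src/util.c"]},
    {"name": "bob", "build_dir": "/tmp/ci-7f3a/work", "uid": 1337,
     "order": ["src/util.c", "src/main.c", "README"]},
]


def naive_build(builder, files=SOURCE_FILES):
    """Package the tree the way an unprepared build does: absolute build
    paths, wall-clock mtimes, the builder's uid, whatever order the
    directory listing returns, and a gzip header stamped with 'now'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:  # gzip mtime = now
        for rel in builder["order"]:
            info = tarfile.TarInfo(name=f"{builder['build_dir']}/{rel}")
            info.size = len(files[rel])
            info.mtime = time.time()
            info.uid = info.gid = builder["uid"]
            tar.addfile(info, io.BytesIO(files[rel]))
    return buf.getvalue()


def reproducible_build(builder, files=SOURCE_FILES):
    """Same inputs, but every environment-dependent field is normalised,
    so the builder argument no longer influences the output bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for rel in sorted(files):                 # fixed entry order
            info = tarfile.TarInfo(name=rel)      # relative path, no build dir
            info.size = len(files[rel])
            info.mtime = SOURCE_DATE_EPOCH        # pinned timestamp
            info.uid = info.gid = 0               # no builder identity
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[rel]))
    out = io.BytesIO()
    # gzip's own header carries an mtime too; pin it as well (cf. `gzip -n`).
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=SOURCE_DATE_EPOCH) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def list_entries(archive):
    """Entry names of a gzip-compressed tar, for inspecting the result."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.getnames()


def compare_builds(build_fn, builders=BUILDERS):
    """Several parties build independently and compare digests.
    Returns (all_match, {builder_name: digest})."""
    digests = {b["name"]: sha256(build_fn(b)) for b in builders}
    return len(set(digests.values())) == 1, digests


def verify_download(published, builder, build_fn=reproducible_build):
    """A downloader's check: rebuild from source and compare with what was
    published. True only if the published bytes are exactly what the
    source produces."""
    return sha256(published) == sha256(build_fn(builder))


if __name__ == "__main__":
    for fn in (naive_build, reproducible_build):
        match, digests = compare_builds(fn)
        print(f"{fn.__name__}: {'MATCH' if match else 'MISMATCH'}")
        for name, digest in digests.items():
            print(f"  {name}: {digest[:16]}...")
    published = reproducible_build(BUILDERS[0])
    print("download verifies:", verify_download(published, BUILDERS[1]))
    # A download whose bytes differ from the rebuild (here: first byte altered).
    altered = bytes([published[0] ^ 0xFF]) + published[1:]
    print("altered download verifies:", verify_download(altered, BUILDERS[1]))
```

Run as a script, the naive packaging yields a different digest per builder even though both started from the same source bytes, while the normalised packaging yields one digest, and the altered download fails the check. Real build systems have the same categories of nondeterminism (timestamps, paths, uids, ordering, compression metadata) spread across compilers, linkers and archivers, which is why the page's first step, a fully documented and deterministic build process, is the hard part.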
Projects with Reproducible Builds
- Tor Browser: Fully reproducible
- Signal: Android app is reproducible
- Tails: Reproducible ISOs
- Bitcoin Core: Reproducible builds via Guix
- F-Droid: Working toward reproducible builds for all apps
Why It Matters
Without reproducible builds, open source provides a false sense of security. You can read the code, but you can't verify that the code you read is what you're running.
Related Terms
Open Source
Software whose source code is made freely available for anyone to view, modify, and distribute. In privacy tools, open source allows independent security researchers to verify that the software does what it claims and contains no backdoors or hidden surveillance capabilities.
Supply Chain Attack
An attack that compromises a target by infiltrating a trusted supplier, vendor, or software dependency in their supply chain.
Supply Chain Transparency
The ability to verify the origin, integrity, and security of every component in a technology product, from hardware manufacturing to software dependencies.