Level of Knowledge: Beginner
- Why do we need Reproducible Builds?
  - Provides confidence to the consumer of high quality binaries
  - Secure Supply Chains
- How does a reproducible OpenJDK build achieve this?
  - Open source binary validation
  - System Bill of Materials (SBOM)
    - We know exactly what was used to build a binary
- Eclipse Adoptium leveraging standards for secure supply chains
  - CycloneDX SBOM
  - Secure Software Development Framework
- Reproducible builds at Eclipse Adoptium today
  - Describe the OpenJDK binaries available today that are fully reproducible
  - The work done to achieve reproducible builds
    - Upstream contributions to OpenJDK to enable deterministic binaries
      - List contributions...
- Describe the challenges of deterministic OpenJDK builds
  - Timestamps
  - Resource ordering
  - Debug symbol information
  - Challenges of signing
  - Build and source paths
  - Build environment information
  - Tooling and dependency information
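Two of the challenges listed above, timestamps and resource ordering, shown at the JAR (ZIP) level in an added Python example that is not Adoptium's build tooling: the same constructed inputs are packaged twice with different mtimes and entry order, first naively and then with sorted entries and a pinned timestamp (the SOURCE_DATE_EPOCH idea), and the SHA-256 of each archive is compared; `entry_diffs` reports which entries explain a mismatch.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the compiled classes and resources of a JAR.
RESOURCES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41main",
    "com/example/Util.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41util",
}
# Fixed timestamp in the spirit of SOURCE_DATE_EPOCH (ZIP has 2-second resolution).
FIXED_DATE_TIME = (2020, 1, 1, 0, 0, 0)


def build_jar(names, date_time, normalize=False):
    """Write RESOURCES to an in-memory JAR. With normalize=True the entry
    order is sorted and the mtime pinned, whatever the caller passed in."""
    if normalize:
        names, date_time = sorted(names), FIXED_DATE_TIME
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, RESOURCES[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entry_diffs(jar_a, jar_b):
    """Explain a mismatch: positions whose name, mtime or CRC differ."""
    za = zipfile.ZipFile(io.BytesIO(jar_a)).infolist()
    zb = zipfile.ZipFile(io.BytesIO(jar_b)).infolist()
    return [(ia.filename, ib.filename, ia.date_time, ib.date_time)
            for ia, ib in zip(za, zb)
            if (ia.filename, ia.date_time, ia.CRC) != (ib.filename, ib.date_time, ib.CRC)]


def compare_builds(normalize):
    """Build twice as two machines might: a different directory listing
    order and a different wall-clock time. Returns (hash_a, hash_b)."""
    a = build_jar(list(RESOURCES), (2024, 5, 1, 10, 0, 0), normalize)
    b = build_jar(list(reversed(RESOURCES)), (2024, 5, 2, 11, 0, 0), normalize)
    return sha256(a), sha256(b)


if __name__ == "__main__":
    print("naive      :", compare_builds(False))   # hashes differ
    print("normalized :", compare_builds(True))    # hashes match
```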
References:
- Useful reproducible build online references