A presentation at Indy.Code() in Indianapolis, IN, USA by Brian Demers
Security and Productivity: Pick Two with Reproducible Builds
Brian Demers, Open Source Developer
@BrianDemers | bdemers
Who is this guy?
source: Silicon Valley
VS
Developer Productivity Engineering
Topics
• Reproducible Builds
  • What is it?
  • Why should you care?
• Developer productivity
  • How are these related?
  • Build Cache Tips & Tricks
Source → Build → Build → Verify (source: reproducible-builds.org)
data → hash function → 03ba204e50d126e4…
How did we get here?
Old way (META-INF/MANIFEST.MF)
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven
Built-By: jdcasey
Build-Jdk: 1.4.2_09
Extension-Name: maven-core
Specification-Title: Maven is a project development management and comprehension tool. Based on the concept of a project object model: builds, dependency management, documentation creation, site publication, and distribution publication are all controlled from the declarative file. Maven can be extended by plugins to utilise a number of other development tools for reporting or the build process.
Specification-Vendor: Apache Software Foundation
Implementation-Vendor: Apache Software Foundation
Implementation-Title: maven-core
Implementation-Version: 2.0.1
New Way (META-INF/MANIFEST.MF)
Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.3.0
Build-Jdk-Spec: 17
Specification-Title: Maven Core
Specification-Version: 3.9
Specification-Vendor: The Apache Software Foundation
Implementation-Title: Maven Core
Implementation-Version: 3.9.4
Implementation-Vendor: The Apache Software Foundation
The old manifest recorded who built the jar (Built-By) and the exact JDK patch level (Build-Jdk), so a rebuild by anyone else, on any other machine, produced a different file. The new one records only what the artifact specifies (the plugin and the JDK spec version), so two independent builds can produce byte-identical output.
Reproducible builds for security
• Binaries are not tampered with
• Build system not compromised
• Prevent backdoors
• Supply chain attacks
Compromised Toolchain
$ cp evil-compiler /usr/bin/compiler
$ unzip evil.zip -d /src/project
  extracting ../../etc/passwd
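The `unzip` line on the slide shows an archive choosing its own destination: an entry named `../../etc/passwd` is written outside `/src/project`. The following is an added example, written for this page rather than taken from the talk, of a fail-closed extractor that checks every entry against the destination before writing anything. The archives, their contents and the `demo()` helper are constructed for the demonstration.

```python
"""Fail-closed archive extraction that refuses "zip slip" entries.

Added example, not from the talk: every entry of an in-memory zip is
validated against the destination directory before anything is written,
so a hostile entry anywhere in the archive aborts the whole extraction.
The archives below are constructed for the demo.
"""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveEntry(ValueError):
    """An entry would land outside the destination directory."""


def safe_member_path(dest: Path, name: str) -> Path:
    """Map an archive entry name to a path under dest, or raise."""
    # Absolute paths and drive-letter paths never belong in an archive.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute path in archive: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()  # collapses '..' components
    if target != root and root not in target.parents:
        raise UnsafeArchiveEntry(f"path traversal in archive: {name!r}")
    return target


def is_safe_name(name: str) -> bool:
    """Check a single entry name against a throwaway destination."""
    try:
        safe_member_path(Path("/nonexistent/dest"), name)  # hypothetical dest
        return True
    except UnsafeArchiveEntry:
        return False


def safe_extract(archive: bytes, dest: Path) -> list[str]:
    """Extract an in-memory zip under dest; return the entry names written."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # Validate *all* entries first: a malicious entry late in the archive
        # must not be preceded by partially extracted files.
        plan = [(info, safe_member_path(dest, info.filename)) for info in zf.infolist()]
        written: list[str] = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def make_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; zipfile happily stores traversal names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN_ZIP = make_archive({"src/Main.java": b"class Main {}\n"})
EVIL_ZIP = make_archive({
    "src/Main.java": b"class Main {}\n",
    "../../etc/passwd": b"root::0:0:root:/:/bin/sh\n",  # the slide's entry
})


def demo() -> tuple[list[str], str, list[str]]:
    """Extract the benign archive, then show the hostile one is rejected outright."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        written = safe_extract(BENIGN_ZIP, project)
        try:
            safe_extract(EVIL_ZIP, project)
            rejection = ""
        except UnsafeArchiveEntry as err:
            rejection = str(err)
        # Nothing from the hostile archive was written, not even its safe entry.
        on_disk = sorted(p.name for p in project.rglob("*") if p.is_file())
    return written, rejection, on_disk
```

`Path.resolve()` follows symlinks, so the check also catches `sub/../../x` forms that a plain string prefix test misses. It does not cover archives whose entries are themselves symlinks (zipfile presents those as ordinary files unless you inspect `external_attr`); a complete extractor has to reject or re-check those too.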
Who should care?
• Open Source Projects
• Distributions
• Companies
• Users
Shouldn’t All Builds be Reproducible?
📆 Dates ⏰
• Current date/time
• Time Zone
• Locale/Format
• Dates in versions
File Dates
$ ls -alh target/scim-core-1.0.0-SNAPSHOT.jar
-rw-r--r--  bdemers  staff   56K Jul 27 12:32:43 2023
Dates in Archives (zip, tar, jar, etc.)
Archive: target/scim-core-1.0.0-SNAPSHOT.jar
  Date       Time   Name
---------- ----- ----
04-05-2023 08:23   META-INF/MANIFEST.MF
04-05-2023 08:23   META-INF/DEPENDENCIES
04-05-2023 08:23   META-INF/LICENSE
04-05-2023 08:23   META-INF/NOTICE
04-05-2023 08:23   META-INF/beans.xml
04-05-2023 08:23   META-INF/maven/org.apache.directory.scim/scim-core/pom.xml
04-05-2023 08:23   META-INF/maven/org.apache.directory.scim/scim-core/pom.properties
04-05-2023 08:23   org/apache/directory/scim/core/repository/PatchHandler.class
04-05-2023 08:23   org/apache/directory/scim/core/repository/Repository.class
04-05-2023 08:23   org/apache/directory/scim/core/repository/UpdateRequest.class
…
Random bits (xkcd.com/221)
OS & Environment (Save the Environment)
• File Encoding
• OS
• Tool Versions
• File Paths
• Locales
• .DS_Store
File Input / Output Order (xkcd.com/1834)
• Hash Maps / Dictionaries
• Serialized data
• File order in archives
How to Verify?
$ shasum -a 256 AAA-file.zip
80da7adf80a819db609ac6862931dc6c1cc04bf4c8ba292446021aa805aa3bfa
$ shasum -a 256 BBB-file.zip
80da7adf80a819db609ac6862931dc6c1cc04bf4c8ba292446021aa805aa3bfa
Diffoscope
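The slides on dates, archive timestamps and file order explain why two builds of the same sources hash differently, and the shasum and diffoscope slides show how to check. The following is an added example, written for this page rather than taken from the talk, that ties those together: Python's `zipfile` stands in for the jar tool, the class files are constructed, and `SOURCE_DATE_EPOCH` is the reproducible-builds.org convention for the fixed timestamp. `compare_builds()` hashes each pair of archives as the shasum slide does and, on mismatch, `explain_diff()` reports the per-entry cause the way diffoscope would.

```python
"""Why the same sources can hash differently, and the fix.

Added example (not the talk's code): the constructed class files below are
packed twice "naively" (wall-clock mtime per entry, entries in whatever order
the tree was walked) and twice "reproducibly" (mtime fixed from
SOURCE_DATE_EPOCH, entries sorted, file mode pinned).
"""
from __future__ import annotations

import hashlib
import io
import time
import zipfile

# Constructed stand-in for target/classes (not real compiler output).
CLASS_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Repository.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41repo",
    "org/example/PatchHandler.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41patch",
}
SOURCE_DATE_EPOCH = 1690000000  # e.g. the release commit's timestamp, fixed per release


def naive_jar(files: dict[str, bytes], build_time: time.struct_time) -> bytes:
    """Pack entries in the order given, each stamped with the build's clock."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=tuple(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def reproducible_jar(files: dict[str, bytes], source_date_epoch: int) -> bytes:
    """Pack entries sorted by name, all stamped with one fixed UTC time and mode."""
    stamp = tuple(time.gmtime(source_date_epoch))[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # don't leak the builder's umask
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def explain_diff(a: bytes, b: bytes) -> list[str]:
    """Mini diffoscope: say why two archives differ, entry by entry."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        names_a = [i.filename for i in za.infolist()]
        names_b = [i.filename for i in zb.infolist()]
        if names_a != names_b:
            findings.append("entry order differs")
        ia = {i.filename: i for i in za.infolist()}
        ib = {i.filename: i for i in zb.infolist()}
        for name in sorted(set(ia) | set(ib)):
            if name not in ia or name not in ib:
                findings.append(f"{name}: present in only one archive")
                continue
            if ia[name].date_time != ib[name].date_time:
                findings.append(f"{name}: timestamp {ia[name].date_time} != {ib[name].date_time}")
            if ia[name].external_attr != ib[name].external_attr:
                findings.append(f"{name}: file mode differs")
            if za.read(name) != zb.read(name):
                findings.append(f"{name}: content differs")
    return findings


def compare_builds() -> dict[str, object]:
    """Rebuild a day later on a machine that walks the tree in another order."""
    other_walk = dict(reversed(list(CLASS_FILES.items())))
    day1 = time.strptime("2023-07-27 12:32:43", "%Y-%m-%d %H:%M:%S")
    day2 = time.strptime("2023-07-28 09:00:00", "%Y-%m-%d %H:%M:%S")
    n1, n2 = naive_jar(CLASS_FILES, day1), naive_jar(other_walk, day2)
    r1 = reproducible_jar(CLASS_FILES, SOURCE_DATE_EPOCH)
    r2 = reproducible_jar(other_walk, SOURCE_DATE_EPOCH)
    return {
        "naive_match": sha256(n1) == sha256(n2),
        "naive_findings": explain_diff(n1, n2),
        "reproducible_match": sha256(r1) == sha256(r2),
        "reproducible_findings": explain_diff(r1, r2),
    }
```

The naive pair fails on entry order and on every entry's timestamp even though no byte of content changed; the normalized pair hashes identically regardless of when or in what order the tree was walked. In Maven the same normalization is what setting the `project.build.outputTimestamp` property turns on in the archiver-based plugins.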
How to get started?
Record how to rebuild
groupId=org.apache.commons
artifactId=commons-numbers-parent
display=${groupId}:${artifactId}
version=1.1
gitRepo=https://github.com/apache/commons-numbers.git
gitTag=rel/commons-numbers-${version}
tool=mvn
jdk=8
newline=lf
command="mvn -Prelease clean package -DskipTests -Dmaven.javadoc.skip \
 -Dgpg.skip -Dcommons.release.dryRun -Dcommons.release.isDistModule=false"
buildinfo=target/${artifactId}-${version}.buildinfo
Other Benefits
• Quality
• Debugging
• Smaller deltas in releases
• Bonus: Cacheable
Think about Docker builds
Build Caching
⬢ Ccache < 2002
  ○ Used by leading technology companies like Google and Facebook
⬢ Introduced to the Java world by Gradle in 2017
⬢ Maven has an open source build cache too
⬢ A build cache accelerates building a single source repository
  ○ A build cache caches build actions (e.g. Gradle tasks or Maven goals)
  ○ Can support both user local and remote caching for distributed teams
⬢ Build caches are complementary to dependency caches, not mutually exclusive:
  ○ A dependency cache caches fully compiled dependencies
What is a Build Cache?
Inputs → Gradle Tasks / Maven Goal Executions → Outputs
When the inputs have not changed, the output can be reused from a previous run.
Cache Key/Value Calculation
The cacheKey for Gradle Tasks/Maven Goals is based on the Inputs:
cacheKey(javaCompile) = hash(sourceFiles, jdk version, classpath, compiler args)
The cacheEntry contains the output:
cacheEntry[cacheKey(javaCompile)] = fileTree(classFiles)
For more information, see: https://docs.gradle.org/current/userguide/build_cache.html
Without a build cache, any change in a Maven project triggers a full rebuild. Gradle's incremental build avoids that for small edits, but a clean build or a switch between branches still rebuilds everything.
Changing a public method in the export-api module
Changing an implementation detail of a method in the service module
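The cache key formula on the slides, and the two change scenarios, are illustrated by the following added example, which is not Gradle's or Maven's code. It models a constructed two-module project, `export-api` and `service`, with the assumption that `service` compiles against `export-api`. Python source and the `ast` module stand in for Java: a module's "ABI" is the sorted list of its public function signatures, bodies are implementation detail. A consumer's key folds in the ABI of what it compiles against rather than the producer's full output, so an upstream body-only edit leaves the consumer's key (and its cache hit) intact, while a public signature change invalidates it. The sources, JDK string and compiler args are constructed for the demo.

```python
"""Build-cache keys and what invalidates them.

Added example (not Gradle's or Maven's code): models
cacheKey(compile) = hash(sourceFiles, jdk version, classpath, compiler args)
over a constructed two-module project where `service` depends on `export-api`.
"""
from __future__ import annotations

import ast
import hashlib


def abi_of(source: str) -> str:
    """Public surface of a module: names + parameter lists of top-level
    functions not starting with '_'. Bodies and private helpers are excluded."""
    sigs = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef) and not node.name.startswith("_"):
            params = ", ".join(a.arg for a in node.args.args)
            sigs.append(f"def {node.name}({params})")
    return "\n".join(sorted(sigs))


def digest(*parts: str) -> str:
    """Length-delimited SHA-256 over the parts, truncated for readability."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p.encode())
    return h.hexdigest()[:16]


def cache_key(sources: dict[str, str], jdk: str, classpath_abis: list[str],
              args: tuple[str, ...]) -> str:
    """cacheKey(compile) = hash(sourceFiles, jdk version, classpath ABIs, compiler args)."""
    src = digest(*(f"{name}\n{text}" for name, text in sorted(sources.items())))
    return digest(src, jdk, *classpath_abis, *args)


class BuildCache:
    """Content-addressed store of compile outputs, keyed by cache_key()."""

    def __init__(self) -> None:
        self.entries: dict[str, str] = {}
        self.hits = 0
        self.misses = 0

    def compile(self, module: str, key: str) -> str:
        if key in self.entries:
            self.hits += 1
        else:
            self.misses += 1
            self.entries[key] = f"{module}.jar@{key}"  # stand-in for the class files
        return self.entries[key]


JDK, ARGS = "17.0.8", ("-Xlint:all",)  # constructed toolchain inputs

# Constructed sources for the two modules (not from the talk's demo project).
EXPORT_API = 'def export(records, fmt):\n    return "\\n".join(fmt % r for r in records)\n'
EXPORT_API_BODY_CHANGE = 'def export(records, fmt):\n    lines = [fmt % r for r in records]\n    return "\\n".join(lines)\n'
EXPORT_API_SIGNATURE_CHANGE = 'def export(records, fmt, header):\n    return header + "\\n".join(fmt % r for r in records)\n'
SERVICE = 'from export_api import export\n\ndef report(records):\n    return export(records, "%s")\n'
SERVICE_BODY_CHANGE = 'from export_api import export\n\ndef report(records):\n    rows = list(records)\n    return export(rows, "%s")\n'


def build(cache: BuildCache, export_api_src: str, service_src: str) -> tuple[str, str]:
    """Compile export-api, then service against export-api's ABI; return both keys."""
    api_key = cache_key({"export_api.py": export_api_src}, JDK, [], ARGS)
    cache.compile("export-api", api_key)
    svc_key = cache_key({"service.py": service_src}, JDK, [digest(abi_of(export_api_src))], ARGS)
    cache.compile("service", svc_key)
    return api_key, svc_key


def scenario() -> dict[str, object]:
    """Run the slide's two change scenarios plus an upstream body-only edit."""
    cache = BuildCache()
    base = build(cache, EXPORT_API, SERVICE)                     # cold: 2 misses
    svc_body = build(cache, EXPORT_API, SERVICE_BODY_CHANGE)      # service miss, export-api hit
    api_body = build(cache, EXPORT_API_BODY_CHANGE, SERVICE)      # export-api miss, service hit (ABI unchanged)
    api_sig = build(cache, EXPORT_API_SIGNATURE_CHANGE, SERVICE)  # both miss
    return {"base": base, "svc_body": svc_body, "api_body": api_body,
            "api_sig": api_sig, "hits": cache.hits, "misses": cache.misses}
```

The counts are the point: over four builds only six of eight compiles run, and the two that are skipped are exactly the ones whose inputs, including the upstream ABI, did not change. Keying the consumer on the producer's full output instead would have made `api_body` a miss for both modules.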
Remote Build Cache
⬢ Shared among different machines
⬢ Speeds up development for the whole team
⬢ Reuses build results among CI agents/jobs and individual developers
source: https://www.cshl.edu/quiz/brain-interrupted/
A developer's day: Code → Wait Time for Local Build → Code → Debug Build Failure → Lunch → Code → Wait Time for Local Build → Sprint → Waiting time for CI Build → Investigate/Fix Flaky Tests
The anatomy of fast feedback cycles (key: new behavior → effect → key benefit)
Faster feedback cycles
• New behavior: more frequent builds, smaller change sets
• Productivity effects: less idle/wait time, less context switching, fewer merge conflicts → key benefit: more focused developers
• Quality effects: earlier quality checks, fewer downstream incidents, more efficient troubleshooting → key benefit: faster MTTR
Developer Productivity Engineering (DPE)
Progression of Productivity
The Future (image: Dwurban, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=116834907)
Other Ways to Speed up Builds
• Update your build tool
• Break project into modules
• Predictive Test Selection
• Test Distribution
Questions? Thank You! Slides, Links & Free Swag
Reproducible builds are crucial for ensuring software integrity but can be challenging to achieve. On the other hand, build caches provide a way to speed up builds by reusing previously-built artifacts and dependencies.
This talk will explore how reproducible builds and build caches can work together to create a more efficient, secure, and enjoyable development workflow. We will discuss the benefits and challenges of reproducible builds and build caches and provide practical tips for implementation.
HINT: If a build is reproducible, it’s also cacheable!
Attendees will come away with a solid understanding of reproducible builds and build caches and how to implement them to achieve faster, more reliable, and more secure software builds.