Securing the Software Supply Chain
Protecting the Digital Supply Chain describes in great detail the issues of having a secure software supply chain and how to solve them. At Purism we address the entire secure supply chain: hardware, firmware, kernel, software, and applications. Because the compilation of software can be independently verified, it is trivial to cryptographically verify that the software being installed has not been compromised. To trust that software has not been compromised on the servers that ship it, best security practice is to verify the integrity of the software produced by the build servers. Reproducible Builds, as part of PureOS, allow third-party security verification that the compilation from source code into binary matches the hashes published by other third parties, as well as Purism's own published source code and matching published hashes.
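The rebuild-and-compare check described above, as an added illustration rather than PureOS or Purism tooling: a toy "compiler" whose output depends on a build-time stamp unless that stamp is pinned (the role SOURCE_DATE_EPOCH plays in real build systems), and a verifier that trusts a local rebuild only when its hash agrees with every independently published hash, naming any party that disagrees. The source bytes, epoch value and builder names are constructed for the example.

```python
"""Toy reproducible-build verification (constructed example, not PureOS tooling)."""
import hashlib
import time
from typing import Dict, Optional

def build_artifact(source: bytes, source_date_epoch: Optional[int] = None) -> bytes:
    """Simulate a compiler that stamps its output with a build time.
    With the wall clock (source_date_epoch=None) two builds of the same source
    differ; pinning the stamp, as SOURCE_DATE_EPOCH does in real build tooling,
    makes the output a pure function of the source."""
    stamp = source_date_epoch if source_date_epoch is not None else time.time_ns()
    return f"BUILD-TIME:{stamp}\n".encode() + source

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_against_published(local_artifact: bytes, published: Dict[str, str]) -> dict:
    """Rebuild-and-compare check: the local rebuild's hash must equal every hash
    published by independent builders. One disagreeing party is enough to
    withhold trust, and the report names it."""
    local = sha256_hex(local_artifact)
    matches = {name: h.lower() == local for name, h in published.items()}
    return {
        "local_sha256": local,
        "matches": matches,
        "disagreeing": sorted(n for n, ok in matches.items() if not ok),
        "verified": bool(matches) and all(matches.values()),
    }

def scenario(vendor_injects: bytes = b"") -> dict:
    """Honest vs. tampered vendor build server; all parties pin the same epoch."""
    source = b"int main(void) { return 0; }\n"   # constructed source input
    epoch = 1700000000                           # constructed SOURCE_DATE_EPOCH value
    vendor_binary = build_artifact(source, epoch) + vendor_injects
    published = {
        "vendor": sha256_hex(vendor_binary),
        "independent_rebuilder": sha256_hex(build_artifact(source, epoch)),
    }
    return verify_against_published(build_artifact(source, epoch), published)

if __name__ == "__main__":
    print("honest vendor verified:", scenario()["verified"])
    print("tampered vendor, disagreeing parties:", scenario(b"<tampered>")["disagreeing"])
```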
Reproducible Build in PureOS
PureOS follows the best practices of Reproducible Builds and, as the chart below shows, already addresses the bulk of its software, with 100% of the software repository as the goal.
| Target | Status |
| --- | --- |
| Base Operating System | 100% |
| Base Operating System Installation Image | 90% |
| Coreboot | 100% |
| PureBoot | 100% |
| U-Boot | 100% |
| Linux Kernel | 100% |
| Entire Software Repository | 70% |
Source Code is Required in a Secure Software Supply Chain
Proprietary software, where you do not have access to the entirety of the source code, cannot be publicly reproduced, nor can anyone verify that its compilation isn't compromised. Partially available source code that includes a binary driver also fails, because it has unknown parts that get added, compromising the software as a whole. Fully Free Software with all the source code available is the only way to cryptographically guarantee that the software shipped from the build servers to a device matches the published source and has not been compromised, thus offering a secure software supply chain.
Trust but Verify
Most proprietary software companies try to tout security through marketing terminology, but if the source code is not released it cannot be verified. If you cannot verify the source code, it is a mystery and therefore cannot be properly trusted, no matter how shiny the pamphlet saying it is secure is. Proper security requires verification; reproducible builds offer cryptographic, independent verification and thus the best possible secure software supply chain.