Secure Software Supply Chain with Reproducible Builds

Securing the Software Supply Chain

Protecting the Digital Supply Chain describes in great detail the issues of having a secure software supply chain and how to solve them. At Purism we address the entire secure supply chain, from hardware and firmware through the kernel, software, and applications. Because the compilation of software can be independently verified, it is trivial to cryptographically verify that the software being installed has not been compromised. To properly trust that software has not been compromised on the servers that ship it, best security practice is to verify the integrity of the software produced by the build servers. Reproducible Builds, as part of PureOS, allow third-party security verification that the compilation from source code into a binary matches the hashes published by other third parties, as well as Purism’s own published source code and matching published hashes.
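The check described above, as an added example that is not Purism’s or PureOS’s own tooling: a build server packages a (constructed) source tree and publishes the artifact’s SHA-256, and an independent party rebuilds the same source on a different machine and compares hashes. The build is only reproducible once builder-specific metadata (timestamps, ownership, file order) is normalised; the fixed-epoch mtime and the sample files are assumptions for the demonstration.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree (file name -> contents); not a PureOS package.
SOURCE_TREE = {
    "usr/share/doc/hello/README": b"Example package\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}


def build_package(tree, build_time, uid, reproducible):
    """Pack `tree` into an uncompressed tar archive and return its bytes.

    reproducible=False records the builder's wall-clock time and uid/gid and
    adds files in whatever order they were listed, so two honest builders
    produce different bytes from identical source.
    reproducible=True pins mtime to a fixed epoch (the SOURCE_DATE_EPOCH
    convention; 0 here is an assumption), zeroes ownership and sorts members,
    so every builder produces identical bytes from identical source.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        names = sorted(tree) if reproducible else list(tree)
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = 0 if reproducible else build_time
            info.uid = info.gid = (0 if reproducible else uid)
            info.uname = info.gname = ("" if reproducible else "builder")
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_rebuild(local_artifact, published_hash):
    """Third-party check: hash the local rebuild, compare with the published hash."""
    return hmac.compare_digest(sha256_hex(local_artifact), published_hash)


if __name__ == "__main__":
    # The build server builds at one time as uid 1000; a verifier rebuilds a day later as uid 501.
    for mode in (False, True):
        server = build_package(SOURCE_TREE, 1_700_000_000, 1000, mode)
        rebuild = build_package(SOURCE_TREE, 1_700_086_400, 501, mode)
        print("reproducible" if mode else "non-reproducible", verify_rebuild(rebuild, sha256_hex(server)))
```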

Reproducible Build in PureOS

PureOS follows the best practices of Reproducible Builds and, as the chart below shows, already addresses the bulk of its software, with 100% of the software repository as the goal.

Target                                    Status
Base Operating System                     100%
Base Operating System Installation Image  90%
Coreboot                                  100%
PureBoot                                  100%
U-Boot                                    100%
Linux Kernel                              100%
Entire Software Repository                70%

Source Code is Required in a Secure Software Supply Chain

Proprietary software—where you do not have access to the entirety of the source code—cannot be publicly reproduced, nor can anyone verify that its compilation isn’t compromised. Partially available source code that includes a binary driver also fails, since it has unknown parts that get added, compromising the software as a whole. Fully Free Software with all the source code available is the only way to cryptographically guarantee that the software shipped from the build servers to a device matches and has not been compromised, thus offering a secure software supply chain.

Trust but Verify

Most proprietary software companies try to tout security through marketing terminology, but if the source code is not released it cannot be verified. If you cannot verify the source code, it is a mystery, and therefore cannot be properly trusted—no matter how shiny the pamphlet saying it is secure is. Proper security requires verification; reproducible builds offer cryptographic, independent verification and thus the best possible secure software supply chain.

Our Products

We believe people should have secure devices that protect them rather than exploit them. To that purpose, we provide everything you need in a convenient hardware and software product. We offer high-quality hardware and software with a focus on privacy, security, and freedom.