Reproducible Builds is one of the important features in recent Open Source Software based development and delivery especially from security perspective. It ensures that identical binaries are always generated from a specific source code. If binaries built and released by certain open projects reproducible, users can verify that such pre-built binaries are generated by trusted ways. This results in that supply chain the binaries are included becomes secure in terms of ensuring no malicious code is injected into the binaries during its build process. Reproducible Builds project is the central community to define such necessity of Reproducible Builds and discuss how it can be technically achieved independent from any specific projects.

CIP Core WG provides reference images which consist of Debian binary packages and some additional components to adjust system configurations for target devices / use cases. Because CIP Core reference images are intended to be installed into some embedded devices which are listed as CIP reference H/W to be tested regularly, they are generated as ready-to-install disk image, which consist of bootloader, kernel, and root filesystem. Considering the situations where CIP users would use such base image as is or make their own customizations on top of it then release for their projects, there should be demands to make such “whole CIP Core image” reproducible.

In addition to the security aspect above, reproducible image significantly helps developers or users to focus on essential changes in practical situations like below:

• Functional differences between multiple (released) images is clarified by excluding as many non essential changes as possible
• Delta update image size is minimized in situations where users update devices by only applying “delta” from old to new image

Based on the background above, CIP defines our goals of Reproducible Builds activities as below:

• Make CIP Core “images” reproducible
  • Typically their format is disk image that is ready-to-install
• Regularly check the reproducibility of CIP Core image using CI

It is well known that many Linux distributors also have the same goal and regularly working to make their images reproducible. CIP will try to resolve all technical issues to achieve the goals above by checking the existing solutions among the communities, raising some discussions with related upstream projects to find better ways to resolve issues, and make our results open in the Reproducible Builds community to share such solutions, technical methods, or know-how.

By a lot of effort in the community so far, most Debian packages are now reproducible. More concrete situation (i.e. the number of reproducible packages) can be checked in the test results in Reproducible Builds project. On top of this, it's required to make other parts of CIP's reference image reproducible. Here are several examples CIP needs to care:

• Files that are added or modified by post install processes of individual Debian package
• Custom packages that are built along with the CIP image
  • Kernel, SWUpdate, custom data to configure systems, etc.
• Time-stamp information in various data
• Metadata of partition and filesystem

All technical activities to resolve reproducible issues like above are handled in the image generation tool of CIP Core: isar-cip-core. The Reproducible-Builds label is used to track all reproducibility issues in CIP Core.

The CI jobs are implemented to verify reproducibility of CIP Core images for individual targets. The goal is to make all jobs passing and confirm it regularly against every update in Debian package, extra packages that are installed in the image, and isar-cip-core recipes.