September 7, 2015.
"You need two compilers," Lunar explained, "with one that you somehow trust. Then you build the compiler under test twice, once with each compiler, and then you use the compilers that you just built to build the compiler under test again.
"If the output is the same, then no backdoors," he added. "But for this scheme to work, you need to be able to compare that both build outputs are the same. And that's exactly what we are enabling when having reproducible builds."
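As an added illustration (not code from the talk or from Debian's tooling), the following Python models the two-compiler scheme Lunar describes with a toy compiler and shows why the final comparison only tells you anything when builds are reproducible; the `Binary` class, the `COMPILER` marker and the build-noise field are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """Toy model of a compiled artefact: what source it came from, whether it
    carries a self-propagating trojan, and any non-reproducible build noise."""
    src_hash: str
    trojaned: bool
    noise: str = ""  # e.g. an embedded build timestamp; empty when the build is reproducible


def compile_with(compiler: Binary, source: str, reproducible: bool = True, tick: int = 0) -> Binary:
    """Compile `source` with `compiler`. A trojaned compiler re-inserts the trojan
    whenever it recognises that it is compiling a compiler (Thompson's attack),
    so the trojan never has to appear in any source file a reviewer could read."""
    trojan_in_output = compiler.trojaned and source.startswith("COMPILER")
    noise = "" if reproducible else f"built-at-{tick}"  # constructed stand-in for timestamps, paths, etc.
    return Binary(hashlib.sha256(source.encode()).hexdigest(), trojan_in_output, noise)


def ddc_passes(trusted: Binary, suspect: Binary, source: str, reproducible: bool = True) -> bool:
    """Diverse double-compiling as described in the quote: build the compiler
    under test once with each compiler, then once more with each result, and
    report whether the two final builds are bit-for-bit identical."""
    stage1_trusted = compile_with(trusted, source, reproducible, tick=1)
    stage1_suspect = compile_with(suspect, source, reproducible, tick=2)
    stage2_trusted = compile_with(stage1_trusted, source, reproducible, tick=3)
    stage2_suspect = compile_with(stage1_suspect, source, reproducible, tick=4)
    return stage2_trusted == stage2_suspect


# Constructed sample inputs (not real compilers): a stand-in source tree for the
# compiler under test, a bootstrap compiler we trust, and two candidate binaries
# that both claim to have been built from that same source.
COMPILER_SOURCE = "COMPILER: lexer, parser, optimiser, codegen"
SRC_HASH = hashlib.sha256(COMPILER_SOURCE.encode()).hexdigest()
TRUSTED = Binary("independent-bootstrap", trojaned=False)
CLEAN_SUSPECT = Binary(SRC_HASH, trojaned=False)
TROJANED_SUSPECT = Binary(SRC_HASH, trojaned=True)

if __name__ == "__main__":
    print("clean compiler, reproducible build :", ddc_passes(TRUSTED, CLEAN_SUSPECT, COMPILER_SOURCE))
    print("trojaned compiler, reproducible     :", ddc_passes(TRUSTED, TROJANED_SUSPECT, COMPILER_SOURCE))
    # Without reproducible builds the comparison fails even for a clean compiler,
    # so the check is useless: that is the gap reproducible builds close.
    print("clean compiler, non-reproducible    :", ddc_passes(TRUSTED, CLEAN_SUSPECT, COMPILER_SOURCE, reproducible=False))
```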
According to Lunar, 83 percent of Debian packages are now built reproducibly, and more join the party every day.
"If we look at the code and the binary gets owned because some system somewhere has been compromised, and we don't know about it, then we're doomed," Lunar told the audience.
"Reproducible builds should become the norm. Let's make this the default for all software we produce."