About Reproducible Builds

Reproducible Builds is a set of software development practices that create an independently-verifiable path from source to binary code. It allows users to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source. This helps to ensure the security of the ‘supply chains’ used in open source software—preventing attacks targeting the complex systems that build shared digital infrastructure.

Audit Description

OTF’s Security Lab partner Security Research Labs conducted a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of the Reproducible Builds code and documentation between October and December 2024. The audit included threat modeling, security design coverage checks, implementation baseline checks, and remediation support. Auditors assessed the codebase for resilience against hacking, with key areas including differential report formats, common client web attacks, command injection, privilege management, hidden modifications in the build process, and attack vectors that could enable denials of service. The testing approach combined manual code inspection and static analysis.

Scope

The audit focused on three core Reproducible Builds tools: diffoscope, a Python application that unpacks archives of files and directories and transforms their binary formats into human-readable form in order to compare them; strip-nondeterminism, a Perl program that improves reproducibility by stripping out “non-deterministic” information such as timestamps or other elements introduced during packaging; and reprotest, a Python application that builds source code multiple times in various environments in order to test reproducibility.

Findings

Auditors did not uncover any “high-” or “critical-severity” issues. They did detect three “medium-severity” vulnerabilities:

  • Undetected modification in ELF binary: The diffoscope function skipped certain sections of ELF binary files (a standard format for executable and linkable files). Because these file sections are skipped (e.g., sections that begin with “.debug” or “.zdebug”), certain differences could go undetected in ELF files, even after a binary comparison. This could result in undetected modifications that allow for malicious behavior or hidden backdoors.

  • XML parsing via old versions of Python’s xml.minidom is vulnerable to XEE attacks: When the diffoscope function parses XML DOM content, it relies on the standard Python library xml.minidom in some scenarios. Documented vulnerabilities in Python can lead to excessive parsing times in some cases, which could in turn cause timeouts or crashes and thus a DoS attack vector for some systems.

  • Calls to subprocess.check can lead to crashes of diffoscope: When the diffoscope function needs to compare complex file formats and archives, it uses the Python subprocess module to call external programs (such as xz or apktool). Because of how these functions handle errors, diffoscope can crash if subprocess exits unsuccessfully. Attackers could use malicious files to trigger such an abnormal exit, effectively crashing diffoscope. In addition, simple forms of argument injection could trigger unexpected return codes.
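The first finding turns on skipping sections by name prefix. The following is an added example written for this summary, not diffoscope's own code: it constructs two minimal ELF64 images that differ only inside .debug_info, parses their section header tables, and shows that a comparison honouring a .debug/.zdebug skip list reports no difference while a full section comparison does. The names build_minimal_elf64, elf_sections, differing_sections and DEBUG_SKIP are chosen here, and the two images are constructed samples, not real binaries.

```python
"""Section-aware ELF comparison, with and without skipping .debug*/.zdebug*
sections. Added example for this summary; it is not diffoscope's own code."""
import struct

SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
ELF64_SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr, little-endian, 64 bytes


def build_minimal_elf64(sections):
    """Build a tiny ELF64 relocatable image from [(name, payload)] pairs.
    Constructed only to give the parser realistic input; it is not loadable."""
    shstrtab = bytearray(b"\0")          # section-name string table
    name_off = {"": 0}
    for name, _ in sections:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\0"
    name_off[".shstrtab"] = len(shstrtab)
    shstrtab += b".shstrtab\0"

    body, entries = bytearray(), []      # entries: (name, sh_type, offset, size)
    for name, payload in sections:       # section payloads follow the 64-byte header
        entries.append((name, SHT_PROGBITS, 64 + len(body), len(payload)))
        body += payload
    entries.append((".shstrtab", SHT_STRTAB, 64 + len(body), len(shstrtab)))
    body += shstrtab

    shoff, shnum = 64 + len(body), len(entries) + 1   # +1 for the null header
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # 64-bit, LE, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0,
                                 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = bytearray(64)                # mandatory SHT_NULL entry at index 0
    for name, sh_type, off, size in entries:
        shdrs += struct.pack(ELF64_SHDR, name_off[name], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return bytes(ehdr + body + shdrs)


def elf_sections(blob):
    """Return {name: content} for every non-null section of an ELF64 LE image."""
    if blob[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", blob, 40)          # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", blob, 58)
    hdrs = [struct.unpack_from(ELF64_SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = blob[str_off:str_off + str_size]
    sections = {}
    for name_idx, sh_type, _flags, _addr, off, size, *_ in hdrs:
        if sh_type == SHT_NULL:
            continue
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        sections[name] = blob[off:off + size]
    return sections


def differing_sections(a, b, skip_prefixes=()):
    """Names of sections whose bytes differ (or exist on one side only),
    ignoring any name that starts with one of skip_prefixes."""
    sa, sb = elf_sections(a), elf_sections(b)
    diffs = []
    for name in sorted(set(sa) | set(sb)):
        if name.startswith(tuple(skip_prefixes)):
            continue
        if name not in sa or name not in sb or sa[name] != sb[name]:
            diffs.append(name)
    return diffs


DEBUG_SKIP = (".debug", ".zdebug")  # the prefixes the audit says were skipped

# Constructed pair: identical code, one byte changed inside the debug section.
ORIGINAL = build_minimal_elf64([(".text", b"\x90\x90\xc3"),
                                (".debug_info", b"constructed debug payload")])
MODIFIED = build_minimal_elf64([(".text", b"\x90\x90\xc3"),
                                (".debug_info", b"constructed debug payloaD")])

if __name__ == "__main__":
    print("skipping .debug*:", differing_sections(ORIGINAL, MODIFIED, DEBUG_SKIP))
    print("all sections:   ", differing_sections(ORIGINAL, MODIFIED))
```

The cheapest backstop is a whole-file hash: if two files are not byte-identical, a report of "no differences" is wrong by definition, whatever section-level filtering the detailed comparison applies.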
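The second finding is about feeding untrusted XML to the standard library parser. The following added example, again not diffoscope's code, puts a cheap guard in front of xml.dom.minidom: it enforces a size ceiling and refuses any document that declares a DTD, which is where entity declarations live, before the parser ever sees it. MAX_XML_BYTES, UnsafeXML, parse_xml_guarded, is_accepted and xml_to_text are names and limits assumed here, and the two documents are constructed samples.

```python
"""Guard stdlib XML parsing against DTD/entity-expansion input before it
reaches xml.dom.minidom. Added example, not diffoscope's code; the constant,
exception and function names are assumptions made here."""
import re
import xml.dom.minidom

MAX_XML_BYTES = 4 * 1024 * 1024  # assumed ceiling; tune to the artifacts you compare
# Entity declarations (the mechanism behind expansion-based parsing blowups) and
# external entity references both live in a DOCTYPE; build-artifact XML rarely has one.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised instead of handing a suspicious document to the parser."""


def parse_xml_guarded(data: bytes, max_bytes: int = MAX_XML_BYTES) -> xml.dom.minidom.Document:
    """Parse with minidom only after linear-time checks on the raw bytes."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document is {len(data)} bytes, limit is {max_bytes}")
    if _DOCTYPE_RE.search(data):
        raise UnsafeXML("document declares a DTD; entity expansion is not allowed here")
    return xml.dom.minidom.parseString(data)


def is_accepted(data: bytes, max_bytes: int = MAX_XML_BYTES) -> bool:
    """True if the guard lets the document through to the parser.
    Malformed (non-DTD) XML still raises the parser's own error."""
    try:
        parse_xml_guarded(data, max_bytes)
        return True
    except UnsafeXML:
        return False


def xml_to_text(data: bytes) -> str:
    """How a comparison tool might use the guard: pretty-print the document for
    diffing, or emit the refusal as ordinary output instead of hanging or crashing."""
    try:
        return parse_xml_guarded(data).toprettyxml(indent="  ")
    except UnsafeXML as exc:
        return f"[xml not parsed: {exc}]"


# Constructed samples: a plain manifest and one carrying an internal DTD.
BENIGN = b'<?xml version="1.0"?><manifest><file name="a.txt"/></manifest>'
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE m [<!ENTITY e "x">]><m>&e;</m>'

if __name__ == "__main__":
    print(xml_to_text(BENIGN))
    print(xml_to_text(WITH_DTD))
```

Rejecting every DOCTYPE is deliberately coarse: it also refuses harmless documents that reference a DTD, which is the right trade for artifacts that are compared, not validated. The stdlib-only approach is used so the example runs without extra packages; the defusedxml package is the usual drop-in when a third-party dependency is acceptable.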
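The third finding is about an external helper's non-zero exit propagating as a crash. The following added example, not diffoscope's code, shows the wrapper shape that avoids it: the tool is invoked as an argument list rather than a shell string, the file name is placed after a "--" separator, check=False and a timeout turn failure into a result value, and a missing tool is reported rather than raised. ToolResult, run_tool and describe are names chosen here; the demo uses the running Python interpreter as a stand-in tool so it runs offline anywhere.

```python
"""Run an external helper (the way a comparison tool shells out to xz, apktool,
etc.) without letting its failure crash the caller. Added example, not
diffoscope's code; ToolResult, run_tool and describe are names chosen here."""
import shutil
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ToolResult:
    ok: bool
    returncode: Optional[int]  # None when the tool never ran to completion
    stdout: bytes
    stderr: bytes
    error: str = ""


def run_tool(argv, path, timeout=60.0):
    """argv: the tool and its fixed options as a list, never a shell string, so
    the file name is a single argument that no shell re-parses. '--' ends option
    parsing for tools that honour it, so a file called '-x' cannot be read as a
    flag. check=False turns a non-zero exit into data rather than an exception."""
    if shutil.which(argv[0]) is None:
        return ToolResult(False, None, b"", b"", f"{argv[0]} is not installed")
    try:
        proc = subprocess.run([*argv, "--", path], capture_output=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return ToolResult(False, None, b"", b"", f"{argv[0]} timed out after {timeout}s")
    except OSError as exc:  # e.g. permission problems on the tool itself
        return ToolResult(False, None, b"", b"", str(exc))
    ok = proc.returncode == 0
    return ToolResult(ok, proc.returncode, proc.stdout, proc.stderr,
                      "" if ok else f"{argv[0]} exited with status {proc.returncode}")


def describe(result):
    """One line a report can carry in place of a traceback."""
    return "ok" if result.ok else f"tool failure: {result.error}"


# Constructed demo commands use the running interpreter as the "tool",
# so the example works offline on any platform.
PY = sys.executable

if __name__ == "__main__":
    good = run_tool([PY, "-c", "import sys; print(sys.argv[-1])"], "sample.bin")
    bad = run_tool([PY, "-c", "import sys; sys.exit(3)"], "sample.bin")
    missing = run_tool(["no-such-tool-for-this-example"], "sample.bin")
    for r in (good, bad, missing):
        print(describe(r), r.stdout.strip())
```

A caller that compares two files can now record "tool failure" for one side and keep going, which is also the behaviour you want when the failure was provoked by a deliberately crafted input: the comparison report, not a traceback, is where that anomaly should surface.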

In addition to these three “medium-severity” risks, Security Research Labs also identified one vulnerability flagged as “informational,” related to uses of custom CSS in the HTML outputs of diffoscope differential reports.

Remediation

Auditors confirmed that the Reproducible Builds team fixed the XML parsing vulnerability (a “medium-level” issue), as well as the “informational-level” issue. The team acknowledged and accepted the risk of the other vulnerabilities.
