Reproducible Builds in the Scala ecosystem
Deterministic builds for software written in Scala
While open source components can be audited through their public version history, there is no guarantee that the binaries actually being distributed correspond to those sources. The technique for validating this is known as "Reproducible Builds": by building the same code on independent infrastructure and checking that the results are bit-for-bit identical, you can verify that the binary artifacts have not been tampered with. This is useful both for project members who want to confirm that no malware was inserted via their CI system or a developer's build machine, and for 'external' auditors who can independently verify that the project as a whole is not compromised.
This project intends to improve Reproducible Builds for software written in the Scala language, which typically use the 'sbt' build tool. It will do so by making improvements to the sbt-reproducible-builds sbt plugin and other toolchain components such as sbt plugins and the Scala compiler, so that projects will be reproducible 'out of the box' as much as possible.
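To make the verification step described above concrete, here is an added example (not code from this page or from the sbt-reproducible-builds project): a small checker that compares two independently built JARs, reports whether their published hashes match and, when they do not, separates differing zip entry timestamps (a common source of non-determinism in JVM artifacts) from differing class contents. The JARs and their entries are constructed in memory for the demonstration.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time):
    """Constructed sample artifact: a JAR is a zip file, so build one in memory.
    `entries` maps entry name -> bytes; `date_time` is stamped on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def compare_jars(a, b):
    """Compare two independently built JARs and explain any mismatch."""
    report = {
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "content_differs": [],    # entries whose bytes differ: suspicious
        "timestamp_differs": [],  # entries that differ only in zip timestamp
        "entry_list_differs": False,
    }
    report["identical"] = report["sha256"][0] == report["sha256"][1]
    if report["identical"]:
        return report
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names_a, names_b = za.namelist(), zb.namelist()
    # Different entries, or the same entries in a different order, also break reproducibility
    report["entry_list_differs"] = names_a != names_b
    for name in sorted(set(names_a) & set(names_b)):
        if za.read(name) != zb.read(name):
            report["content_differs"].append(name)
        if za.getinfo(name).date_time != zb.getinfo(name).date_time:
            report["timestamp_differs"].append(name)
    return report


# Constructed inputs: the same compiled output built on CI and on a developer machine,
# plus a build where one class file was altered.
SOURCES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
           "example/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12}
JAR_CI = build_jar(SOURCES, (2024, 1, 1, 0, 0, 0))
JAR_LOCAL = build_jar(SOURCES, (2024, 6, 1, 12, 30, 0))
JAR_TAMPERED = build_jar({**SOURCES, "example/Main.class": b"\xca\xfe\xba\xbe" + b"\x01" * 12},
                         (2024, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print(compare_jars(JAR_CI, JAR_LOCAL))
    print(compare_jars(JAR_CI, JAR_TAMPERED))
```

A report with only `timestamp_differs` populated points at a build-tool setting to normalise, while any entry in `content_differs` needs a closer look at what produced it.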
- The project's own website: https://github.com/raboof/sbt-reproducible-builds
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).