Presented by

  • Vagrant Cascadian

    Vagrant strives to make Reproducible Builds a best-practices reality for everyone. Vagrant discovered free software late last millennium and has been contributing to free software since the beginning of this millennium. A long-time Debian Developer and contributor to Guix, tinkering with ARM and RISC-V systems. At Portland's Free Geek, Vagrant dove into life as a free software developer, rebuilding electronic waste with FOSS, modifying or developing new software as needed. That led to exciting work helping coordinate LTSP development shared between several different operating systems. That sense of open collaboration has been a life-long habit. Vagrant contrasts spending too much time on computers with bicycle commuting, aikido and a DIY solar hobby.


Corrupted build environments can deliver compromised cryptographically signed binaries. Several exploits in critical supply chains have been demonstrated in recent years, proving that this is not just theoretical. Even the best-secured build environments are still single points of failure when they fail. In 1984, Ken Thompson presented "Reflections on trusting trust", which described an attack on a build toolchain that would be impossible to detect through source code review ... in the decades since, what has been done to actually mitigate these types of attacks? Work in the Reproducible Builds and Bootstrappable Builds communities has been progressing steadily in recent years, and can be used to significantly reduce the risks of "Trusting Trust" and other supply chain attacks, by making it possible to independently review not only the end result, but the entire toolchain used to build a given artifact. This talk will focus on the state of the art from several angles in related Free and Open Source Software projects: what works, current challenges, and future plans for building trustworthy toolchains you do not need to trust.