The popularity and widespread use of open source software across the world has formed the basis for many important innovations in computing, but has also raised important questions: Who writes the software I am using, how is it built, and should I trust that it will do what it claims? Answering these questions becomes increasingly complex as the number of permutations of use rises. There are ongoing efforts to put more rigor around supply chain security, to begin as an industry to answer the average 742% increase in software supply chain attacks over the last 3 years.
One important aspect of software supply chain security is achieving reproducible builds of dependent software. Reproducible builds are achieved by a set of software development practices that create an independently verifiable path from source to binary code. This entails knowing the source and provenance of all dependencies, and requires a build process that can be repeated at will to produce the exact same output each time. When multiple independent organizations are able to produce the same output, consumer confidence in the result is much higher. A malicious actor seeking to alter this result would have to subvert every independent organization's processes in the same way such that each organization produces the same bad output, which can be very costly and unlikely to succeed. This makes reproducible builds a key capability in building trust in software, and Java and the JDK are no different.
Adoptium’s journey
Adoptium has been on this journey for the last few years, and has recently achieved reproducible builds for Java version 21 and version 22 across Linux, Windows and Mac. In addition to achieving reproducibility, AQAvit (the test suite used for quality assurance) has added regular and full automated verification tests that are run against every build, enabling regular reporting of regressions or other unexpected changes. Added to this set of regularly run tests is a new reproducibility test which will ensure that the ability to reproduce the Temurin OpenJDK binaries produced by Adoptium is maintained.
Reproducibility also enables comparability, where intentional variations (e.g., vendor identification strings) or updates to build systems can be accounted for when comparing two builds. This ensures a vendor build is functionally identical to a given upstream release, and no unexpected changes have been introduced. This is very important for vendors like Red Hat that wish to provide commercial support of OpenJDK.
Software supply chain security entails more than just reproducible builds, however. Source code threats, dependency threats, and distribution threats can occur at different stages of software production outside of a reproducible build system for a single component. A cross-organization, vendor-neutral steering group has developed a set of guidelines (called Supply-chain Levels for Software Artifacts, or SLSA) for supply chain security to attempt to address these kinds of threats. Adoptium has worked toward compliance with these SLSA guidelines, using much of the work done to achieve reproducibility to satisfy SLSA Level 3 compliance. In addition to SLSA, Adoptium also follows guidance from the Secure Software Development Framework (SSDF) as a basis for its secure development activities. With SSDF, Adoptium improves the software development lifecycle security of its deliverables, and with SLSA provides a concrete measure of compliance.
The future
Achieving reproducible builds provides an important benefit to open source projects looking to increase consumer confidence. Over 30 projects are currently working on providing reproducible builds, and reproducibility is being considered as a requirement for a future SLSA Level 4 compliance.
With Adoptium, the plan is to continue to ensure reproducibility for Temurin builds on the platforms that have achieved reproducibility: JDK 21 and later on Linux (x64, aarch64, ppc64le, s390x), Mac (x64 & aarch64), and Windows (x64). Depending on demand, additional platforms (e.g., AIX) may be considered in the future. Older versions of Java require significantly more work to achieve, so for now the project will focus on JDK 21 and beyond.
Understanding how consumers can benefit from reproducibility is equally as important as providing the capability itself, so the project is looking at ways to provide an informed opinion on how to consume the artifacts (binary distributions and SBOMs with a recipe for reproducibility) and best practices for further securing the supply chain, above and beyond simply consuming and verifying reproducible builds.
Summary
Red Hat believes strongly that open source innovation is critical to the success not only of Red Hat but also the communities it serves, including Adoptium. Java is a large community with many moving parts, with contributions every day from Red Hat, IBM, and many other Java community members.
With the ability to reproduce builds consistently and accurately, both Red Hat customers and the OpenJDK community benefit from truly open development, with the assurance that what runs in production is exactly what is supposed to run, no more, no less. This is critical to reducing risk in supply chain attacks and continuing the innovation that keeps Java one of the most vibrant and active communities across the world.
Last updated: July 9, 2024