<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style data-premailer="ignore" type="text/css">

a { color: #1068bf; }

</style>

<style>img {

max-width: 100%; height: auto;

}

body {

font-size: 0.875rem;

}

body {

-webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px;

}

body {

font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans", Ubuntu, Cantarell, "Helvetica Neue", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: inherit;

}

</style>

</head>

<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans", Ubuntu, Cantarell, "Helvetica Neue", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";'>

<div class="content">

<h3 style="margin-top: 20px; margin-bottom: 10px;">

Vagrant Cascadian pushed to branch master at <a href="https://salsa.debian.org/reproducible-builds/reproducible-website" style="color: #1068bf;">Reproducible Builds / reproducible-website</a>

</h3>

<h4 style="margin-top: 10px; margin-bottom: 10px;">

Commits:

</h4>

<ul>

<li>

<strong style="font-weight: bold;"><a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/12ce43eeac7d6e223cd9e7714f870dd91f01dfdd" style="color: #1068bf;">12ce43ee</a></strong>

<div>

<span> by Vagrant Cascadian </span> <i> at 2022-10-05T15:16:00-07:00 </i>

</div>

<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: #fafafa; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dbdbdb;'>2022-09: Fix David A. Wheeler's name.

</pre>

</li>

<li>

<strong style="font-weight: bold;"><a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f3df1f54ac91e07e3362163e70211ca239837ab4" style="color: #1068bf;">f3df1f54</a></strong>

<div>

<span> by Vagrant Cascadian </span> <i> at 2022-10-05T15:17:02-07:00 </i>

</div>

<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: #fafafa; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dbdbdb;'>2022-09: Drop needless "however", fix a couple typos.

</pre>

</li>

</ul>

<h4 style="margin-top: 10px; margin-bottom: 10px;">

1 changed file:

</h4>

<ul>

<li class="file-stats">

<a href="#43cdce09a5486536728bfcd242c8d248da6b3bad" style="color: #1068bf;">

_reports/2022-09.md

</a>

</li>

</ul>

<h4 style="margin-top: 10px; margin-bottom: 10px;">

Changes:

</h4>

<li id="43cdce09a5486536728bfcd242c8d248da6b3bad">

<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/33474f9f7c550b41ca88c9206dfe9d5df71be707...f3df1f54ac91e07e3362163e70211ca239837ab4#43cdce09a5486536728bfcd242c8d248da6b3bad" style="color: #1068bf;"><strong style="font-weight: bold;">_reports/2022-09.md</strong></a>

<hr style="overflow: hidden; border: 1px solid #e1e1e1;">

<table class="code white" style="border-spacing: 0; border-collapse: collapse; width: auto; font-family: monospace; font-size: 90%;" bgcolor="#fff" width="100%" cellpadding="0" cellspacing="0">

<tr class="line_holder match" style="line-height: 1.6;">

<td class="diff-line-num unfold js-unfold old_line" data-linenumber="14" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">...</td>

<td class="diff-line-num unfold js-unfold new_line" data-linenumber="14" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">...</td>

<td class="line_content match" style="color: rgba(0,0,0,0.3); padding: inherit;" bgcolor="#fafafa">@@ -14,7 +14,7 @@ Welcome to the September 2022 report from the [Reproducible Builds]({{ "/" | rel</td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="14" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

14

</td>

<td class="new_line diff-line-num" data-linenumber="14" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

14

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC14" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="15" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

15

</td>

<td class="new_line diff-line-num" data-linenumber="15" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

15

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC15" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">![</span><span class="p">](</span><span class="sx" style="color: #d14;">{{</span> <span class="nn" style="color: #555;">"/images/reports/2022-09/nsa.png#right"</span> | relative_url }})](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/)</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="16" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

16

</td>

<td class="new_line diff-line-num" data-linenumber="16" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

16

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC16" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder old" style="line-height: 1.6;">

<td class="old_line diff-line-num old" data-linenumber="17" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

17

</td>

<td class="new_line diff-line-num old" data-linenumber="17" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

</td>

<td class="line_content old" style="padding: inherit;" bgcolor="#fbe9eb"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>-<span id="LC17" class="line" lang="markdown">David Wheeler reported to us that the US National Security Agency (<span class="p">[</span><span class="nv" style="color: #008080;">NSA</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/National_Security_Agency</span><span class="p">)</span>), Cybersecurity and Infrastructure Security Agency (<span class="p">[</span><span class="nv" style="color: #008080;">CISA</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency</span><span class="p">)</span>) and the Office of the Director of National Intelligence (<span class="p">[</span><span class="nv" style="color: #008080;">ODNI</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/Director_of_National_Intelligence</span><span class="p">)</span>) have released a document called <span class="p">[</span><span class="nv" style="color: #008080;">*Securing the Software Supply Chain: Recommended Practices Guide for Developers*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF</span><span class="p">)</span> <span class="p">(</span><span class="sx" style="color: #d14;">PDF</span><span class="p">)</span>.</span>

</pre></td>

</tr>

<tr class="line_holder new" style="line-height: 1.6;">

<td class="old_line diff-line-num new" data-linenumber="18" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

</td>

<td class="new_line diff-line-num new" data-linenumber="17" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

17

</td>

<td class="line_content new" style="padding: inherit;" bgcolor="#ecfdf0"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>+<span id="LC17" class="line" lang="markdown">David <span class="idiff left right addition" style="background-color: #c7f0d2;">A. </span>Wheeler reported to us that the US National Security Agency (<span class="p">[</span><span class="nv" style="color: #008080;">NSA</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/National_Security_Agency</span><span class="p">)</span>), Cybersecurity and Infrastructure Security Agency (<span class="p">[</span><span class="nv" style="color: #008080;">CISA</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency</span><span class="p">)</span>) and the Office of the Director of National Intelligence (<span class="p">[</span><span class="nv" style="color: #008080;">ODNI</span><span class="p">](</span><span class="sx" style="color: #d14;">https://en.wikipedia.org/wiki/Director_of_National_Intelligence</span><span class="p">)</span>) have released a document called <span class="p">[</span><span class="nv" style="color: #008080;">*Securing the Software Supply Chain: Recommended Practices Guide for Developers*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF</span><span class="p">)</span> <span class="p">(</span><span class="sx" style="color: #d14;">PDF</span><span class="p">)</span>.</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="18" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

18

</td>

<td class="new_line diff-line-num" data-linenumber="18" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

18

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC18" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="19" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

19

</td>

<td class="new_line diff-line-num" data-linenumber="19" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

19

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC19" class="line" lang="markdown">As David <span class="p">[</span><span class="nv" style="color: #008080;">remarked in his post to our mailing list</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002684.html</span><span class="p">)</span>, it "<span class="ge" style="font-style: italic;">*expressly*</span> recommends having reproducible builds as part of 'advanced' recommended mitigations". The publication of this document has been accompanied <span class="p">[</span><span class="nv" style="color: #008080;">by a press release</span><span class="p">](</span><span class="sx" style="color: #d14;">https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/</span><span class="p">)</span>.</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="20" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

20

</td>

<td class="new_line diff-line-num" data-linenumber="20" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

20

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC20" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder match" style="line-height: 1.6;">

<td class="diff-line-num unfold js-unfold old_line" data-linenumber="30" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">...</td>

<td class="diff-line-num unfold js-unfold new_line" data-linenumber="30" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">...</td>

<td class="line_content match" style="color: rgba(0,0,0,0.3); padding: inherit;" bgcolor="#fafafa">@@ -30,9 +30,9 @@ More details can be found in the `README.md` file [within the code repository](h</td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="30" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

30

</td>

<td class="new_line diff-line-num" data-linenumber="30" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

30

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC30" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="31" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

31

</td>

<td class="new_line diff-line-num" data-linenumber="31" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

31

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC31" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">![</span><span class="p">](</span><span class="sx" style="color: #d14;">{{</span> <span class="nn" style="color: #555;">"/images/reports/2022-09/bestpractice.png#right"</span> | relative_url }})](https://bestpractices.coreinfrastructure.org/en)</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="32" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

32

</td>

<td class="new_line diff-line-num" data-linenumber="32" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

32

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC32" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder old" style="line-height: 1.6;">

<td class="old_line diff-line-num old" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

33

</td>

<td class="new_line diff-line-num old" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

</td>

<td class="line_content old" style="padding: inherit;" bgcolor="#fbe9eb"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>-<span id="LC33" class="line" lang="markdown">David Wheeler also pointed out that there are some potential upcoming changes to the <span class="p">[</span><span class="nv" style="color: #008080;">OpenSSF Best Practices</span><span class="p">](</span><span class="sx" style="color: #d14;">https://bestpractices.coreinfrastructure.org/en</span><span class="p">)</span> badge for open source software in relation to reproducibility. Whilst the badge programme has <span class="p">[</span><span class="nv" style="color: #008080;">three certification levels</span><span class="p">](</span><span class="sx" style="color: #d14;">https://bestpractices.coreinfrastructure.org/en/criteria</span><span class="p">)</span> <span class="p">(</span><span class="sx" style="color: #d14;">"passing",</span> <span class="nn" style="color: #555;">"silver"</span> and "gold"), the "gold" level includes the criterion that "The project MUST have a reproducible build".</span>

</pre></td>

</tr>

<tr class="line_holder new" style="line-height: 1.6;">

<td class="old_line diff-line-num new" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

</td>

<td class="new_line diff-line-num new" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

33

</td>

<td class="line_content new" style="padding: inherit;" bgcolor="#ecfdf0"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>+<span id="LC33" class="line" lang="markdown">David <span class="idiff left right addition" style="background-color: #c7f0d2;">A. </span>Wheeler also pointed out that there are some potential upcoming changes to the <span class="p">[</span><span class="nv" style="color: #008080;">OpenSSF Best Practices</span><span class="p">](</span><span class="sx" style="color: #d14;">https://bestpractices.coreinfrastructure.org/en</span><span class="p">)</span> badge for open source software in relation to reproducibility. Whilst the badge programme has <span class="p">[</span><span class="nv" style="color: #008080;">three certification levels</span><span class="p">](</span><span class="sx" style="color: #d14;">https://bestpractices.coreinfrastructure.org/en/criteria</span><span class="p">)</span> <span class="p">(</span><span class="sx" style="color: #d14;">"passing",</span> <span class="nn" style="color: #555;">"silver"</span> and "gold"), the "gold" level includes the criterion that "The project MUST have a reproducible build".</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

34

</td>

<td class="new_line diff-line-num" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

34

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC34" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder old" style="line-height: 1.6;">

<td class="old_line diff-line-num old" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

35

</td>

<td class="new_line diff-line-num old" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: inherit;" align="right" bgcolor="#f9d7dc">

</td>

<td class="line_content old" style="padding: inherit;" bgcolor="#fbe9eb"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>-<span id="LC35" class="line" lang="markdown"><span class="idiff left deletion" style="background-color: #fac5cd;">However, </span><span class="p">[</span><span class="nv" style="color: #008080;">David reported</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002696.html</span><span class="p">)</span> that some projects have argued that this reproducibility criterion should be slightly relaxed as outlined in an <span class="p">[</span><span class="nv" style="color: #008080;">issue on the `best-practices-badge`</span><span class="p">](</span><span class="sx" style="color: #d14;">https://github.com/coreinfrastructure/best-practices-badge/issues/1865</span><span class="p">)</span> GitHub project. Essentially, though, the claim is that the reproducibility requirement doesn't make sense for projects that do not release built software, and that timestamp differences by <span class="ge" style="font-style: italic;">*themselves*</span> don't necessarily indicate malicious changes. Numerous pragm<span class="idiff right deletion" style="background-color: #fac5cd;">i</span>tic problems around excluding timestamps we raised in the discussion of the issue.</span>

</pre></td>

</tr>

<tr class="line_holder new" style="line-height: 1.6;">

<td class="old_line diff-line-num new" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

</td>

<td class="new_line diff-line-num new" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: inherit;" align="right" bgcolor="#ddfbe6">

35

</td>

<td class="line_content new" style="padding: inherit;" bgcolor="#ecfdf0"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'>+<span id="LC35" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">David reported</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002696.html</span><span class="p">)</span> that some projects have argued that this reproducibility criterion should be slightly relaxed as outlined in an <span class="p">[</span><span class="nv" style="color: #008080;">issue on the `best-practices-badge`</span><span class="p">](</span><span class="sx" style="color: #d14;">https://github.com/coreinfrastructure/best-practices-badge/issues/1865</span><span class="p">)</span> GitHub project. Essentially, though, the claim is that the reproducibility requirement doesn't make sense for projects that do not release built software, and that timestamp differences by <span class="ge" style="font-style: italic;">*themselves*</span> don't necessarily indicate malicious changes. Numerous pragm<span class="idiff left addition" style="background-color: #c7f0d2;">a</span>tic problems around excluding timestamps we<span class="idiff right addition" style="background-color: #c7f0d2;">re</span> raised in the discussion of the issue.</span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

36

</td>

<td class="new_line diff-line-num" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

36

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC36" class="line" lang="markdown"></span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

37

</td>

<td class="new_line diff-line-num" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

37

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC37" class="line" lang="markdown"><span class="p">---</span></span>

</pre></td>

</tr>

<tr class="line_holder" style="line-height: 1.6;">

<td class="old_line diff-line-num" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

38

</td>

<td class="new_line diff-line-num" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: inherit;" align="right" bgcolor="#fafafa">

38

</td>

<td class="line_content" style="padding: inherit;"><pre style='display: block; font-size: 0.8125rem; color: #303030; position: relative; font-family: "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; word-break: break-all; word-wrap: break-word; background-color: inherit; border-radius: 2px; margin: 0; padding: 0; border: inherit solid #dbdbdb;'> <span id="LC38" class="line" lang="markdown"></span>

</pre></td>

</tr>

</table>

<br>

</li>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/33474f9f7c550b41ca88c9206dfe9d5df71be707...f3df1f54ac91e07e3362163e70211ca239837ab4" style="color: #1068bf;">View it on GitLab</a>..

<br>

You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://salsa.debian.org" style="color: #1068bf;">salsa.debian.org</a>. <a href="https://salsa.debian.org/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link" style="color: #1068bf;">Manage all notifications</a> · <a href="https://salsa.debian.org/help" target="_blank" rel="noopener noreferrer" class="help-link" style="color: #1068bf;">Help</a>

</p>

</div>

</body>

</html>