<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">All:</div>
<div class=""><br class=""></div>
<div class="">There’s been a recently revealed attack on the SolarWinds product “Orion”, a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.</div>
<div class=""><br class=""></div>
<div class="">According to SANS, "SolarWinds has published limited information in which they state they believe the build environment was compromised.” <a href="https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/" class="">https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/</a></div>
<br class="">
Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
<div class=""><br class=""></div>
<div class="">I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds are clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!</div>
<div class=""><div class=""><br class=""></div>
<div class="">--- David A. Wheeler</div>
<div class=""><br class=""></div></div>
<div class="">PS: Here are some articles about the attack on SolarWinds:</div>
<div class=""><a href="https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/" class="">https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/</a></div>
<div class=""><a href="https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html" class="">https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html</a></div>
<div class=""><a href="https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html" class="">https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html</a></div>
<div class=""><a href="https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now" class="">https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now</a></div>
<div class=""><a href="https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/" class="">https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/</a></div>
<div class=""><br class=""></div>
</body></html>