<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Dec 22, 2020 at 4:58 AM David A. Wheeler <<a href="mailto:dwheeler@dwheeler.com">dwheeler@dwheeler.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><br><div><br><blockquote type="cite"><div>On Dec 21, 2020, at 1:58 PM, Santiago Torres-Arias <<a href="mailto:santiago@archlinux.org" target="_blank">santiago@archlinux.org</a>> wrote:</div><div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">I agree that we need more visibility on the reprobuilds aspect of this</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">compromise.</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"></div></blockquote><div><br></div><div>I don’t think it’s visible to *reporters* though.</div></div></div></blockquote><div><br></div><div>Just to chime in here, I've been interviewed by a few journalists on the topic ( <a href="https://finance.yahoo.com/news/why-russias-massive-cyberattack-is-especially-insidious-222912267.html">Yahoo Finance</a>, <a href="https://www.crainsnewyork.com/technology/no-evidence-city-was-cyberhacked-despite-work-breached-company">Crains</a>, with more hopefully coming out).  I mentioned repro builds, etc. to them and really stressed it with verification as the solution but they just didn't use this in their stories.  I think the problem is that it's hard enough to explain to a general audience where their story focus is more on the problem and who might be behind it than any potential solution.</div><div><br></div><div>On another note, I would say this is an ideal time to engage the broader academic / open source communities about reproducible builds.  I started a paper draft a few years ago ( <a href="https://github.com/JustinCappos/reproduciblebuildpaper">https://github.com/JustinCappos/reproduciblebuildpaper</a> ), but there was a loss of momentum.  Perhaps it is time to consider brushing it off or starting something new?</div><div><br></div><div>Thanks,</div><div>Justin</div></div></div>