<div dir="ltr">I think it would be wise to add some sort of in-toto style verification that cryptographically checks proof that the reproducible builds were carried out and found equal.  Without this piece, why would an attacker with insider access even bother to go through the reproducible builds process?<div><br></div><div>Thanks,</div><div>Justin</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jan 30, 2021 at 7:15 PM David A. Wheeler <<a href="mailto:dwheeler@linuxfoundation.org">dwheeler@linuxfoundation.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">My post "Preventing Supply Chain Attacks like SolarWinds" <<a href="https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/" rel="noreferrer" target="_blank">https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/</a>> prominently discusses verified reproducible builds.<br>
<br>
What would be especially helpful for accelerating deployment of verified reproducible builds in a few key places? E.g., what tools, infrastructure, people paid to do XYZ?<br>
<br>
Thanks!<br>
<br>
--- David A. Wheeler<br>
<br>
</blockquote></div>