<div dir="ltr">You could also suggest this for addition to the OpenSSF Badge Program.   <a href="https://www.bestpractices.dev/en">https://www.bestpractices.dev/en</a><div><br></div><div>It likely would need to be at a new, higher level rather than gold.  Other things in this ecosystem like in-toto attestations, etc. could likely also be added there.   </div><div><br></div><div>Thanks,</div><div>Justin</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 26, 2024 at 3:24 AM Bernhard M. Wiedemann via rb-general <<a href="mailto:rb-general@lists.reproducible-builds.org">rb-general@lists.reproducible-builds.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
At our summit in Hamburg we discussed that r-b should be listed as a <br>
recommendation or requirement in new standards to encourage people to <br>
ensure builds are reproducible.<br>
<br>
<br>
Via [1] I found 3 relevant standards:<br>
<br>
* NIST Secure Software Development Framework = <br>
<a href="https://csrc.nist.gov/Projects/ssdf" rel="noreferrer" target="_blank">https://csrc.nist.gov/Projects/ssdf</a><br>
* OpenSSF Scorecard = <a href="https://openssf.org/resources/guides/" rel="noreferrer" target="_blank">https://openssf.org/resources/guides/</a><br>
* SLSA (Supply Chain Levels for Software Artifacts Framework)<br>
<br>
<br>
SLSA level 4 already lists reproducible builds as optional/recommended<br>
= <a href="https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds" rel="noreferrer" target="_blank">https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds</a><br>
<br>
<br>
NIST <br>
<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf" rel="noreferrer" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf</a> <br>
has on page 16:<br>
> PO.3.2: Follow recommended security practices to<br>
> deploy, operate, and maintain tools and toolchains.<br>
<br>
> Example 4: Implement the technologies and processes needed for reproducible<br>
> builds.<br>
<br>
<br>
In the OpenSSF docs, I found<br>
<a href="https://github.com/ossf/scorecard/blob/main/docs/checks.md" rel="noreferrer" target="_blank">https://github.com/ossf/scorecard/blob/main/docs/checks.md</a><br>
but I think it should be promoted in other contexts there, too.<br>
<br>
<br>
Ciao<br>
Bernhard M.<br>
<br>
[1] <br>
<a href="https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html" rel="noreferrer" target="_blank">https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html</a><br>
</blockquote></div>