[Git][reproducible-builds/reproducible-website][master] 2 commits: new supporter interview: improve formatting

Holger Levsen (@holger) gitlab at salsa.debian.org
Wed Nov 30 14:25:56 UTC 2022



Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website


Commits:
653e8069 by Holger Levsen at 2022-11-30T15:09:08+01:00
new supporter interview: improve formatting

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
7221d471 by Holger Levsen at 2022-11-30T15:25:42+01:00
new supporter interview: improve formatting further, add FIXMEs where still needed

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


1 changed file:

- _posts/2022-11-30-supporter-spotlight.md


Changes:

=====================================
_posts/2022-11-30-supporter-spotlight.md
=====================================
@@ -1,6 +1,6 @@
 ---
 layout: post
-title: "Supporter spotlight: David A. Wheeler"
+title: "Supporter spotlight: David A. Wheeler from the Linux Foundation"
 date: 2022-11-30 10:00:00
 categories: org
 draft: true
@@ -19,16 +19,9 @@ Today, however, we will be talking with <big>**David A. Wheeler**, the Director
 
 [![]({{ "/images/news/supporter-spotlight-david-a-wheeler/dwheeler-2003c.jpg?#right" | relative_url }})](https://FIXME.org/)
 
-**Holger: Welcome, David! Could you briefly tell me about yourself?**
+**Holger: Welcome, David, thanks for taking the time to talk with us today. First, could you briefly tell me about yourself?**
 
-Hans: Sure...
-
-<br>
-
-
-Holger: Hi David, thanks for taking the time to talk with us today. First, could you briefly tell me about yourself?
-
-Sure! I'm David A. Wheeler.
+David: Sure! I'm David A. Wheeler.
 I work for the Linux Foundation as the "Director of Open Source Supply Chain Security".
 That just means that my job is to help open source software projects
 improve their security, including its development, build, distribution,
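Review bot: the image link on the unchanged context line `[![](...)](https://FIXME.org/)` still points at the placeholder https://FIXME.org/, so the photo links nowhere useful; either set the real target or mark it with a FIXME comment so it is caught before `draft: true` is dropped. Folding the two duplicate opening questions (including the stray `Hans: Sure...`) into one bolded question with a `David:` prefix on the answer is the right cleanup.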
@@ -44,7 +37,7 @@ My PhD dissertation was on countering the "Trusting Trust" attack, an attack
 that subverts fundamental build system tools such as compilers.
 The attack was discovered by Karger & Schell in the 1970s, and later
 demonstrated & popularized by Ken Thompson.
-In my dissertation (<https://dwheeler.com/trusting-trust>) I showed that the process
+In my [dissertation 'trusting trust'](https://dwheeler.com/trusting-trust) I showed that the process
 "Diverse Double-Compiling" (DDC), which I named, could detect trusting trust attacks.
 That process is a specialized kind of reproducible build specifically designed
 to detect trusting trust style attacks. In addition, the countering the trusting trust
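Review bot: the new link text in `In my [dissertation 'trusting trust'](https://dwheeler.com/trusting-trust) I showed` reads awkwardly mid-sentence; suggest `In my [dissertation](https://dwheeler.com/trusting-trust) I showed`, since the following clause already names the trusting trust attack.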
@@ -54,9 +47,9 @@ build-time subversions.
 Most attackers wouldn't bother with a trusting trust attack if they could just
 directly use a build-tie subversion of the software they actually want to subvert.
 
+<br>
 
-
-Holger: thanks for taking the time to introduce yourself to us, David! What do you think are the biggest challenges today in computing? 
+**Holger: thanks for taking the time to introduce yourself to us, David! What do you think are the biggest challenges today in computing?**
 
 There are many big challenges in computing today. For example:
 
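Review bot: the answer following the newly bolded question still begins `There are many big challenges in computing today.` without the `David:` prefix that every other answer in this commit receives, so speaker attribution is inconsistent here; add `David: ` in front of it. The unchanged context line `build-tie subversion` is a typo for `build-time subversion` and is worth fixing in this formatting pass.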
@@ -99,11 +92,11 @@ There are many big challenges in computing today. For example:
   attacks, but their job is difficult due to inadequately secure software that doesn't
   support those monitoring & recovery efforts well either. The results are terrible security.
 
+<br>
 
+**Holger: Do you think reproducible builds are an important part in secure computing today already?**
 
-Holger: Do you think reproducible builds are an important part in secure computing today already?
-
-Yes, but let's put things in context.
+David: Yes, but let's put things in context.
 
 Today, when attackers exploit software vulnerabilities, they're primarily exploiting
 unintentional vulnerabilities that were created by the software developers.
@@ -130,10 +123,6 @@ on the software supply chain (Sonatype found a 650% increase in one year).
 
 The software supply chain hasn't historically gotten much attention, making it the easy target.
 
-----------------------begin-holger-comment------
-maybe cut something from the next 50 lines
-------------------------end-holger--------------
-
 There are simple supply chain attacks with simple solutions:
 * In almost every year the top attack has been typosquatting. In typo squatting,
   an attacker creates packages with *almost* the right name. This is an easy attack to
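Review bot: deleting the `begin-holger-comment` block drops the editorial reminder `maybe cut something from the next 50 lines` without acting on it, and unlike the other open points in this commit no FIXME replaces it; either trim the section now or leave a `FIXME` marker so the question survives until publication.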
@@ -177,14 +166,11 @@ I named and explained in my PhD dissertation, and the "bootstrappable builds" pr
 both counter trusting trust attacks in the software space. So there is no reason to lose hope;
 there is a "bottom turtle" as it were.
 
+<br>
 
-(David said above)
->> The software supply chain hasn't historically gotten much attention, making it the easy target.
-
-Holger: thankfully this slowly started to change, as evident by efforts like https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF which you shared on the r-b general list.  in there, r-b are mentioned as recommended advanced practice, which is both pretty cool (we've come a long way) but to me also sounds  like this will take another decade until it's become standard normal  procedure. do you agree on 'a decade'? :)
-
+**Holger: thankfully this slowly started to change and supply chain issues are now widely discussed, as evident by efforts like [FIXME:name](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF) which you shared on the [r-b general list](https://lists.reproducible-builds.org/listinfo/rb-general). In there, Reproducible Builds are mentioned as recommended advanced practice, which is both pretty cool (we've come a long way!) but to me also sounds  like this will take another decade until it's become standard normal  procedure. Do you agree on 'a decade'?**
 
-I don't think there will be any particular timeframe. Different projects and
+David: I don't think there will be any particular timeframe. Different projects and
 ecosystems will move at different speeds. I wouldn't be surprised if it
 took a decade of so for them to become relatively common, and there are
 good reasons for that.
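Review bot: the rewritten bolded question still carries the literal placeholder link text `[FIXME:name](https://media.defense.gov/...)` and double spaces in `also sounds  like` and `standard normal  procedure`; the link text should name the document and the double spaces should be collapsed before the draft flag is removed. The unchanged context line `took a decade of so` is a typo for `a decade or so`.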
@@ -211,11 +197,11 @@ it'll take a while to get build systems able to widely perform reproducible buil
 so we need to start that work now. That's true for anything where you know
 you'll need it but it will take a long time to get ready - you need to start now.
 
+<br>
 
+**Holger: what are your suggestions to accellerate things here?**
 
-Holger: what are your suggestions to accellerate things here?
-
-Reproducible builds need to be:
+David: Reproducible builds need to be:
 
 * Easy (ideally automatic). Tools need to be modified so that reproducible builds
   are the default or at least easier to do.
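Review bot: the bolded question keeps the misspelling `accellerate` (should be `accelerate`); since this line is rewritten anyway, fix the spelling in the same change.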
@@ -240,19 +226,18 @@ supporting some societally important critical infrastructure (e.g., running dams
 it should also be considered important. You can then work on the
 ones that are less important over time.
 
+<br>
 
+**Holger: on another topic, you're involved in, how is the [Best practices badge](https://github.com/coreinfrastructure/best-practices-badge/) going? I mean, how many projects are participating, and how many are missing?**
 
-Holger: on another topic, you're involved in, how is https://github.com/coreinfrastructure/best-practices-badge/ going? I mean, how many projects are participating, and how many are missing?
-
-It's going very well. You can see some automatically-generated statistics here:
-https://bestpractices.coreinfrastructure.org/project_stats
-We have over 5,000 projects, adding more than 1/day on average.
+David: It's going very well. You can see some [automatically-generated statistics](https://bestpractices.coreinfrastructure.org/project_stats), showing we have over 5,000 projects, adding more than 1/day on average.
 We have more than 800 projects that have earned at least the "passing" badge level.
 
-Holger: And how many of the participing ones are doing reproducible builds?
+<br>
+
+**Holger: And how many of the participing ones are doing reproducible builds?**
 
-As of 2022-09-28 there are
-168 projects that report meeting the reproducible builds criterion.
+David: As of 2022-09-28 there are 168 projects that report meeting the reproducible builds criterion.
 That's a relatively small percentage of projects. However, note that this criterion (named "build_reproducible")
 is only required for the "gold" badge. It's not required for the passing or silver level badge.
 
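Review bot: `participing` in the rewritten question should be `participating`, and `on another topic, you're involved in, how is` reads better as `on another topic you're involved in: how is`. Merging the statistics link into a single answer line with the `David:` prefix is fine.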
@@ -272,10 +257,6 @@ chemical manufacturers, financial systems, and weapons.
 We definitely encourage any of those kinds of projects to earn higher badge levels.
 
 
-Holger: David, thanks a lot for taking the time for having this discussion and giving us much food for thought!
-
-
-
 
 
 
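Review bot: removing Holger's closing thank-you leaves the post ending on `We definitely encourage any of those kinds of projects to earn higher badge levels.` with no sign-off, followed only by blank lines; if a different closing is planned, leave a FIXME there as elsewhere in this commit, and trim the trailing blank lines.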



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d5d64599e08b93709443265493205dbfd35f9ea3...7221d471ba8fcd750466398e3e3cbe697f81c1e5

-- 
You're receiving this email because of your account on salsa.debian.org.

