[Git][reproducible-builds/reproducible-website][master] 2022-08: Re-add NSA/CISA/ODNI news item lost in drafting. Thanks, David.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Thu Sep 8 06:26:07 UTC 2022



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
f9fa3c4c by Chris Lamb at 2022-09-08T07:25:15+01:00
2022-08: Re-add NSA/CISA/ODNI news item lost in drafting. Thanks, David.

- - - - -


2 changed files:

- _reports/2022-08.md
- + images/reports/2022-08/nsa.png


Changes:

=====================================
_reports/2022-08.md
=====================================
@@ -16,17 +16,35 @@ As ever, if you are interested in contributing to the project, please visit our
 
 #### Community news
 
-* As announced last month, registration is currently **open** for our [in-person summit this year]({{ "/events/venice2022/" | relative_url }}) which is due to be held between **November 1st → November 3rd**. The event will take place in **Venice (Italy)**. Very soon we intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees. Please see the [announcement email](https://lists.reproducible-builds.org/pipermail/rb-general/2022-July/002666.html) for information about how to register.
+As announced last month, registration is currently **open** for our [in-person summit this year]({{ "/events/venice2022/" | relative_url }}) which is due to be held between **November 1st → November 3rd**. The event will take place in **Venice (Italy)**. Very soon we intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees. Please see the [announcement email](https://lists.reproducible-builds.org/pipermail/rb-general/2022-July/002666.html) for information about how to register..
+
+<br>
+
+[![]({{ "/images/reports/2022-08/nsa.png#right" | relative_url }})](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/)
+
+The US [National Security Agency](https://en.wikipedia.org/wiki/National_Security_Agency) (NSA), [Cybersecurity and Infrastructure Security Agency](https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency) (CISA) and the [Office of the Director of National Intelligence](https://en.wikipedia.org/wiki/Director_of_National_Intelligence#Office_of_the_Director_of_National_Intelligence) (ODNI) have released a document called "*Securing the Software Supply Chain: Recommended Practices Guide for Developers*" ([PDF](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF)) as part of their Enduring Security Framework (ESF) work.
+
+The document expressly recommends having reproducible builds as part of "advanced" recommended mitigations, along with hermetic builds. Page 31 (page 35 in the [PDF](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF)) says:
+
+> Reproducible builds provide additional protection and validation against attempts to compromise build systems. They ensure the binary products of each build system match: i.e., they are built from the same source, regardless of variable metadata such as the order of input files, timestamps, locales, and paths. Reproducible builds are those where re-running the build steps with identical input artifacts results in bit-for-bit identical output. Builds that cannot meet this must provide a justification why the build cannot be made reproducible.
+
+The [full press release](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/) is available online.
+
+<br>
 
 [![]({{ "/images/reports/2022-08/appfair.png#right" | relative_url }})](https://appfair.net/)
 
-* On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Marc Prud'hommeaux posted a feature request for *diffoscope* which additionally outlines a project called [The App Fair](https://appfair.net/),  an autonomous distribution network of free and open-source macOS and iOS applications, where "validated apps are then signed and submitted for publication".
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Marc Prud'hommeaux posted a feature request for *diffoscope* which additionally outlines a project called [The App Fair](https://appfair.net/),  an autonomous distribution network of free and open-source macOS and iOS applications, where "validated apps are then signed and submitted for publication".
+
+<br>
 
-* Author/blogger [Cory Doctorow](https://craphound.com/bio/) posted published a provocative blog post this month titled "[Your computer is tormented by a wicked god](https://pluralistic.net/2022/07/28/descartes-was-an-optimist/#uh-oh)". Touching on Ken Thompson's famous talk, "[Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)", the early goals of "Secure Computing" and UEFI firmware interfaces:
+Author/blogger [Cory Doctorow](https://craphound.com/bio/) posted published a provocative blog post this month titled "[Your computer is tormented by a wicked god](https://pluralistic.net/2022/07/28/descartes-was-an-optimist/#uh-oh)". Touching on Ken Thompson's famous talk, "[Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)", the early goals of "Secure Computing" and UEFI firmware interfaces:
 
 > This is the core of a two-decade-old debate among security people, and it's one that the "benevolent God" faction has consistently had the upper hand in. They're the "curated computing" advocates who insist that preventing you from choosing an alternative app store or side-loading a program is for your own good – because if it's possible for you to override the manufacturer's wishes, then malicious software may impersonate you to do so, or you might be tricked into doing so. [..] This benevolent dictatorship model only works so long as the dictator is both perfectly benevolent and perfectly competent. We know the dictators aren't always benevolent. [...] But even if you trust a dictator's benevolence, you can't trust in their perfection. Everyone makes mistakes. Benevolent dictator computing works well, but fails badly. Designing a computer that intentionally can't be fully controlled by its owner is a nightmare, because that is a computer that, once compromised, can attack its owner with impunity.
 
-* Lastly, Chengyu HAN updated the [Reproducible Builds website]({{ "/" | relative_url }}) to correct an incorrect Git command. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fc235bb9)]
+<br>
+
+Lastly, Chengyu HAN updated the [Reproducible Builds website]({{ "/" | relative_url }}) to correct an incorrect Git command. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fc235bb9)]
 
 <br>
 
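Review bot: the re-wrapped summit paragraph now ends with a doubled period ("how to register..") where the removed bullet ended with a single one; drop the extra dot. While touching the Doctorow paragraph, "posted published a provocative blog post" carries a stray verb over from the old bullet and should read "published a provocative blog post". The conversion of the bullets into `<br>`-separated paragraphs matches the existing App Fair block in the same file, so the structural change looks intentional, and the new NSA image link follows the same empty-alt-text `[![](...)]` pattern as that block.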


=====================================
images/reports/2022-08/nsa.png
=====================================
Binary files /dev/null and b/images/reports/2022-08/nsa.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f9fa3c4c301ed45bfcc1744d601ae9f0707a4c74




