[Git][reproducible-builds/reproducible-website][master] 2 commits: Remove FOSDEM talk entirely as the tense/context is too weird to get right - I...
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Feb 7 22:16:48 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
aaadce95 by Chris Lamb at 2024-02-07T14:13:56-08:00
Remove FOSDEM talk entirely as the tense/context is too weird to get right - I will do a separate post tomorrow on the blog.
- - - - -
c00c750e by Chris Lamb at 2024-02-07T14:16:37-08:00
published as https://reproducible-builds.org/reports/2024-01/
- - - - -
1 changed file:
- _reports/2024-01.md
Changes:
=====================================
_reports/2024-01.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2024"
month: "01"
title: "Reproducible Builds in January 2024"
-draft: true
+draft: false
+date: 2024-02-07 22:16:37
---
[![]({{ "/images/reports/2024-01/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
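Review bot: The new `date: 2024-02-07 22:16:37` line carries no timezone offset, so Jekyll will interpret it in whatever timezone the site is configured for rather than as UTC; the value matches the commit timestamp (`2024-02-07T14:16:37-08:00`, i.e. 22:16:37 UTC), so appending the offset as `date: 2024-02-07 22:16:37 +0000` would make the published time unambiguous across site builds.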
@@ -12,25 +13,9 @@ draft: true
---
-### Upcoming presentation at FOSDEM 2024
-
-FIXME: I find this heading confusing as FOSDEM is just over. Also we should somehow convey that there were more talks at FOSDEM bout r-b, eg https://fosdem.org/2024/schedule/event/fosdem-2024-1769-reproducible-builds-for-confidential-computing-why-remote-attestation-is-worthless-without-it/ plus there was a whole SBOM track too.
-
-[![]({{ "/images/reports/2024-01/fosdem.jpeg#right" | relative_url }})](https://fosdem.org/2024/schedule/event/fosdem-2024-3353-reproducible-builds-the-first-ten-years/)
-
-Core Reproducible Builds developer Holger Levsen presented at the main track at [FOSDEM](https://fosdem.org/2024/) on Saturday 3rd February on the topic of ***Reproducible Builds: The First Ten Years***:
-
-> In this talk Holger 'h01ger' Levsen will give an overview about Reproducible Builds: How it started with a small BoF at DebConf13 (and before), then grew from being a Debian effort to something many projects work on together, until in 2021 it was mentioned in an Executive Order of the President of the United States. And of course, the talk will not end there, but rather outline where we are today and where we still need to be going, until Debian stable (and other distros!) will be 100% reproducible, verified by many.
->
-> h01ger has been involved in reproducible builds since 2014 and so far has set up automated reproducibility testing for Debian, Fedora, Arch Linux, FreeBSD, NetBSD and coreboot.
-
-More information can be found [on FOSDEM's page for the talk](https://fosdem.org/2024/schedule/event/fosdem-2024-3353-reproducible-builds-the-first-ten-years/).
-
-<br>
-
### "How we executed a critical supply chain attack on PyTorch"
-[John Stawinski](https://johnstawinski.com/) and [Adnan Khan](https://adnanthekhan.com/) published a lengthy blog post detailing [how they executed a supply-chain attack](https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/) against [PyTorch](https://pytorch.org/), a machine learning platform "used by titans like Google, Meta, Boeing, and Lockheed Martin":
+[John Stawinski](https://johnstawinski.com/) and [Adnan Khan](https://adnanthekhan.com/) published a lengthy blog post detailing [how they executed a supply-chain attack](https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/) against [PyTorch](https://pytorch.org/), a popular machine learning platform "used by titans like Google, Meta, Boeing, and Lockheed Martin":
> Our exploit path resulted in the ability to upload malicious [PyTorch](https://pytorch.org/) releases to GitHub, upload releases to [Amazon Web Services], potentially add code to the main repository branch, backdoor PyTorch dependencies – the list goes on. **In short, it was bad. Quite bad.**
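Review bot: Dropping the whole FOSDEM section also drops the FIXME's two pointers that are not captured anywhere else in the report, namely the "Reproducible builds for confidential computing: why remote attestation is worthless without it" talk (https://fosdem.org/2024/schedule/event/fosdem-2024-1769-reproducible-builds-for-confidential-computing-why-remote-attestation-is-worthless-without-it/) and the separate SBOM track; since the commit message defers FOSDEM coverage to a follow-up blog post, it would be worth carrying those two references into that post's notes so they are not lost. The unrelated one-word change on the PyTorch line ("a machine learning platform" to "a popular machine learning platform") is bundled into the same hunk; it is harmless, but keeping copy-edits in their own commit makes the history easier to read.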
@@ -46,7 +31,7 @@ On our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general
Called [`archlinux-userland-fs-cmp`](https://github.com/kpcyrd/archlinux-userland-fs-cmp), the tool is "supposed to be used from a rescue image (any Linux) with an Arch install mounted to, [for example], `/mnt`." Crucially, however, "at no point is any file from the mounted filesystem eval'd or otherwise executed. Parsers are written in a memory safe language."
-More information about the tool can be found [on their announcement message](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003232.html), as well as on the [tool's homepage](https://github.com/kpcyrd/archlinux-userland-fs-cmp). Also available is a [GIF of the tool in action](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5).
+More information about the tool can be found [on their announcement message](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003232.html), as well as on the [tool's homepage](https://github.com/kpcyrd/archlinux-userland-fs-cmp). A [GIF of the tool in action](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5) is also available.
<br>
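Review bot: The reworded sentence still calls the linked asciinema.org recording a "GIF", but asciinema.org hosts asciicast terminal recordings played in its web player, not GIF images; since the sentence is being touched anyway, "A [recording of the tool in action](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5) is also available." would describe the link accurately.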
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d2d89b638cf8582d0adf8061cca2685a6e51e972...c00c750e6588ad6675816915d135f16367467153