[Git][reproducible-builds/reproducible-website][master] 6 commits: feat: Add user stories
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Fri Nov 29 13:34:26 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
22598fe6 by Mariano Giménez at 2024-11-29T13:30:49+00:00
feat: Add user stories
- Add user stories data and include user stories in index page
- Update how section and add sidebar
- - - - -
fb1cb173 by Mariano Giménez at 2024-11-29T13:30:49+00:00
chore: fix styling and syntax errors
- - - - -
2ff18799 by Alex Feyerke at 2024-11-29T13:30:49+00:00
refactor: inline the user stories since we’ll only need them once
- - - - -
c3a62234 by Alex Feyerke at 2024-11-29T13:30:49+00:00
feat: improve r-b benefit cards on index page (why r-b matter)
- - - - -
02cf3048 by Alex Feyerke at 2024-11-29T13:30:49+00:00
feat: add user-specific benefit cards to index page
- - - - -
9678ab2d by Alex Feyerke at 2024-11-29T13:30:49+00:00
feat: reinstate old index page lead text as new introductory page in the docs and link on index page with a big cta
- - - - -
6 changed files:
- _data/docs.yml
- + _data/reasons-for-rb.yml
- + _data/user-stories.yml
- + _docs/which-problems-do-reproducible-builds-solve.md
- assets/styles/components.scss
- index.md
Changes:
=====================================
_data/docs.yml
=====================================
@@ -1,5 +1,6 @@
- title: Introduction
docs:
+ - which-problems-do-reproducible-builds-solve
- definition
- history
- buy-in
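Review bot: the new slug is inserted ahead of `definition`, so the Introduction sidebar now opens with the threat narrative before the term itself is defined; confirm that ordering is intended rather than placing it after `definition`. The slug does match the `permalink` declared in the new `_docs/which-problems-do-reproducible-builds-solve.md` (`/docs/which-problems-do-reproducible-builds-solve/`), so the sidebar link will resolve.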
=====================================
_data/reasons-for-rb.yml
=====================================
@@ -0,0 +1,17 @@
+cards:
+ - emoji: "🔒"
+ title: "Security & Trust"
+ description: "Reproducible Builds let third parties make sure that software hasn’t been altered, increasing **safety and reliability**."
+ - emoji: "🔬"
+ title: "Transparency in Development"
+ description: "Reproducible Builds make sure that developers’ code always works the same way, which makes the software more **consistent and trustworthy**."
+ - emoji: "🏰"
+ title: "Protection of Build Infrastructure"
+ description: "Attacks on build systems and supply chains can affect many users. Reproducible builds **detect unauthorized changes** to the build process early."
+ - emoji: "📜"
+ title: "Regulatory Compliance & Licensing"
+ description: "Reproducible Builds **ensure software complies with licenses** and industry standards by proving that binaries match their source code."
+ - emoji: "🛡️"
+ title: "Increased Resilience Against Attacks"
+ description: "Reproducible Builds **protect developers from targeted attacks** by allowing third-party verification of their software, preventing your projects from being compromised."
+
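Review bot: several card descriptions promise more than reproducibility delivers, and two of them contradict the docs page added in this same push. "Increased Resilience Against Attacks" says reproducible builds are "preventing your projects from being compromised", and "Protection of Build Infrastructure" says they "detect unauthorized changes to the build process": the second is the accurate framing (the new docs page itself says "any compromise can be quickly detected"), so the first should be reworded to detection, e.g. "allowing third parties to detect tampered binaries". "Regulatory Compliance & Licensing" claims to "ensure software complies with licenses"; a bit-for-bit match between binary and source supports compliance evidence (e.g. that a shipped binary corresponds to published source) but does not ensure compliance, so "help demonstrate" would be more defensible. "Transparency in Development" says "developers' code always works the same way", which is a statement about runtime behaviour, not about the build producing identical output; suggest "the same source always produces the same binary". Minor: "Reproducible builds" is lower-cased in one card and capitalised in the others, and the final `+` line adds a trailing blank line to the file.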
=====================================
_data/user-stories.yml
=====================================
@@ -0,0 +1,18 @@
+cards:
+ - emoji: "🔒"
+ title: "End User"
+ description: "**Reproducible Builds** ensure that the software you trust is both safe and verifiable. They do this by verifying that the binaries that you download match the original, untampered source code. For security-related tools, this means high confidence that your data and communications are protected against hidden backdoors or vulnerabilities. "
+ cta: "When choosing the software for your critical tasks, opt for projects that advertise their builds as reproducible. You can see which technologies are using deterministic builds in our [success stories](https://reproducible-builds.org/success-stories/)"
+ - emoji: "💻"
+ title: "Software Developer"
+ description: "**Reproducible Builds** elevate deterministic builds by making the build process independently verifiable by anyone. This means others can confirm your binaries match the source code exactly, fostering trust, improving debugging, speeding up builds, and demonstrating your commitment to high standards. It also allows the development of extremely concise and easily verifiable patches for any version of your software, eg. for customers that have high security requirements and need to audit every release they make."
+ cta: "[The Commandments of Reproducible Builds](https://reproducible-builds.org/docs/commandments/) are a good place to start your journey."
+ - emoji: "🛠️"
+ title: "Tech CTO / Project Lead"
+ description: "**Reproducible Builds** add a strong layer of security to your build pipelines, enabling independent audits and ensuring every binary matches the source code. They're a powerful tool for mitigating risks in your software supply chain, simplifying regulatory and license compliance, verifying SBOMs, and aligning your engineering practices with the highest standards. For a CTO, it's an investment in resilience and trust."
+ cta: "Read on to learn about [planning to make your builds reproducible](https://reproducible-builds.org/docs/plans/)"
+ - emoji: "📜"
+ title: "Tech CEO / Project Owner"
+ description: "**Reproducible Builds** demonstrate your company's commitment to best-in-class processes and trustworthiness by guaranteeing the integrity of your software. Your software is enhanced with verifiable proof of consistency, giving customers confidence that your product is secure and transparent. Your supply chain and your developers are much better protected against a variety of attacks. This positions your company at the leading edge of accountability, setting you apart in competitive markets and building lasting relationships with users and stakeholders. "
+ cta: "Find out more about [the high-level benefits of Reproducible Builds](https://reproducible-builds.org/docs/buy-in/)"
+
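Review bot: the "End User" description says reproducible builds give "high confidence that your data and communications are protected against hidden backdoors or vulnerabilities", but reproducibility only shows that the downloaded binary corresponds to the published source; a vulnerability present in that source is reproduced faithfully, so the claim should be limited to tampering between source and binary (the new docs page in this push phrases it correctly as "no vulnerabilities or backdoors have been introduced during this compilation process"). The "Software Developer" card lists "speeding up builds" as a benefit without support anywhere on the page; either drop it or explain the mechanism. Same card: "eg." should be "e.g.", and "every release they make" has an unclear referent (the customers do not make the releases). Punctuation is inconsistent across the `cta` strings: the "End User", "Tech CTO" and "Tech CEO" CTAs end without a full stop while the "Software Developer" one has it, and the "End User" and "Tech CEO" descriptions end with a trailing space inside the quoted string. The 🔒 and 📜 emoji are also already used for cards in `_data/reasons-for-rb.yml`, so the two card sets will show duplicate icons on the same index page.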
=====================================
_docs/which-problems-do-reproducible-builds-solve.md
=====================================
@@ -0,0 +1,19 @@
+---
+title: Which problems do Reproducible Builds Solve?
+layout: docs
+permalink: /docs/which-problems-do-reproducible-builds-solve/
+---
+
+<span class="lead">Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.</span>
+
+**This incentivises attacks** on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.
+
+This is particularly a concern for developers collaborating on **privacy or security software**: attacking these typically result in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.
+
+Whilst individual developers are a natural target, it additionally encourages **attacks on build infrastructure** as a successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.
+
+**The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.**
+
+This ability to notice if a developer or build system has been compromised then prevents such threats or attacks occurring in the first place, as any compromise can be quickly detected. As a result, front-liners cannot be threatened/coerced into exploiting or exposing their colleagues.
+
+[Several free software projects](/who/projects) already provide reproducible builds, or will do soon.
\ No newline at end of file
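Review bot: the link `[Several free software projects](/who/projects)` hard-codes an absolute path and drops the trailing slash, whereas the text it was moved from in `index.md` used `{{ "/who/projects/" | relative_url }}`; keep the `relative_url` form so the page still works when the site is served under a base URL, and keep the trailing slash to avoid a redirect. A few grammar slips carried over from the old index text could be fixed while moving it: "most software is distributed pre-compiled with no method to confirm whether they correspond" has no antecedent for "they" (suggest "whether the two correspond"), "attacking these typically result in" should be "results in", and "invisible to its original authors" should be "their original authors". The front-matter `title` mixes cases ("Which problems do Reproducible Builds Solve?"); pick either sentence case or title case. The file is also committed without a trailing newline.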
=====================================
assets/styles/components.scss
=====================================
@@ -122,3 +122,86 @@
background-color: $oc-gray-2 !important;
padding: .2em !important;
}
+
+.tinted-icon {
+ width: 100px;
+ height: 100px;
+ font-size: 60px;
+ background-color: #c3ccd5;
+ filter: sepia(1) hue-rotate(180deg);
+}
+
+.big-cta {
+ color: white;
+ display: flex;
+ align-items: center;
+ margin: 0 15px;
+ transition: transform 0.25s;
+ width: 100%;
+ &:hover {
+ transform: scale(1.01);
+ color: white;
+ .point {
+ transform: scale(1.1);
+ }
+ }
+ .card-body {
+ background-color: $primary;
+ display: flex;
+ gap: 2em;
+ align-items: center;
+ justify-content: space-between;
+ width: 100%;
+ flex-direction: column;
+ strong {
+ display:block;
+ }
+
+ @media (min-width: 576px) {
+ flex-direction: row;
+ }
+ }
+ .cta-text {
+ flex-shrink: 100;
+ }
+ .point {
+ content: "";
+ width: 4em;
+ height: 4em;
+ border-radius: 50%;
+ background: white;
+ display: flex;
+ justify-content: center;
+ align-items: center;
+ transition: transform 0.25s;
+ &:before {
+ content: "";
+ display: block;
+ background-color: $primary;
+ width: 2em;
+ height: 2em;
+ transform: rotate(45deg);
+ margin-left: -0.5em;
+ }
+ &:after {
+ content: "";
+ display: block;
+ background-color: white;
+ width: 1.5em;
+ height: 1.5em;
+ transform: rotate(45deg);
+ position: absolute;
+ margin-left: -1.75em;
+ }
+ }
+}
+
+ at media (min-width: 992px) {
+ .offset-boxes {
+ padding-bottom: 4em;
+ .col-lg-6:nth-child(even) {
+ margin-top: 4em;
+ margin-bottom: -2.5em !important;
+ }
+ }
+}
\ No newline at end of file
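Review bot: `content: "";` on `.point` itself (the first declaration in that block) has no effect, since `content` only applies to `::before`/`::after` pseudo-elements; it should be removed so it does not suggest the element renders something. The `&:after` rule uses `position: absolute` while `.point` is never given `position: relative`, so the pseudo-element is positioned against whichever ancestor happens to be positioned and currently only lands correctly because no offsets are set; adding `position: relative;` to `.point` makes the layout intentional. The mailing-list archive shows the final block as `at media (min-width: 992px)`, which is the list software's address munging of `@media`; please confirm the committed file really contains `@media`, as the `.offset-boxes` rules are unreachable otherwise. Style nits: `display:block;` lacks the space after the colon used everywhere else, `color: white` is used in `.big-cta` where the surrounding file uses theme variables such as `$primary` and `$oc-gray-2`, and the file is committed without a trailing newline.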
=====================================
index.md
=====================================
@@ -12,12 +12,10 @@ permalink: /
<a href="{{ "/" | relative_url }}">
<img class="mb-4 img-fluid" src="{{ "/assets/images/logo-text-white.png" | relative_url }}" alt="Reproducible Builds" />
</a>
-
<p class="lead mt-5 pt-5 pb-5">
<strong>Reproducible builds</strong> are a set of software development
practices that create an independently-verifiable path from source
to binary code.
-
<small class="d-none d-sm-inline">
(<a href="{{ "/docs/definition/" | relative_url }}">more</a>)
</small>
@@ -28,90 +26,108 @@ permalink: /
{% include nav_buttons.html %}
-## Why does it matter?
-
-Whilst anyone may inspect the source code of free and open source software for
-malicious flaws, most software is distributed pre-compiled with no method to
-confirm whether they correspond.
-
-This incentivises attacks on developers who release software, not only via
-traditional exploitation, but also in the forms of political influence,
-blackmail or even threats of violence.
-
-This is particularly a concern for developers collaborating on privacy or
-security software: attacking these typically result in compromising
-particularly politically-sensitive targets such as dissidents, journalists and
-whistleblowers, as well as anyone wishing to communicate securely under a
-repressive regime.
-
-Whilst individual developers are a natural target, it additionally encourages
-attacks on build infrastructure as a successful attack would provide access to
-a large number of downstream computer systems. By modifying the generated
-binaries here instead of modifying the upstream source code, illicit changes
-are essentially invisible to its original authors and users alike.
-
-The motivation behind the **Reproducible Builds** project is therefore to allow
-verification that no vulnerabilities or backdoors have been introduced during
-this compilation process. By promising identical results are always
-generated from a given source, this allows multiple third parties to come
-to a consensus on a "correct" result, highlighting any deviations as suspect
-and worthy of scrutiny.
-
-This ability to notice if a developer or build system has been compromised
-then prevents such threats or attacks occurring in the first place, as any
-compromise can be quickly detected. As a result, front-liners cannot be
-threatened/coerced into exploiting or exposing their colleagues.
-
-[Several free software projects]({{ "/who/projects/" | relative_url }})
-already, or will soon, provide reproducible builds.
-
-## How?
-
-First, the **build system** needs to be made entirely deterministic:
-transforming a given source must always create the same result. For example,
-the current date and time must not be recorded and output always has to be
-written in the same order.
-
-Second, the set of tools used to perform the build and more generally the
-**build environment** should either be recorded or pre-defined.
-
-Third, users should be given a way to recreate a close enough build
-environment, perform the build process, and **validate** that the output matches
-the original build.
-
-Learn more about [how to make your software build reproducibly…]({{ "/docs" | relative_url }})
-
-## Recent monthly reports
-
-<ul class="list-unstyled">
- {% assign reports = site.reports | sort: 'year, month' | where: 'draft', 'false' | reverse %}
- {% for x in reports limit: 3 %}
- <li>
- <span class="text-muted">{{ x.date | date: "%b %-d, %Y" }}</span>:
- <a href="{{ x.url | relative_url }}">{{ x.title }}</a>
- </li>
+<div class="row justify-content-center">
+ <h2 class="text-center mb-4">Why Reproducible Builds Matter</h2>
+ <p class="mb-4"><strong>In short: </strong>Reproducible Builds provide certainty that software is genuine and has not been tampered with.</p>
+ <div class="row justify-content-center">
+ {% for card in site.data.reasons-for-rb.cards %}
+ <div class="col-lg-4 col-md-6 col-sm-12 mb-4 d-flex">
+ <div class="card h-100 shadow-sm">
+ <div class="card-body">
+ <div
+ class="d-flex justify-content-center align-items-center p-3 rounded-circle mx-auto tinted-icon"
+ >
+ {{ card.emoji }}
+ </div>
+ <h3 class="card-title mt-3">{{ card.title }}</h3>
+ <p class="card-text text-left">{{ card.description | markdownify }}</p>
+ </div>
+ </div>
+ </div>
{% endfor %}
-</ul>
-
-([See all reports…]({{ "/news/" | relative_url }}))
-
-## Recent news
+ </div>
+</div>
-<ul class="list-unstyled">
- {% assign posts = site.posts | where: 'draft', 'false' %}
- {% for x in posts limit: 3 %}
- <li>
- <span class="text-muted">{{ x.date | date: "%b %-d, %Y" }}</span>:
- <a href="{{ x.url | relative_url }}">{{ x.title }}</a>
- </li>
+<div class="row justify-content-center">
+ <h2 class="text-center mb-5">Reproducible Builds and You</h2>
+ <div class="row justify-content-start offset-boxes">
+ {% for card in site.data.user-stories.cards %}
+ <div class="col-lg-6 col-md-6 col-sm-12 mb-4 d-flex">
+ <div class="card h-100 shadow-sm">
+ <div class="card-body">
+ <h3 class="card-title mt-0">{{ card.title }}</h3>
+ <p class="card-text text-left">{{ card.description | markdownify }}</p>
+ <p class="card-text text-left"><strong>{{ card.cta | markdownify }}</strong></p>
+ </div>
+ </div>
+ </div>
{% endfor %}
-</ul>
-
-([See all…]({{ "/news/" | relative_url }}))
+ </div>
+ <a href="/docs/which-problems-do-reproducible-builds-solve/" class="big-cta card">
+ <div class="card-body">
+ <div class="cta-text"><strong>Protect developers, safeguard privacy, and ensure trust in software.</strong>Discover how Reproducible Builds help you defend against threats and empower secure collaboration.</div>
+ <div class="point"></div>
+ </div>
+ </a>
+</div>
+<div class="container my-5">
+ <div class="row">
+ <!-- How section -->
+ <div class="col-md-8">
+ <h2 class="mb-4">How does it work?</h2>
+ <p>
+ First, the <strong>build system</strong> needs to be made entirely deterministic:
+ transforming a given source must always create the same result. For example,
+ the current date and time must not be recorded and output always has to be
+ written in the same order.
+ </p>
+ <p>
+ Second, the set of tools used to perform the build and more generally the
+ <strong>build environment</strong> should either be recorded or pre-defined.
+ </p>
+ <p>
+ Third, users should be given a way to recreate a close enough build
+ environment, perform the build process, and <strong>validate</strong> that the output matches
+ the original build.
+ </p>
+ <a href="{{ '/docs' | relative_url }}">Learn more about how to make your software build reproducibly…</a>
+ </div>
+ <!-- Sidebar: Recent Reports and News -->
+ <div class="col-md-4">
+ <div class="p-4 bg-light rounded">
+ <h3 class="mb-3">Recent Monthly Reports</h3>
+ <ul class="list-unstyled mb-4">
+ {% assign reports = site.reports | sort: 'year, month' | where: 'draft', 'false' | reverse %}
+ {% for x in reports limit: 3 %}
+ <li class="mb-2">
+ <span class="text-muted">{{ x.date | date: "%b %-d, %Y" }}</span>:
+ <a href="{{ x.url | relative_url }}">{{ x.title }}</a>
+ </li>
+ {% endfor %}
+ </ul>
+ <a href="{{ "/news/" | relative_url }}" class="btn btn-outline-primary btn-sm">See all reports</a>
+ </div>
+ <div class="p-4 bg-light rounded mt-4">
+ <h3 class="mb-3">Recent News</h3>
+ <ul class="list-unstyled mb-4">
+ {% assign posts = site.posts | where: 'draft', 'false' %}
+ {% for x in posts limit: 3 %}
+ <li class="mb-2">
+ <span class="text-muted">{{ x.date | date: "%b %-d, %Y" }}</span>:
+ <a href="{{ x.url | relative_url }}">{{ x.title }}</a>
+ </li>
+ {% endfor %}
+ </ul>
+ <a href="{{ "/news/" | relative_url }}" class="btn btn-outline-primary btn-sm">See all news</a>
+ </div>
+ </div>
+ </div>
+</div>
{% assign sponsors = site.data.sponsors.platinum | sort: 'name' %}
{% if sponsors.size != 0 %}
+
## Sponsors
We are proud to be [sponsored by]({{ "/sponsors/" | relative_url }}):
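Review bot: `<p class="card-text text-left">{{ card.description | markdownify }}</p>` (and the same pattern for `card.cta` wrapped in `<strong>`) produces invalid nesting, because `markdownify` emits its own `<p>…</p>` wrapper; the result is `<p><p>…</p></p>` and `<strong><p>…</p></strong>`, which browsers repair unpredictably and which will break the `card-text` styling. Either render `{{ card.description | markdownify }}` without the outer `<p>` and move the classes onto a wrapping `<div>`, or strip the wrapper with `| markdownify | remove: '<p>' | remove: '</p>'`. The big CTA uses a hard-coded `href="/docs/which-problems-do-reproducible-builds-solve/"` while every other link in this hunk goes through `relative_url` (e.g. `{{ '/docs' | relative_url }}`); use the same filter so the link survives a non-root base URL. Both sidebar buttons, "See all reports" and "See all news", point at `{{ "/news/" | relative_url }}`; if reports have their own listing it should be linked here, otherwise the two buttons are redundant. In the reasons cards the emoji in the `tinted-icon` div is purely decorative and is also colour-shifted by the SCSS `filter`, so it should carry `aria-hidden="true"` to stop screen readers announcing it. Finally, `<h2>` elements are placed directly inside `.row` containers (and a `.row` is nested directly in another `.row` without an intervening column), which Bootstrap's grid does not expect and which doubles the negative row margins; wrap the headings and inner rows in a `col-12` or move the headings outside the rows.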
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/7ba241717529c09d830d64228afba21c4fac3a5b...9678ab2d1ae745699021ebd7ff6bd595344183fd