Attack on SolarWinds could have been countered by reproducible builds

Justin Cappos justincappos at gmail.com
Tue Dec 22 06:51:09 UTC 2020


On Tue, Dec 22, 2020 at 4:58 AM David A. Wheeler <dwheeler at dwheeler.com>
wrote:

> On Dec 21, 2020, at 1:58 PM, Santiago Torres-Arias <santiago at archlinux.org>
> wrote:
>
> > I agree that we need more visibility on the reprobuilds aspect of this
> > compromise.
>
> I don’t think it’s visible to *reporters* though.
>

Just to chime in here, I've been interviewed by a few journalists on the
topic (Yahoo Finance
<https://finance.yahoo.com/news/why-russias-massive-cyberattack-is-especially-insidious-222912267.html>,
Crains
<https://www.crainsnewyork.com/technology/no-evidence-city-was-cyberhacked-despite-work-breached-company>,
with more hopefully coming out).  I mentioned repro builds, etc. to them
and really stressed it with verification as the solution, but they just
didn't use this in their stories.  I think the problem is that it's hard
enough to explain to a general audience, where their story focus is more on
the problem and who might be behind it than any potential solution.

On another note, I would say this is an ideal time to engage the broader
academic / open source communities about reproducible builds.  I started a
paper draft a few years ago (
https://github.com/JustinCappos/reproduciblebuildpaper ), but there was a
loss of momentum.  Perhaps it is time to consider brushing it off or
starting something new?

Thanks,
Justin