Attack on SolarWinds could have been countered by reproducible builds

David A. Wheeler dwheeler at dwheeler.com
Wed Jan 13 16:28:55 UTC 2021


I just posted, on The Linux Foundation blog, an article titled
"Preventing Supply Chain Attacks like SolarWinds" at:
https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/

It *prominently* notes the need for reproducible builds.

Ximin Luo:
> From my experience working in R-B, media chatter isn't sufficient to overcome engineering inertia.

I don’t agree, because there’s been almost no media chatter. There’s been very little attention paid to reproducible builds by the media. SolarWinds is a big deal, yet journalists have generally failed to mention reproducible builds when discussing SolarWinds (probably because they don’t understand R-B). Yes, there are exceptions, but it *should* be mentioned in every story. It’s understandable that the journalists first focused on “what happened”, but I would like the discussion to start moving to “what should happen in the future to help counter its recurrence?”

> There's a lot of tunnel vision and arrogant engineers in upstream toolchain projects nitpicking at technical crap that doesn't matter, when we submit patches. To advance reproducible builds, this social issue has to be addressed somehow ...
> Of course maintaining a FOSS project is also thankless work, so understandably some engineers are more conservative and grumble about outsiders. At some point it becomes obstructionism though. I don't know enough about who is getting paid by $BIGCO vs who is getting zilch, to comment on which specific projects have which problems. It is a broad-spectrum thing that goes across the board.

To be fair, those engineers are being asked to do far more than they have time for, *AND* they're asked to produce high-quality results. I don't approve of arrogance, but I *do* appreciate that they have to say "no" a lot. Which is why r-b needs *more* media attention; those engineers need to prioritize what's important, and so we need to make it clearer that this is important.

--- David A. Wheeler
