How could we accelerate *deployment* of verified reproducible builds?

Justin Cappos justincappos at
Sat Jan 30 11:50:29 UTC 2021

I think it would be wise to add some sort of in-toto style verification
that cryptographically checks proof that the reproducible builds were
carried out and found equal.  Without this piece, why would an attacker
with insider access even bother to go through the reproducible builds


On Sat, Jan 30, 2021 at 7:15 PM David A. Wheeler <
dwheeler at> wrote:

> My post "Preventing Supply Chain Attacks like SolarWinds” <
> prominently discusses verified reproducible builds.
> What would be especially helpful for accelerating deployment of verified
> reproducible builds in a few key places? E.g., what tools, infrastructure,
> people paid to do XYZ?
> Thanks!
> --- David A. Wheeler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the rb-general mailing list