The Open Source Software Security Mobilization Plan

Larry Doolittle larry at
Sat May 14 04:37:18 UTC 2022

Friends -

Probably a lot of you already saw headlines pointing to a 51-page
document released by the Linux Foundation and OpenSSF, titled
  The Open Source Software Security Mobilization Plan

I noticed a few interesting and/or distressing things about it.
Firstly, although they dance around all the same topics discussed here
(e.g., software supply chain, digital signatures on software releases)
not once do they mention reproducible builds.  Opportunity missed.

As I mentioned in another thread, "Stream 7: Conduct third-party code reviews"
is arguably useless without bootstrapped toolchains and reproducible builds.

Maybe technical people aren't really the target audience.
I would have hoped for a mention of Merkle trees.  Nope.

$ sha256sum White\ House\ OSS\ Mobilization\ Plan.pdf
cbb1f2ce92590a1388f249527bf55e5c3e27ec10f80c22c53fb34ab01b253bb9  White House OSS Mobilization Plan.pdf
$ pdfinfo White\ House\ OSS\ Mobilization\ Plan.pdf 
Creator:        Adobe InDesign 17.2 (Macintosh)
Producer:       Adobe PDF Library 16.0.7
CreationDate:   Wed May 11 12:39:28 2022 PDT
ModDate:        Wed May 11 12:39:29 2022 PDT
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          51
Encrypted:      no
Page size:      612 x 792 pts (letter)
Page rot:       0
File size:      540834 bytes
Optimized:      yes
PDF version:    1.7

The document does list 79 human names under "This document was authored
ith the support and collaboration of the following individuals."  If any
of you have a relationship with any of those people, maybe you can remind
them about the importance of the reproducible builds effort.

  - Larry

More information about the rb-general mailing list