The Open Source Software Security Mobilization Plan
chris at reproducible-builds.org
Wed May 25 13:00:18 UTC 2022
Sorry for the delay in replying to this thread. I had accidentally
misfiled this outside of my "reply to these emails" folder.

Anyway, I hear your frustration that reproducible builds was not
mentioned in this document. And I may also have smirked at the
"Macintosh" in the file's Creator header... even though that's probably
a pretty cheap shot given the way that corporate communications are
handled these days. :)

I'll only add that I really hope that all of the energy being put into
improving open source software supply chains doesn't split into two
separate camps: one focused on vaguely accreditation-like efforts
(SBOMs, lists of approved/assured/vetted software packages, badge
programmes, etc.), and another camp focused on systemic/structural
changes to the supply chain itself... an inchoate group of ideas and
practices into which I would lump reproducible builds.

> The document does list 79 human names under "This document was authored
> with the support and collaboration of the following individuals." If any
> of you have a relationship with any of those people, maybe you can remind
> them about the importance of the reproducible builds effort.

Clearly, there's a lot we can all work together towards, so making
kindly & friendly overtures to anyone you have a good connection with
would be quite welcome from my point of view.
Chris Lamb
reproducible-builds.org 💠