The Open Source Software Security Mobilization Plan

Chris Lamb chris at
Wed May 25 13:00:18 UTC 2022

Hey Larry,

> [..]

Sorry for the delay in replying to this thread. I had accidentally
misfiled this outside of my "reply to these emails" folder.

Anyway, I hear your frustration that reproducible builds was not
mentioned in this document. And I may also have smirked at the
"Macintosh" in the file's Creator header... even though that's probably
a pretty cheap shot given the way that corporate communications are
handled these days. :)

I'll only add that I really hope that all of the energy being put into
improving open source software supply chains doesn't split into two
separate camps: one focused on vaguely accreditation-like efforts
(SBOMs, lists of approved/assured/vetted software packages, badge
programmes, etc.), and another camp focused on systemic/structural
changes to the supply chain itself... an inchoate group of ideas and
practices into which I would lump reproducible builds.

> The document does list 79 human names under "This document was authored
> with the support and collaboration of the following individuals."  If any
> of you have a relationship with any of those people, maybe you can remind
> them about the importance of the reproducible builds effort.

Clearly, there's a lot we can all work together towards, so making
kindly & friendly overtures to anyone you have a good connection with
would be quite welcome from my point of view.

Best wishes,

    ⬋   ⬊      Chris Lamb
   o     o 💠
    ⬊   ⬋

More information about the rb-general mailing list