The Open Source Software Security Mobilization Plan

David A. Wheeler dwheeler at
Wed May 25 15:01:34 UTC 2022

On May 14, 2022, at 12:37 AM, Larry Doolittle <larry at> wrote:
> Probably a lot of you already saw headlines pointing to a 51-page
> document released by the Linux Foundation and OpenSSF, titled
> The Open Source Software Security Mobilization Plan
> I noticed a few interesting and/or distressing things about it.
> Firstly, although they dance around all the same topics discussed here
> (e.g., software supply chain, digital signatures on software releases)
> not once do they mention reproducible builds. Opportunity missed.

I agree it would have been nice to have mentioned reproducible builds in the document.
That said, stream 10 specifically notes SLSA, and the current SLSA spec
at level 4 requires a "best effort" at reproducible builds. But note that the
emphasis is on changing build & distribution systems so that aspects such
as reproducible builds are the default - we don't want most developers to have
to do anything special to make reproducible builds or to detect non-reproducible builds.

> As I mentioned in another thread, "Stream 7: Conduct third-party code reviews"
> is arguably useless without bootstrapped toolchains and reproducible builds.

Not at all. The goal is *risk management*. Today the *vast* majority
of problems are unintentional vulnerabilities. The *next* most common
are simple malicious code attacks, primarily typosquatting attacks.

I'm a big believer in reproducible builds, bootstrapped toolchains, and of course
diverse double-compiling (DDC) :-). But these are strong countermeasures against
advanced attacks. We're still trying to get people to stop inserting easily-exploited
unintentional vulnerabilities, and also to update their software faster when vulnerabilities
are found. So yes, let's get those countermeasures going for advanced attacks.
But don't build the back wall high when the attacker can walk through the front door.

--- David A. Wheeler

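The "detect non-reproducible builds" check that the reply above says developers should not have to run by hand, as an added example that is not code from this thread, from the SLSA spec, or from any real project. A toy archiver stands in for a real build toolchain: the naive version dates every member with the build clock and emits members in directory-walk order, the check rebuilds the same inputs twice under different simulated conditions and compares SHA-256 digests, and the hardened version applies the reproducible-builds.org SOURCE_DATE_EPOCH convention and sorts its inputs. The source tree, the two simulated clocks and the environment dicts are constructed for the example; a real check would run the actual build twice (ideally on different hosts) and diff the artifacts with a tool such as diffoscope.

```python
"""Toy build pipeline showing why a build is non-reproducible and how the
SOURCE_DATE_EPOCH convention fixes it.  Added example, not code from the
thread, the SLSA spec, or any real project; the source tree, simulated
clocks and environment dicts below are constructed for illustration."""
import hashlib
import io
import time
import zipfile

# Constructed sample "source tree": path -> file contents.
SOURCE_TREE = {
    "bin/hello": b"#!/bin/sh\necho hello\n",
    "share/README": b"sample package\n",
}

# Two simulated wall clocks (epoch seconds), standing in for two builds run
# on different days.  Injected so the example is deterministic offline.
CLOCKS = (lambda: 1_600_000_000.0, lambda: 1_700_000_000.0)


def _pack(entries, stamp):
    """Write entries into an in-memory zip, dating every member with `stamp`
    (a (year, month, day, hour, minute, second) tuple)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=stamp)
            zf.writestr(info, data)
    return buf.getvalue()


def build_naive(source_tree, env, clock=time.time):
    """Typical default: members get the current time as their mtime and are
    emitted in whatever order the tree was walked."""
    stamp = time.gmtime(clock())[:6]
    return _pack(source_tree.items(), stamp)


def build_reproducible(source_tree, env, clock=time.time):
    """Hardened form: honour SOURCE_DATE_EPOCH for all timestamps and walk
    inputs in sorted order.  With the variable unset it falls back to the
    clock, so the check below still catches a misconfigured build environment."""
    sde = env.get("SOURCE_DATE_EPOCH")
    epoch = int(sde) if sde is not None else clock()
    stamp = time.gmtime(epoch)[:6]
    return _pack(sorted(source_tree.items()), stamp)


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def is_reproducible(build_fn, source_tree, env, clocks=CLOCKS):
    """The check: rebuild under each simulated clock, alternating the walk
    order to mimic a differently ordered directory listing, and require a
    single digest across all builds."""
    seen = set()
    items = list(source_tree.items())
    for i, clock in enumerate(clocks):
        tree = dict(items if i % 2 == 0 else reversed(items))
        seen.add(digest(build_fn(tree, env, clock=clock)))
    return len(seen) == 1


if __name__ == "__main__":
    pinned = {"SOURCE_DATE_EPOCH": "1653490894"}   # constructed pin date
    for label, fn, env in (
        ("naive", build_naive, {}),
        ("reproducible, SOURCE_DATE_EPOCH unset", build_reproducible, {}),
        ("reproducible, SOURCE_DATE_EPOCH set", build_reproducible, pinned),
    ):
        print(f"{label}: reproducible={is_reproducible(fn, SOURCE_TREE, env)}")
```

The middle case is the one worth noticing: a build system that has been made reproducible still produces differing artifacts when the environment does not pin SOURCE_DATE_EPOCH, which is why the reply argues the pinning has to happen in the build and distribution infrastructure rather than be left to each developer.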
More information about the rb-general mailing list