News: Reproducible builds recommended as an "advanced" recommended mitigation by the US government's "Securing the Software Supply Chain: Recommended Practices Guide for Developers"

David A. Wheeler dwheeler at dwheeler.com
Fri Sep 2 15:59:29 UTC 2022


FYI:

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released a document called "Securing the Software Supply Chain: Recommended Practices Guide for Developers" as part of their Enduring Security Framework (ESF) work:
https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF

It *expressly* recommends having reproducible builds as part of "advanced" recommended mitigations (along with hermetic builds). PDF page 35 (labelled page 31) says:
"Reproducible builds provide additional protection and validation against attempts to compromise build systems. They ensure the binary products of each build system match: i.e., they are built from the same source, regardless of variable metadata such as the order of input files, timestamps, locales, and paths. Reproducible builds are those where re-running the build steps with identical input artifacts results in bit-for-bit identical output. Builds that cannot meet this must provide a justification why the build cannot be made reproducible."

Their press release is here:
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/

--- David A. Wheeler
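The check implied by the quoted definition ("re-running the build steps with identical input artifacts results in bit-for-bit identical output"), as an added example that is not part of David's post or of the ESF guide: two toy "build" functions, one that embeds the wall-clock time and the build directory into its output, one that pins the timestamp through SOURCE_DATE_EPOCH and records a canonical path instead of the real one. The checker builds twice in different directories, with a different TZ and locale on the second run, and compares digests. The "source", the file names, the function names and the SOURCE_DATE_EPOCH value are all constructed for the example.

```sh
#!/bin/sh
# Added example: a minimal bit-for-bit reproducibility check.
# Nothing here is from the ESF guide or the rb-general post; the "build"
# functions are stand-ins for a real build step.
set -eu

# Constructed sample "source" (an assumption, not a real project).
SRC='int main(void) { return 0; }'

# naive_build OUTDIR
# Embeds variable metadata (wall-clock time in the current locale/TZ and the
# absolute build path), so two builds of the same source differ.
naive_build() {
  dir=$1
  mkdir -p "$dir"
  {
    printf 'built-at=%s\n' "$(date)"
    printf 'built-in=%s\n' "$dir"
    printf '%s\n' "$SRC"
  } > "$dir/out.bin"
}

# reproducible_build OUTDIR
# Same output, but the timestamp comes from SOURCE_DATE_EPOCH (any fixed value
# works; 1662134369 is arbitrary here) and the recorded path is canonical.
reproducible_build() {
  dir=$1
  mkdir -p "$dir"
  {
    printf 'built-at=%s\n' "${SOURCE_DATE_EPOCH:-1662134369}"
    printf 'built-in=%s\n' "/build"
    printf '%s\n' "$SRC"
  } > "$dir/out.bin"
}

# digest FILE: hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS/BSD).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_reproducible BUILD_FN
# Runs BUILD_FN twice: in two different directories, the second time with a
# different time zone and locale. Returns 0 if the outputs are bit-for-bit
# identical, 1 otherwise (printing the differing lines to stderr).
check_reproducible() {
  fn=$1
  work=$(mktemp -d)
  "$fn" "$work/a"
  ( TZ=Asia/Tokyo LC_ALL=C "$fn" "$work/b" )
  a=$(digest "$work/a/out.bin")
  b=$(digest "$work/b/out.bin")
  if [ "$a" = "$b" ]; then
    rm -rf "$work"
    return 0
  fi
  diff "$work/a/out.bin" "$work/b/out.bin" >&2 || true
  rm -rf "$work"
  return 1
}

# Stand-alone demonstration.
if check_reproducible naive_build; then
  echo "naive_build: reproducible"
else
  echo "naive_build: NOT reproducible"
fi
if check_reproducible reproducible_build; then
  echo "reproducible_build: reproducible"
else
  echo "reproducible_build: NOT reproducible"
fi
```

The same shape works for a real build: replace the two functions with the real build command, keep the second run in a different directory, TZ and locale (and ideally on a different machine), and compare digests of every produced artifact rather than a single file. A build that cannot pass this check is exactly the case the guide asks to be justified.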


