News: Reproducible builds recommended as an "advanced" recommended mitigation by the US government's "Securing the Software Supply Chain: Recommended Practices Guide for Developers"

Justin Cappos justincappos at gmail.com
Mon Sep 5 17:05:35 UTC 2022


Glad to see reproducible builds get the recognition it deserves!

Justin

On Fri, Sep 2, 2022 at 11:59 AM David A. Wheeler <dwheeler at dwheeler.com>
wrote:

> FYI:
>
> The US National Security Agency (NSA), Cybersecurity and Infrastructure
> Security Agency (CISA), and the Office of the Director of National
> Intelligence (ODNI) have released a document called "Securing the Software
> Supply Chain: Recommended Practices Guide for Developers" as part of their
> Enduring Security Framework (ESF) work:
>
> https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
>
> It *expressly* recommends having reproducible builds as part of "advanced"
> recommended mitigations (along with hermetic builds). PDF page 35 (labelled
> page 31) says:
> "Reproducible builds provide additional protection and validation against
> attempts to compromise build systems. They ensure the binary products of
> each build system match: i.e., they are built from the same source,
> regardless of variable metadata such as the order of input files,
> timestamps, locales, and paths. Reproducible builds are those where
> re-running the build steps with identical input artifacts results in
> bit-for-bit identical output. Builds that cannot meet this must provide a
> justification why the build cannot be made reproducible."
>
> Their press release is here:
>
> https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/
>
> --- David A. Wheeler
>
>
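The guide's definition quoted above (identical inputs must give bit-for-bit identical output, regardless of file order, timestamps, locales and paths) can be turned into a mechanical check. The following is an added example written for this page; it is not code from the ESF guide, from David's or Justin's mail, or from reproducible-builds.org tooling. It models a "build" as packing a constructed source tree into a tar archive, shows the usual sources of variable metadata (wall-clock timestamp, random build id, unsorted input order) beside a version that pins them using the SOURCE_DATE_EPOCH convention, and verifies reproducibility the way the definition says: run the build twice and compare the hashes.

```python
"""Added example: testing a build step against the definition of a
reproducible build (run twice on identical inputs, require identical bytes).
Illustrative code for this thread, not part of the ESF guide."""
import hashlib
import io
import tarfile
import time
import uuid

# Constructed sample "source tree": path -> contents. The mapping is
# deliberately not sorted, standing in for filesystem enumeration order.
SOURCE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all:\n\tcc -o app src/main.c\n",
    "README": b"demo project\n",
}


def build_unreproducible(sources, env):
    """A typical non-reproducible packaging step.

    It embeds the wall-clock build time and a random build id, and writes
    entries in whatever order the input mapping enumerates them.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sources.items():  # unsorted enumeration order
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(time.time())  # build-time timestamp leaks in
            tar.addfile(info, io.BytesIO(data))
        stamp = f"built={time.time_ns()} id={uuid.uuid4()}\n".encode()
        info = tarfile.TarInfo("BUILDINFO")
        info.size = len(stamp)
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def build_reproducible(sources, env):
    """The same packaging step with the variable metadata pinned.

    Inputs are sorted, the timestamp comes from SOURCE_DATE_EPOCH (the
    convention used by reproducible-builds.org tooling; env is a dict
    standing in for the process environment), ownership fields are fixed,
    and the build id is derived from the inputs instead of a random value.
    """
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    ordered = sorted(sources)
    content_id = hashlib.sha256(b"".join(sources[p] for p in ordered)).hexdigest()[:16]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in ordered:
            data = sources[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
        stamp = f"built={epoch} id={content_id}\n".encode()
        info = tarfile.TarInfo("BUILDINFO")
        info.size = len(stamp)
        info.mtime = epoch
        tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_reproducible(build, sources, env, runs=2):
    """Apply the guide's definition: identical inputs must give identical
    bytes. Returns (is_reproducible, digests) so a CI job can fail the
    build and log the differing hashes."""
    digests = [sha256(build(dict(sources), dict(env))) for _ in range(runs)]
    return len(set(digests)) == 1, digests


if __name__ == "__main__":
    # Constructed value: 2022-09-02T00:00:00Z, the date of the original mail.
    env = {"SOURCE_DATE_EPOCH": "1662076800"}
    for name, fn in (("unreproducible", build_unreproducible),
                     ("reproducible", build_reproducible)):
        ok, digests = check_reproducible(fn, SOURCE_FILES, env)
        print(f"{name}: {'OK' if ok else 'MISMATCH'} {digests}")
```

The second builder is only reproducible because every remaining input, including SOURCE_DATE_EPOCH, is recorded alongside the source: change the epoch and the output legitimately changes, which is why a verifier must be given the same environment values as the original build.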