New research paper about Reproducible-Builds at the 44th IEEE Symposium on Security and Privacy

Marcel Fourné email at marcelfourne.de
Sat Jul 1 09:34:39 UTC 2023


As promised, you can now find the video recording of the talk online at https://www.youtube.com/watch?v=H0A2cSejlZ4 - please do tell me if I got anything wrong, so I can fix it in my dissertation. :)


On Fri, 2023-06-16, at 11:03:20 +0200, Marcel Fourné wrote:
> Dear all,
> 
> as some of you may know, since I worked with you on this, we just released our paper
> "It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"
> at IEEE S&P 2023 (informally "Oakland", https://sp2023.ieee-security.org/program-papers.html) and presented a short talk about it at the symposium.
> While a talk recording may be published in the future, I want to share the final paper with you all, including an additional appendix:
> 
> https://publications.teamusec.de/2023-oakland-repro/
> 
> The focus of the paper is about security aspects of reproducible builds and why we need them as a prerequisite for any software supply chain security not founded on signing and trusting binaries of which we don't know how they were created.
> I hope for further feedback from you and just liked the interest from people during the conference - being encouraged to ramble about SBOMs on stage, how they behave more like hopefully kept up-to-date documentation.
> 
> Anyway, I hope to be of help and thank those of you who helped me compile this paper specifically as well as all of you for your interest and other work!
> 
> Cheers
> Marcel
> 
> [N.B.: I had to change my previous mail address due to procmail rules and forgot to subscribe the new one. This is a repost of my initial mail.]

-- 
Marcel FOURNÉ

Please note that I honour and respect boundaries around personal
time, well-being, care-taking and the rest.
Should you receive correspondence from me during a time that you're
engaging in any of the above, please protect your time and wait to
respond until you're next working or in front of a PC.
Prioritize joy and not e-mail when and where you can.
