New research paper about Reproducible Builds at the 44th IEEE Symposium on Security and Privacy

Marcel Fourné email at marcelfourne.de
Fri Jun 16 09:03:20 UTC 2023


Dear all,

As some of you may know, since I worked with you on this, we just released our paper
"It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"
at IEEE S&P 2023 (informally "Oakland", https://sp2023.ieee-security.org/program-papers.html) and presented a short talk about it at the symposium.
While a talk recording may be published in the future, I want to share the final paper with you all, including an additional appendix:

https://publications.teamusec.de/2023-oakland-repro/

The focus of the paper is on the security aspects of reproducible builds and why we need them as a prerequisite for any software supply chain security that is not founded on signing and trusting binaries without knowing how they were created.
I hope for further feedback from you, just like the interest from people during the conference, where I was encouraged to ramble about SBOMs on stage and how they behave more like documentation that is hopefully kept up to date.

Anyway, I hope to be of help and thank those of you who helped me compile this paper specifically as well as all of you for your interest and other work!

Cheers
Marcel

[N.B.: I had to change my previous mail address due to procmail rules and forgot to subscribe the new one. This is a repost of my initial mail.]
