r-b as a recommendation in standards
David A. Wheeler
dwheeler at dwheeler.com
Fri Oct 4 20:49:43 UTC 2024
> On Sep 26, 2024, at 3:24 AM, Bernhard M. Wiedemann via rb-general <rb-general at lists.reproducible-builds.org> wrote:
>
> Hi,
>
> On our summit in Hamburg we discussed that r-b should be listed as a recommendation or requirement in new standards to encourage people to ensure builds are reproducible.
It's not a *standard*, but the OpenSSF has a course called
"Developing Secure Software" (LFD121). If you know someone (including you!)
who develops software, but who hasn't learned how to develop *secure* software,
I *encourage* them to take the course. It's free, and its certification of completion
is free. If you're not sure, the easy way to find out is to enroll and give it
a try (did I mention it's free?):
https://training.linuxfoundation.org/training/developing-secure-software-lfd121/
I mention the LFD121 course because it has a section on hardening builds, and
it includes some information on reproducible builds. Here's some of that text:
> If an attacker manages to subvert the build process, the subverted results are often difficult to detect. A strong countermeasure to this attack is a verified reproducible build. A build is reproducible “if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts” (as defined in “Definitions” from the Reproducible Builds project). A reproducible build is also called a deterministic build. A verified reproducible build is simply a build that’s been independently verified to be a reproducible build (on different computer(s)). Verified reproducible builds make attacking the build process much harder, because the attacker must then subvert multiple independent build systems to successfully subvert building the software.
> ...
> More information on how to create reproducible builds is available; see “Documentation” from the Reproducible Builds project.
You can see the full text here:
https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#harden-the-development-environment-including-build-and-cicd-pipeline--distribution-environment
Full disclosure: I'm the lead author of LFD121. But hopefully you'll find it useful anyway :-).
I *do* want to thank the many people who reviewed it & provided helpful feedback on it.
--- David A. Wheeler
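An added illustration of the "verified reproducible build" idea quoted above: this is example code written for this page, not code from LFD121, the OpenSSF, or the Reproducible Builds project. It simulates a build step that packages a small, constructed source tree into a .tar.gz, once in a naive way that leaks wall-clock time and the builder's identity into the artifact, and once in a reproducible way (sorted entries, fixed ownership and mode, a fixed timestamp in the spirit of SOURCE_DATE_EPOCH, and a gzip header with mtime 0). A verify() helper then plays the role of the independent rebuilders: every builder rebuilds from the same source and the digests are compared, so a single subverted builder stands out as an outlier. The source tree, the epoch value, and the builder names are all assumptions made up for the example.

```python
import gzip
import hashlib
import io
import tarfile
import time
from collections import Counter

# Constructed sample source tree (file name -> contents); not a real project.
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}

# Fixed timestamp stamped into every artifact by the reproducible recipe, in
# the spirit of the SOURCE_DATE_EPOCH convention (value chosen arbitrarily).
SOURCE_DATE_EPOCH = 1_700_000_000


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _pack(source: dict, mtime: int, uname: str) -> bytes:
    """Write the source tree into an uncompressed tar stream.

    Entries are always added in sorted order so that directory-listing
    order (a common source of non-determinism) cannot leak in; the caller
    decides the remaining knobs (timestamp, ownership) that make the
    result deterministic or not.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(source):
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = uname
            info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(source: dict, builder_id: str) -> bytes:
    """Non-reproducible build: stamps the wall clock and the builder's
    identity into the tar headers, and gzip records the current time too."""
    tar_bytes = _pack(source, mtime=int(time.time()), uname=builder_id)
    return gzip.compress(tar_bytes)  # gzip header mtime defaults to "now"


def reproducible_build(source: dict, builder_id: str) -> bytes:
    """Reproducible build: same source -> same bytes, no matter who builds
    or when. builder_id is accepted only to match naive_build's signature."""
    tar_bytes = _pack(source, mtime=SOURCE_DATE_EPOCH, uname="")
    return gzip.compress(tar_bytes, mtime=0)  # mtime=0 pins the gzip header


def subverted_build(source: dict, builder_id: str) -> bytes:
    """A compromised builder: it runs the honest reproducible recipe, but on
    source it has quietly modified, so its output disagrees with honest
    rebuilds of the same source."""
    tampered = dict(source)
    tampered["src/main.c"] += b"/* injected by a compromised builder */\n"
    return reproducible_build(tampered, builder_id)


def verify(source: dict, builders: list):
    """Have each (builder_name, build_fn) rebuild independently and compare.

    Returns (all_agree, digests, outliers): digests maps builder name to the
    SHA-256 of its artifact; outliers lists builders whose digest disagrees
    with the majority. For a verified reproducible build all_agree is True.
    """
    digests = {name: sha256(fn(source, name)) for name, fn in builders}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(n for n, d in digests.items() if d != majority)
    return len(set(digests.values())) == 1, digests, outliers


if __name__ == "__main__":
    trio = lambda fn: [("ci-a", fn), ("ci-b", fn), ("ci-c", fn)]
    for label, fn in [("naive", naive_build), ("reproducible", reproducible_build)]:
        ok, _, outliers = verify(SOURCE, trio(fn))
        print(f"{label:13s} all builders agree={ok} outliers={outliers}")
    ok, _, outliers = verify(
        SOURCE,
        [("ci-a", reproducible_build), ("ci-b", reproducible_build),
         ("evil", subverted_build)],
    )
    print(f"one subverted builder: all agree={ok} outliers={outliers}")
```

The naive recipe already fails to agree between two honest builders, so its digests tell a verifier nothing about tampering; only once the honest recipe is bit-for-bit reproducible does a disagreeing digest become a signal, which is the "attacker must subvert multiple independent build systems" point made in the quoted text. In real builds the same treatment has to be applied to every layer that can embed environment state (archive metadata, compressor headers, embedded build paths and timestamps, file ordering), not just the one shown here.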