r-b as a recommendation in standards

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu Sep 26 07:24:44 UTC 2024


Hi,

At our summit in Hamburg we discussed that r-b should be listed as a 
recommendation or requirement in new standards to encourage people to 
ensure builds are reproducible.


Via [1] I found 3 relevant standards:

* NIST Secure Software Development Framework = 
https://csrc.nist.gov/Projects/ssdf
* OpenSSF Scorecard = https://openssf.org/resources/guides/
* SLSA (Supply Chain Levels for Software Artifacts Framework)


SLSA level 4 already lists reproducible builds as optional/recommended
= https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds


NIST 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf 
has on page 16:
> PO.3.2: Follow recommended security practices to
> deploy, operate, and maintain tools and toolchains.

> Example 4: Implement the technologies and processes needed for reproducible
> builds.


In the OpenSSF docs, I found
https://github.com/ossf/scorecard/blob/main/docs/checks.md
but I think it should be promoted in other contexts there, too.


Ciao
Bernhard M.

[1] 
https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html
