r-b as a recommendation in standards

Justin Cappos jc4946 at nyu.edu
Thu Sep 26 14:21:48 UTC 2024


You could also suggest this for addition to the OpenSSF Badge Program.
https://www.bestpractices.dev/en

It likely would need to be at a new, higher level rather than gold.  Other
things in this ecosystem like in-toto attestations, etc. could likely also
be added there.

Thanks,
Justin

On Thu, Sep 26, 2024 at 3:24 AM Bernhard M. Wiedemann via rb-general <
rb-general at lists.reproducible-builds.org> wrote:

> Hi,
>
> On our summit in Hamburg we discussed that r-b should be listed as a
> recommendation or requirement in new standards to encourage people to
> ensure builds are reproducible.
>
>
> Via [1] I found 3 relevant standards:
>
> * NIST Secure Software Development Framework =
> https://csrc.nist.gov/Projects/ssdf
> * OpenSSF Scorecard = https://openssf.org/resources/guides/
> * SLSA (Supply Chain Levels for Software Artifacts Framework)
>
>
> SLSA level4 already lists reproducible builds as optional/recommended
> = https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds
>
>
> NIST
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
> has on page 16:
> > PO.3.2: Follow recommended security practices to
> > deploy, operate, and maintain tools and toolchains.
>
> > Example 4: Implement the technologies and processes needed for
> > reproducible builds.
>
>
> In the OpenSSF docs, I found
> https://github.com/ossf/scorecard/blob/main/docs/checks.md
> but I think it should be promoted in other contexts there, too.
>
>
> Ciao
> Bernhard M.
>
> [1]
> https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html
>