Thanks for this info! RB work can be a slog through annoying technical details, so confirmation of its important always helps lift my spirits. Its definitely good fodder for getting funding for related work.
.hc David A. Wheeler:
All: There’s been a recently-revealed attack on the SolarWinds product “Orion", a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning. According to SANS, "SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds). I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice! --- David A. Wheeler PS: Here are some articles about the attack on SolarWinds: https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ <https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/> https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html <https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html> https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html <https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html> https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now <https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now> https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/ <https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/>
-- PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556