Glad to see reproducible builds get the recognition they deserve!

Justin
On Fri, Sep 2, 2022 at 11:59 AM David A. Wheeler <dwhee...@dwheeler.com> wrote:
> FYI:
>
> The US National Security Agency (NSA), Cybersecurity and Infrastructure
> Security Agency (CISA), and the Office of the Director of National
> Intelligence (ODNI) have released a document called "Securing the Software
> Supply Chain: Recommended Practices Guide for Developers" as part of their
> Enduring Security Framework (ESF) work:
>
> https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
>
> It *expressly* recommends having reproducible builds as part of "advanced"
> recommended mitigations (along with hermetic builds). PDF page 35 (labelled
> page 31) says:
>
> "Reproducible builds provide additional protection and validation against
> attempts to compromise build systems. They ensure the binary products of
> each build system match: i.e., they are built from the same source,
> regardless of variable metadata such as the order of input files,
> timestamps, locales, and paths. Reproducible builds are those where
> re-running the build steps with identical input artifacts results in
> bit-for-bit identical output. Builds that cannot meet this must provide a
> justification why the build cannot be made reproducible."
>
> Their press release is here:
>
> https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/
>
> --- David A. Wheeler
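The quoted passage defines reproducibility as bit-for-bit identical output from identical inputs, regardless of input order, timestamps, locales and paths. The following is an added worked example, not code from the e-mail thread, the ESF guide, or the Reproducible Builds project: it "builds" (packages) the same constructed source tree from two independent checkouts, once naively and once with every variable listed in the quote normalized, and compares the SHA-256 of the results. All function names, the sample files and the SOURCE_DATE_EPOCH value are assumptions chosen for the demonstration.

```python
"""Added example (not from the original thread or the ESF guide): package
the same source tree twice and show which build strategy is bit-for-bit
reproducible. Helper names and sample data are constructed for this demo."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "source tree"; the content itself is irrelevant.
SAMPLE_SOURCES = {
    "src/main.c": "int main(void) { return 0; }\n",
    "src/util.c": "int helper(int x) { return x + 1; }\n",
    "README": "demo project\n",
}

# Fixed timestamp, as a build would take from the SOURCE_DATE_EPOCH
# environment variable. The value is arbitrary for this example.
SOURCE_DATE_EPOCH = 1662076800


def checkout(root):
    """Write SAMPLE_SOURCES under root, like a fresh clone into a new path."""
    for rel, text in SAMPLE_SOURCES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def build_naive(src_root):
    """The 'just tar it up' build: absolute paths leak the checkout location,
    member mtime/uid/gid come from the filesystem, walk order is whatever the
    filesystem returns, and tarfile's gzip layer stamps the header with now."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for dirpath, _dirnames, filenames in os.walk(src_root):
            for name in filenames:
                tar.add(os.path.join(dirpath, name))  # arcname = absolute path
    return buf.getvalue()


def build_reproducible(src_root, source_date_epoch=SOURCE_DATE_EPOCH):
    """Normalize each source of variation the guide lists: sorted input order,
    fixed timestamps, checkout-independent paths, no owner metadata, a fixed
    mode, and a zeroed gzip header timestamp."""
    members = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames.sort()  # deterministic traversal regardless of filesystem
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            members.append((rel, full))
    members.sort()

    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.USTAR_FORMAT) as tar:
            for arcname, full in members:
                info = tarfile.TarInfo(arcname)
                info.size = os.path.getsize(full)
                info.mtime = source_date_epoch
                info.mode = 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(pair):
    """True when two independent builds produced identical bytes."""
    return pair[0] == pair[1]


def compare_two_checkouts():
    """Build from two separate checkouts (different directories, different
    file mtimes) and return the digest pair per strategy."""
    results = {}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        checkout(a)
        checkout(b)
        results["naive"] = (digest(build_naive(a)), digest(build_naive(b)))
        results["reproducible"] = (
            digest(build_reproducible(a)),
            digest(build_reproducible(b)),
        )
    return results


if __name__ == "__main__":
    for strategy, pair in compare_two_checkouts().items():
        verdict = "bit-for-bit identical" if is_reproducible(pair) else "DIFFER"
        print(f"{strategy:12s}: {verdict}")
        for d in pair:
            print("    ", d)
```

The naive archive differs between the two checkouts even though the sources are identical, because the temporary directory name is embedded in every member header (the "paths" case) and the gzip header carries the build time. The normalized build returns the same digest from both checkouts, which is exactly the check a second, independent build machine performs to validate the first. Real builds have more sources of variation than an archive (compiler output, locale-dependent sorting, embedded build IDs), but the approach is the same: identify each variable input and pin it.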