Hi,
On our summit in Hamburg we discussed that r-b should be listed as a
recommendation or requirement in new standards to encourage people to
ensure builds are reproducible.
Via [1] I found 3 relevant standards:
* NIST Secure Software Development Framework =
https://csrc.nist.gov/Projects/ssdf
* OpenSSF Scorecard = https://openssf.org/resources/guides/
* SLSA (Supply Chain Levels for Software Artifacts Framework)
SLSA level4 already lists reproducible builds as optional/recommended
= https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds
NIST
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
has on page 16:
PO.3.2: Follow recommended security practices to
deploy, operate, and maintain tools and toolchains.
Example 4: Implement the technologies and processes needed for reproducible
builds.
In the OpenSSF docs, I found
https://github.com/ossf/scorecard/blob/main/docs/checks.md
but I think, it should be promoted in other contexts there, too.
Ciao
Bernhard M.
[1]
https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html
