r-b as a recommendation in standards
Bernhard M. Wiedemann
bernhardout at lsmod.de
Thu Sep 26 07:24:44 UTC 2024
Hi,
At our summit in Hamburg we discussed that r-b should be listed as a
recommendation or requirement in new standards to encourage people to
ensure builds are reproducible.
Via [1] I found 3 relevant standards:
* NIST Secure Software Development Framework =
https://csrc.nist.gov/Projects/ssdf
* OpenSSF Scorecard = https://openssf.org/resources/guides/
* SLSA (Supply Chain Levels for Software Artifacts Framework)
SLSA level 4 already lists reproducible builds as optional/recommended
= https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds
NIST
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
has on page 16:
> PO.3.2: Follow recommended security practices to
> deploy, operate, and maintain tools and toolchains.
> Example 4: Implement the technologies and processes needed for reproducible
> builds.
In the OpenSSF docs, I found
https://github.com/ossf/scorecard/blob/main/docs/checks.md
but I think it should be promoted in other contexts there, too.
Ciao
Bernhard M.
[1]
https://www.heise.de/news/Viele-Open-Source-Maintainer-schmeissen-hin-steigender-Druck-auf-Projekte-9904636.html
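The NIST example above ("implement the technologies and processes needed for reproducible builds") names the goal but not what it takes in practice. The following is an added example, written for this page and not code from the post, from NIST, or from the Reproducible Builds project. It packages a small source tree into a tarball twice, once naively and once with the usual normalizations (sorted entry order, mtime pinned to SOURCE_DATE_EPOCH, uid/gid/uname/gname zeroed, gzip header timestamp pinned), and compares the SHA-256 digests of the two runs. The sample tree, the file contents and the epoch value are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample source tree (assumption: not taken from the post).
SAMPLE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "Makefile": b"all:\n\tcc -o main src/main.c\n",
    "README": b"example project\n",
}

# Constructed timestamp standing in for the SOURCE_DATE_EPOCH of a release.
SOURCE_DATE_EPOCH = 1_500_000_000


def write_tree(root):
    """Write the sample tree below root."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def naive_archive(root):
    """Non-reproducible: filesystem walk order and on-disk mtime/uid/gid
    leak into the tar headers, and the gzip header gets the current time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root))
    return buf.getvalue()


def sorted_entries(root):
    """All files and directories below root, as sorted relative paths."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            entries.append(os.path.relpath(full, root))
    return sorted(entries)


def reproducible_archive(root, source_date_epoch):
    """Reproducible: deterministic entry order, normalized headers, pinned
    gzip timestamp. Output depends only on file paths, modes and contents."""

    def normalize(ti):
        ti.mtime = source_date_epoch      # pin every entry's timestamp
        ti.uid = ti.gid = 0               # drop build-machine ownership
        ti.uname = ti.gname = ""          # and the user/group name lookups
        return ti

    buf = io.BytesIO()
    # gzip writes its own mtime field into the stream header; pin it too.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=source_date_epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for rel in sorted_entries(root):
                tar.add(os.path.join(root, rel), arcname=rel,
                        recursive=False, filter=normalize)
    return buf.getvalue()


def build_twice(archive_fn):
    """Build the sample tree in two fresh checkouts with different file
    mtimes (as two CI runs would see) and report whether digests match."""
    digests = []
    for run in range(2):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root)
            stamp = 1_600_000_000 + run * 86400  # checkout a day later
            for rel in SAMPLE_FILES:
                os.utime(os.path.join(root, rel), (stamp, stamp))
            digests.append(hashlib.sha256(archive_fn(root)).hexdigest())
    return digests[0] == digests[1]


if __name__ == "__main__":
    print("naive archive reproducible:", build_twice(naive_archive))
    print("normalized archive reproducible:",
          build_twice(lambda r: reproducible_archive(r, SOURCE_DATE_EPOCH)))
```

The naive variant fails even though the source is byte-identical, which is the usual first finding when a project starts checking reproducibility: the differences come from the build environment (timestamps, ownership, directory order), not from the code. The normalized variant is what tools like `tar --sort=name --mtime=@$SOURCE_DATE_EPOCH --owner=0 --group=0` achieve from the shell; the point of a standards recommendation is to make this kind of second build and digest comparison a routine step rather than an afterthought.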