Re: Please review the draft for March's report

2021-04-05 Thread Daniel Shahaf
Chris Lamb wrote on Mon, 05 Apr 2021 09:03 +00:00:
> Please review the draft for March's Reproducible Builds report:
> 
>   https://reproducible-builds.org/reports/2021-03/?draft

I don't understand from that post what's so significant about sigstore,
even after having followed the link to upstream's press release.  

The key technical points of upstream's PR seem to be:

> > Signing materials are then stored in a tamper-proof public log

> > Very few open source projects cryptographically sign software
> > release artifacts

> > sigstore seeks to solve […] by utilization of short lived
> > ephemeral keys with a trust root leveraged from an open and
> > auditable public transparency logs.

but none of that says what sigstore _actually does_, what attacks it
aims to thwart, why it's new/significant…

It's not our business to fix their press release, of course, but if we
link to something, we should ensure _our_ readers will be able to tell
what we link to and why it's significant.  If their press release doesn't
explain that, then we could explain those bits ourselves, or link to
a more technical write-up (cf. https://m.xkcd.com/1301/), etc.

HTH,

Daniel


Please review the draft for March's report

2021-04-05 Thread Chris Lamb
Hi all,

Please review the draft for March's Reproducible Builds report:

  https://reproducible-builds.org/reports/2021-03/?draft

… or, via the Git repository itself:

  https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/2021-03.md

I intend to publish it no earlier than:

  $ date -d 'Wed, 07 Apr 2021 16:00:00 +0100'

  https://time.is/compare/1600_07_Apr_2021_in_BST

§

Please feel free to commit/push to drafts without the overhead of
sending patches or merge requests. You should make your changes to the
"_reports/2021-03.md" file in the "reproducible-website" repository:

  $ git clone https://salsa.debian.org/reproducible-builds/reproducible-website
  $ cd reproducible-website
  $ sensible-editor _reports/2021-03.md

I am happy to reword and/or rework additions prior to publishing. If you
currently do not have access to the above repository, you can request access
by following the instructions at:

  https://reproducible-builds.org/contribute/salsa/


Regards,

-- 
  o
⬋   ⬊  Chris Lamb
   o o reproducible-builds.org 💠
⬊   ⬋
  o