On 9/29/25 3:28 PM, Arnout Engelen via rb-general wrote:
> Do you agree with the comments above? Are there any changes you'd like to see, or 
> additional comments you think would be valuable to relay in the context of reproducible 
> builds? The timeline is relatively strict: if we can get rough consensus before, say, 
> Wednesday, I think we could respond "as the Reproducible Builds project".

It's really close to "until Wednesday" already, but in my opinion a missed opportunity in the original SBOM standard was:

> The build tools/compiler are a material of your software executable

Knowing which exact compiler and compiler version was used is necessary for triaging certain security issues[1], and it's also critical information for any reproducible builds efforts.

At the moment this gap is filled by buildinfo files (each project having their own):

https://reproducible-builds.org/docs/recording/

Also to any CISA staff following this thread: hi! 😺

cheers,
kpcyrd

[1]: Any security issue that isn't "the build input contained a defect" but "the way the build input[2] was processed was faulty".

[2]: This is assuming "the build tools" are not a build input, which I think is only half the truth.
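As an added example (not part of this message, and not the Reproducible Builds project's own tooling): a small parser for the Installed-Build-Depends field of a Debian-style .buildinfo that pulls out exactly the toolchain versions the post argues an SBOM should list as materials, and diffs them between two builds for triage. The sample file, its package versions and the TOOLCHAIN_PREFIXES list are constructed assumptions.

```python
import re

# Constructed sample of a Debian-style .buildinfo (field names as in the real
# format; package versions are made up for this example).
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: example
Architecture: amd64
Version: 1.2.3-1
Installed-Build-Depends:
 binutils (= 2.40-2),
 gcc (= 4:12.2.0-3),
 gcc-12 (= 12.2.0-14),
 libc6-dev (= 2.36-9)
"""

# One "pkg (= version)" entry, with an optional :arch qualifier on the name.
DEP_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?\s*\(=\s*(?P<ver>[^)]+)\)")
TOOLCHAIN_PREFIXES = ("gcc", "g++", "clang", "rustc", "binutils")  # assumption

def parse_buildinfo(text):
    """Map field name -> value; continuation lines (leading whitespace) are appended."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields

def installed_build_depends(text):
    """Return {package: exact version} for every Installed-Build-Depends entry."""
    deps = {}
    for item in parse_buildinfo(text).get("Installed-Build-Depends", "").split(","):
        m = DEP_RE.match(item.strip())
        if m:
            deps[m.group("pkg")] = m.group("ver")
    return deps

def toolchain(text):
    """The subset an SBOM would need in order to list the compiler as a material."""
    return {p: v for p, v in installed_build_depends(text).items()
            if p.startswith(TOOLCHAIN_PREFIXES)}

def toolchain_diff(text_a, text_b):
    """Toolchain packages whose recorded version differs between two builds."""
    a, b = toolchain(text_a), toolchain(text_b)
    return {p: (a.get(p), b.get(p)) for p in a.keys() | b.keys() if a.get(p) != b.get(p)}
```

Feeding two .buildinfo files for the same source version through toolchain_diff shows at once whether a differing binary can be explained by a compiler change rather than a source change.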
