Re: Attack on SolarWinds could have been countered by reproducible builds

2021-04-27 Thread Chris Lamb
Chris Lamb wrote: > > I reviewed the latter and found some issues: > > Thanks for your review. Unfortunately, there is limited scope to > make substantive changes at this stage in the publication cycle. > > However, I'm sure some of the grammatical fixes you mention can be > absorbed, so thank

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-04-21 Thread Fredrik Strömberg
On Wed, Apr 14, 2021 at 7:02 PM Chris Lamb wrote: > > Chris Lamb wrote: > > > > > > As it happens, Stefano Zacchiroli recently suggested to me that we > > > > > write a paper together that we would first offer to IEEE Software. We > > > > > got into a good routine and submitted to IEEE about a

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-04-16 Thread Chris Lamb
Hi Bernhard, > I reviewed the latter and found some issues: Thanks for your review. Unfortunately, there is limited scope to make substantive changes at this stage in the publication cycle. However, I'm sure some of the grammatical fixes you mention can be absorbed, so thank you for pointing

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-04-16 Thread Bernhard M. Wiedemann
On 14/04/2021 19.02, Chris Lamb wrote: > A quick update: as permitted by IEEE, the paper is now available in an > open access / preprint capacity: > >https://ieeexplore.ieee.org/document/9403390 >https://arxiv.org/abs/2104.06020 I reviewed the latter and found some issues: > doing so

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-04-14 Thread Chris Lamb
Chris Lamb wrote: > > > > As it happens, Stefano Zacchiroli recently suggested to me that we > > > > write a paper together that we would first offer to IEEE Software. We > > > > got into a good routine and submitted to IEEE about a fortnight ago. > > > > > > > > > > Chris: Any news on this

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-02-23 Thread Allen Gunn
And for those who have not seen this item, another take on supply chain vulnerability scenarios: https://www.schneier.com/blog/archives/2021/02/dependency-confusion-another-supply-chain-vulnerability.html On 2/23/21 12:56 AM, Fredrik Strömberg wrote: > On Mon, Feb 22, 2021 at 6:52 PM Chris Lamb >

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-02-23 Thread Fredrik Strömberg
On Mon, Feb 22, 2021 at 6:52 PM Chris Lamb wrote: > > Fredrik, as you asked for updates: just to mention that the paper has > passed its initial review, and we are now making some minor changes to > address various comments and concerns (mostly around the framing of > the issue and ensuring it is

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-02-22 Thread Chris Lamb
Chris Lamb wrote: > > > As it happens, Stefano Zacchiroli recently suggested to me that we > > > write a paper together that we would first offer to IEEE Software. We > > > got into a good routine and submitted to IEEE about a fortnight ago. > > > > > > > Chris: Any news on this article? I'd love

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-01-16 Thread Chris Lamb
Hi Fredrik, > > As it happens, Stefano Zacchiroli recently suggested to me that we > > write a paper together that we would first offer to IEEE Software. We > > got into a good routine and submitted to IEEE about a fortnight ago. > > > > Chris: Any news on this article? I'd love to read it.

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-01-16 Thread Fredrik Strömberg
Hi Chris, and everyone else! On Tue, Dec 22, 2020 at 1:37 PM Chris Lamb wrote: > > As it happens, Stefano Zacchiroli recently suggested to me that we > write a paper together that we would first offer to IEEE Software. We > got into a good routine and submitted to IEEE about a fortnight ago. >

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-01-13 Thread David A. Wheeler
I just posted, on The Linux Foundation blog, an article titled "Preventing Supply Chain Attacks like SolarWinds" at: https://www.linuxfoundation.org/en/blog/preventing-supply-chain-attacks-like-solarwinds/ It *prominently* notes the need for reproducible builds. Ximin Luo: > From my experience

Re: Attack on SolarWinds could have been countered by reproducible builds

2021-01-13 Thread Hans-Christoph Steiner
Yeah, a short writeup on RB in the context of the SolarWinds attack would be great to have, especially now that more details are coming out. It's quite an impressive hack, it even cleans up after itself: To prevent detection, Sunburst's creators "included a hash verification check" to

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-30 Thread Ximin Luo
From my experience working in R-B, media chatter isn't sufficient to overcome engineering inertia. There's a lot of tunnel vision and arrogant engineers in upstream toolchain projects nitpicking at technical crap that doesn't matter, when we submit patches. To advance reproducible builds,

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-30 Thread Hans-Christoph Steiner
Holger Levsen: On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote: If you'd like to see a concrete use, for the apps that require reproducible builds in F-Droid, an APK build is not signed and released unless f-droid.org's build matches the upstream developer's APK.

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-30 Thread Holger Levsen
On Wed, Dec 30, 2020 at 04:41:08PM +0100, Hans-Christoph Steiner wrote: > If you'd like to see a concrete use, for the apps that require reproducible > builds in F-Droid, an APK build is not signed and released unless > f-droid.org's build matches the upstream developer's APK. while this is

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-30 Thread Holger Levsen
hi, On Mon, Dec 21, 2020 at 01:58:01PM -0500, Santiago Torres-Arias wrote: > To be a little bit more upfront: I think that we as a community > sometimes focus on "is this thing reproducible" and not on "how can I > use this to secure the ecosystem". I fully agree and believe this is due to us

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-27 Thread Bernhard M. Wiedemann
On 21/12/2020 22.28, Richard Purdie wrote: > OE-Core is about 800 pieces of software generating ~11,000 > packages of which we have about 65 marked as not reproducible at > present. We're obviously working on improving those 65, and the > techniques used will "just work" to a large extent

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-23 Thread Chris Lamb
Hi Martin, > > Stefano Zacchiroli recently suggested to me that we > > write a paper together that we would first offer to IEEE Software. We > > got into a good routine and submitted to IEEE about a fortnight ago. > > Congrats on the submission! Would you have a preprint or Arxiv version >

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-22 Thread Chris Lamb
Hi Justin, > On another note, I would say this is an ideal time to engage the > broader academic / open source communities about reproducible builds. As it happens, Stefano Zacchiroli recently suggested to me that we write a paper together that we would first offer to IEEE Software. We got into

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-22 Thread Justin Cappos
On Tue, Dec 22, 2020 at 4:58 AM David A. Wheeler wrote: > > > On Dec 21, 2020, at 1:58 PM, Santiago Torres-Arias > wrote: > I agree that we need more visibility on the reprobuilds aspect of this > compromise. > > > I don’t think it’s visible to *reporters* though. > Just to chime in here, I've

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread Richard Purdie
On Mon, 2020-12-21 at 15:57 -0500, David A. Wheeler wrote: > I think these things need to happen in stages. Broadly: > 1. Get key applications & libraries reproducible (assuming toolchains > are okay) > 2. Establish independent processes that *check* that the binaries are > what they’re supposed
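The release gate that Hans-Christoph Steiner describes for F-Droid above (no signing or release unless the independent rebuild matches the developer's artifact) and stage 2 of David A. Wheeler's list (independent processes that check binaries) as an added worked example. This is not code from F-Droid, the reproducible-builds project, or any poster in this thread: the toy toolchain, the builder names, the sample source and the implant bytes are all constructed stand-ins. It shows why the gate catches a compromised build host when source and distribution are intact, and why stage 1 (reproducibility) has to come first: an honest but timestamp-embedding toolchain fails the same check.

```python
from __future__ import annotations

import hashlib
import zlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BuildResult:
    builder: str        # "upstream" or an independent rebuilder (hypothetical names)
    source_sha256: str  # hash of the source tree this builder consumed
    artifact: bytes     # the binary it produced

    @property
    def artifact_sha256(self) -> str:
        return sha256_hex(self.artifact)


def toy_build(source: bytes, timestamp: int | None = None) -> bytes:
    """Constructed stand-in for a compiler/packager, not a real toolchain.
    With timestamp=None the output depends only on the source (reproducible);
    embedding a build timestamp makes two honest builds differ."""
    header = b"TOYBIN\x00"
    if timestamp is not None:
        header += timestamp.to_bytes(8, "big")
    return header + zlib.compress(source, 9)


def verify_release(upstream: BuildResult, rebuilds: list[BuildResult],
                   quorum: int = 1) -> tuple[bool, list[str]]:
    """Release gate: sign/publish only if at least `quorum` independent rebuilds
    of the *same* source tree are bit-identical to upstream's artifact."""
    findings: list[str] = []
    matching = 0
    for rb in rebuilds:
        if rb.source_sha256 != upstream.source_sha256:
            # Different input: says nothing about upstream's build, so it does not count.
            findings.append(f"{rb.builder}: built a different source tree, not comparable")
            continue
        if rb.artifact_sha256 == upstream.artifact_sha256:
            matching += 1
            findings.append(f"{rb.builder}: bit-identical to upstream")
        else:
            findings.append(f"{rb.builder}: MISMATCH "
                            f"{rb.artifact_sha256[:12]} != {upstream.artifact_sha256[:12]}")
    ok = matching >= quorum
    findings.append("RELEASE: sign and publish" if ok else "HOLD: do not sign")
    return ok, findings


SOURCE = b"int main(void) { return 0; }\n"  # constructed sample source tree
SRC_HASH = sha256_hex(SOURCE)


def scenario_clean() -> tuple[bool, list[str]]:
    # Reproducible toolchain, honest upstream, two independent rebuilders.
    upstream = BuildResult("upstream", SRC_HASH, toy_build(SOURCE))
    rebuilds = [BuildResult(f"rebuilder-{i}", SRC_HASH, toy_build(SOURCE)) for i in (1, 2)]
    return verify_release(upstream, rebuilds, quorum=2)


def scenario_compromised_build_system() -> tuple[bool, list[str]]:
    # Source repository and download server are untouched; only upstream's build
    # host is hostile and splices a payload into the output (constructed implant).
    trojaned = toy_build(SOURCE) + b"\x90\x90 implant"
    upstream = BuildResult("upstream", SRC_HASH, trojaned)
    rebuilds = [BuildResult(f"rebuilder-{i}", SRC_HASH, toy_build(SOURCE)) for i in (1, 2)]
    return verify_release(upstream, rebuilds, quorum=2)


def scenario_unreproducible() -> tuple[bool, list[str]]:
    # Everyone is honest, but the toolchain embeds a build timestamp. The gate
    # cannot tell this apart from the compromised case, which is why
    # reproducibility must be fixed before independent checking is useful.
    upstream = BuildResult("upstream", SRC_HASH, toy_build(SOURCE, timestamp=1607990400))
    rebuilds = [BuildResult("rebuilder-1", SRC_HASH, toy_build(SOURCE, timestamp=1608076800))]
    return verify_release(upstream, rebuilds, quorum=1)


if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean),
                     ("compromised build system", scenario_compromised_build_system),
                     ("unreproducible toolchain", scenario_unreproducible)):
        ok, findings = fn()
        print(f"== {name}: {'release' if ok else 'hold'}")
        for line in findings:
            print("   ", line)
```

The quorum parameter is what turns "is this package reproducible" into "can I use this to secure the ecosystem": a single rebuilder is only as trustworthy as its own build host, so a real deployment would require several rebuilders operated by different parties and treat any mismatch as a hold that gets investigated with a byte-level diff, not as a build to retry until it passes.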

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread David A. Wheeler
> On Dec 21, 2020, at 1:58 PM, Santiago Torres-Arias > wrote: > I agree that we need more visibility on the reprobuilds aspect of this > compromise. I don’t think it’s visible to *reporters* though. > To be a little bit more upfront: I think that we as a community > sometimes focus on "is

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread Santiago Torres-Arias
Hello. On Thu, Dec 17, 2020 at 07:33:11PM -0500, David A. Wheeler wrote: > All: > > There's been a recently-revealed attack on the SolarWinds product "Orion", a > Network Management System (NMS). This software is widely used and thus this > attack is extremely concerning. > > According to

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread David Kleuker
It doesn't help much to rant on this ML where all people know what reproducible builds are. Instead, contacting all those journalists that did not mention it has a chance to change the current status. A publication on reproducible-builds.org about this incident would also be helpful to share the

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-21 Thread Chris Lamb
David A. Wheeler wrote: > Let me restate this: it appears that the *source code* wasn’t > compromised, and the *distribution* system wasn’t compromised. Instead, > the *build system* was compromised. Thanks for this, David. You are absolutely right that this is exactly what Reproducible Builds

Re: Attack on SolarWinds could have been countered by reproducible builds

2020-12-18 Thread Hans-Christoph Steiner
Thanks for this info! RB work can be a slog through annoying technical details, so confirmation of its importance always helps lift my spirits. It's definitely good fodder for getting funding for related work. .hc David A. Wheeler: All: There's been a recently-revealed attack on the

Attack on SolarWinds could have been countered by reproducible builds

2020-12-17 Thread David A. Wheeler
All: There's been a recently-revealed attack on the SolarWinds product "Orion", a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning. According to SANS, "SolarWinds has published limited information in which they state they believe the