A general-purpose #Linux distribution consisting of 100% bit-reproducible packages. Find out more in the #ReproBuilds update. https://reproducible-builds.org/reports/2023-11/
Reproducible Builds in November 2023 — reproducible-builds.org

@ariadne I'm interested in this for software trust purposes (#ReproBuilds level and trust of underlying codebases & maintainerships).
@aral There's a lot of tie-in that can be had with #ReproBuilds here. Allowing separate vetting of the claim that "package matches the source" from "I've reviewed the source changes and they seem to do what they're advertised as", etc.
@Foxboron Very possibly! There was an epic thread with taviso (the one where he blocked me and a bunch of other folks for not agreeing with him that they're useless) a long time ago on birdsite over the value of #reprobuilds and webs of trust, where a lot of this came up.

Particularly, the value Twitter had as a unified public social graph of curated trust-as-source-of-information relationships.

The same kind of trust-as-source-of-information has come up in #reprobuilds and software provenance fields.

In an upcoming #IEEESoftware paper with Chris Lamb, we describe the #ReproducibleBuilds approach to increase the integrity of [#opensource] software #SupplyChains and how that worked out for #Debian.

#openaccess preprint: https://arxiv.org/abs/2104.06020

#FreeSoftware #FOSS #ReproBuilds

Reproducible Builds: Increasing the Integrity of Software Supply Chains

Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner: that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).
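As an added illustration of the approach the abstract describes, and of the "package matches the source" check mentioned earlier in the thread (this is example code, not from the paper or from the Reproducible Builds project): a toy "build" packs a constructed two-file source tree into a tar archive, first with default tar behaviour and then with the normalisations reproducible builds rely on, and a verifier checks an independent rebuild against the vendor's published digest. The SOURCE_DATE_EPOCH convention is real; the file names, timestamps and build functions are constructed for the demo.

```python
import hashlib
import io
import os
import tarfile
import tempfile
# Constructed sample source tree (not taken from any real package).
SOURCE_FILES = {"hello.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}

def write_source_tree(root, checkout_time):
    """Materialise the sample tree; checkout_time is when this builder cloned it."""
    for name, data in SOURCE_FILES.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (checkout_time, checkout_time))

def naive_build(root):
    """Default tar: listdir order and the real mtime/uid/gid in every header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in os.listdir(root):
            tar.add(os.path.join(root, name), arcname=name)
    return buf.getvalue()

def reproducible_build(root, source_date_epoch):
    """Sorted entries, fixed owner/mode, every mtime clamped to SOURCE_DATE_EPOCH."""
    def normalise(info):
        info.mtime = source_date_epoch
        info.uid = info.gid = 0
        info.uname = info.gname = "root"
        info.mode = 0o644
        return info
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(os.listdir(root)):
            tar.add(os.path.join(root, name), arcname=name, filter=normalise)
    return buf.getvalue()

def verify_rebuild(published_digest, rebuilt_artifact):
    """Trust the vendor's binary only if an independent rebuild hashes identically."""
    return hashlib.sha256(rebuilt_artifact).hexdigest() == published_digest

def compare_two_builders():
    """Two builders clone the same source a minute apart; returns (naive match, reproducible match, verified)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_source_tree(a, 1700000000)
        write_source_tree(b, 1700000060)
        vendor, rebuilt = reproducible_build(a, 1699999999), reproducible_build(b, 1699999999)
        return (naive_build(a) == naive_build(b), vendor == rebuilt,
                verify_rebuild(hashlib.sha256(vendor).hexdigest(), rebuilt))
```

The naive archives differ only in metadata (timestamps), yet that alone defeats a digest comparison; the normalised archives agree, so a third party can confirm the vendor's artifact without trusting the vendor's build machine.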
