Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://todon.nl/users/janneke/statuses/111107771330012591">Janneke (janneke@todon.nl)'s status on Wednesday, 04-Oct-2023 07:10:46 JST</a><a href="https://todon.nl/@janneke" title="janneke@todon.nl"><img src="https://gnusocial.jp/avatar/114964-48-20230426143038.webp" width="48" height="48" alt="Janneke" style="position: absolute; left: 0; top: 0;">Janneke</a><div><a href="https://mastodon.social/@amszmidt/111098290786820091" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/130031" title="amszmidt@mastodon.social">Alfred M. Szmidt</a></li></ul></div></section><article><p><a href="https://mastodon.social/@amszmidt">@amszmidt</a> <br>That's right, they do not help: they're essential!</p><p>Without Reproducible builds and Bootstrappable builds, free software, and certainly software freedom, is an illusion at best.</p><p>Re: Trusting Trust, see for example the excellent talk by <a href="https://floss.social/@vagrantc">@vagrantc</a> </p><p><a href="https://archive.org/details/fossy2023_Breaking_the_Chains_of_Trustin" rel="nofollow noreferrer">https://archive.org/details/fossy2023_Breaking_the_Chains_of_Trustin</a></p><p><a href="https://todon.nl/tags/RebproducibleBuilds" rel="tag">#RebproducibleBuilds</a><br><a href="https://todon.nl/tags/Bootstrappable" rel="tag">#Bootstrappable</a> <br><a href="https://todon.nl/tags/BootstrappableBuilds" rel="tag">#BootstrappableBuilds</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2086958#notice-4190695">In conversation</a><time datetime="2023-10-04T07:10:46+09:00" title="Wednesday, 04-Oct-2023 07:10:46 JST">about a year ago</time> <span>from <span><a href="https://todon.nl/@janneke/111107771330012591" rel="external" title="Sent from todon.nl via ActivityPub">todon.nl</a></span></span><a href="https://todon.nl/@janneke/111107771330012591">permalink</a><h4>Attachments</h4><ol><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://best.Re/">best.re - このウェブサイトは販売用です！ - best リソースおよび情報</a></h5><div></div></header><div>このウェブサイトは販売用です！ best.re は、あなたがお探しの情報の全ての最新かつ最適なソースです。一般トピックからここから検索できる内容は、best.reが全てとなります。あなたがお探しの内容が見つかることを願っています！</div><footer></footer></article></li><li><article><header><div>Domain not in remote thumbnail source whitelist: ia600505.us.archive.org</div><h5><a href="https://archive.org/details/fossy2023_Breaking_the_Chains_of_Trustin#RebproducibleBuilds">Breaking the Chains of Trusting Trust: Reproducible Builds and More! by Vagrant Cascadian</a></h5><div></div></header><div>Corrupted build environments can deliver compromised cryptographically
signed binaries. Several exploits in in critical supply chains have
been demonstrated in recent years, proving that this is not just
theoretical. The most well secured build environments are still single
points of failure when they fail.In 1984, Ken Thompson presented "Reflections on trusting trust" which
described an attack on a build toolchain that would be impossible to
detect through source code review ... in the decades since, what has
been done to actually mitigate these types of attacks?Work in the Reproducible Builds and Bootstrappable Builds communities
has been progressing steadily in recent years, and can be used to
significantly reduce the risks of "Trusting Trust" and other supply
chain attacks, by making it possible to independently review not only
the end result, but the entire toolchain used to build a given
artifact.This talk will focus on the state of the art from several angles in
related Free and Open Source Software projects, what works, current
challenges and future plans for building trustworthy toolchains you do
not need to trust.https://reproducible-builds.org
https://bootstrappable.orgSpeaker: 
            Vagrant Cascadian</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Janneke (janneke@todon.nl)'s status on Wednesday, 04-Oct-2023 07:10:46 JSTJanneke
in reply to
- Vagrant Cascadian
- Alfred M. Szmidt
@amszmidt
That's right, they do not help: they're essential!
Without Reproducible builds and Bootstrappable builds, free software, and certainly software freedom, is an illusion at best.
Re: Trusting Trust, see for example the excellent talk by @vagrantc
https://archive.org/details/fossy2023_Breaking_the_Chains_of_Trustin
#RebproducibleBuilds
#Bootstrappable
#BootstrappableBuilds
In conversationabout a year ago from todon.nlpermalink
Attachments
1. No result found on File_thumbnail lookup.
  best.re - このウェブサイトは販売用です！ - best リソースおよび情報
  このウェブサイトは販売用です！ best.re は、あなたがお探しの情報の全ての最新かつ最適なソースです。一般トピックからここから検索できる内容は、best.reが全てとなります。あなたがお探しの内容が見つかることを願っています！
2. Domain not in remote thumbnail source whitelist: ia600505.us.archive.org
  Breaking the Chains of Trusting Trust: Reproducible Builds and More! by Vagrant Cascadian
  Corrupted build environments can deliver compromised cryptographically signed binaries. Several exploits in in critical supply chains have been demonstrated in recent years, proving that this is not just theoretical. The most well secured build environments are still single points of failure when they fail. In 1984, Ken Thompson presented "Reflections on trusting trust" which described an attack on a build toolchain that would be impossible to detect through source code review ... in the decades since, what has been done to actually mitigate these types of attacks? Work in the Reproducible Builds and Bootstrappable Builds communities has been progressing steadily in recent years, and can be used to significantly reduce the risks of "Trusting Trust" and other supply chain attacks, by making it possible to independently review not only the end result, but the entire toolchain used to build a given artifact. This talk will focus on the state of the art from several angles in related Free and Open Source Software projects, what works, current challenges and future plans for building trustworthy toolchains you do not need to trust. https://reproducible-builds.org https://bootstrappable.orgSpeaker: Vagrant Cascadian

Public

Embed Notice

HTML Code

Corresponding Notice