Reproducible Builds
Reproducible builds are an idealistic solution to many of the supply chain security challenges I see today. They cut off an entire chain of attacks, from a compromised build infrastructure (see SolarWinds) to a compromised artifact distribution, because anyone who can obtain the source can rebuild it and check that the bytes match what was shipped. But they are only a piece of the solution, and they are rarely implemented today. Here's my take on what a complete solution would look like, and why no one is doing it.

Theoretical Solution
An end-to-end solution needs multiple checks at each point along the software delivery path. The goal is to eliminate any single point that can be compromised in the build pipeline. ...
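To make the two ideas above concrete, here is an added Python example (written for this page, not code from the original post or from any particular project). It shows what "reproducible" means at the byte level, namely that the same source packaged by different builders must yield identical bytes once the usual sources of drift (timestamps, file ownership, directory listing order) are normalized, and it shows the check this enables: several independent rebuilders compare digests, so one compromised builder produces a dissenting digest instead of a trusted artifact. The builder environments, file contents and the pinned SOURCE_DATE_EPOCH value are constructed for the demo.

```python
import hashlib
import io
import tarfile

# Constructed sample build output (not from the original post): path -> bytes.
SAMPLE_OUTPUTS = {
    "share/README": b"demo artifact\n",
    "bin/app": b"\x7fELF\x02\x01\x01fake-binary-for-demo",
    "etc/app.conf": b"listen = 0.0.0.0:8080\n",
}

# Hypothetical per-builder environments. Each differs in the ways that
# commonly leak into build output: wall-clock time, the account running
# the build, and the order the filesystem happens to list files in.
BUILDERS = {
    "builder-a": {"now": 1700000000, "uid": 1000, "gid": 1000, "user": "ci",
                  "order": ["bin/app", "etc/app.conf", "share/README"]},
    "builder-b": {"now": 1700003600, "uid": 1001, "gid": 1001, "user": "jenkins",
                  "order": ["share/README", "bin/app", "etc/app.conf"]},
    "builder-c": {"now": 1700007200, "uid": 0, "gid": 0, "user": "root",
                  "order": ["etc/app.conf", "share/README", "bin/app"]},
}

# Timestamp every builder agrees on (the SOURCE_DATE_EPOCH convention:
# usually the commit date of the source being built). Constructed value.
SOURCE_DATE_EPOCH = 1699999999


def package(files, env, reproducible):
    """Produce a tar archive of `files` as seen from environment `env`.

    reproducible=False mimics a plain `tar -cf` run: entries in whatever
    order the directory listing returned, mtime from the clock, owner
    from the build account. reproducible=True applies the standard
    normalizations: sorted entries, mtime pinned to SOURCE_DATE_EPOCH,
    owner fields zeroed. (Compression would add a gzip mtime too; it is
    left out here.)
    """
    names = sorted(files) if reproducible else env["order"]
    buf = io.BytesIO()
    # USTAR format: no pax extension headers that could carry extra state.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if reproducible:
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            else:
                info.mtime = env["now"]
                info.uid, info.gid = env["uid"], env["gid"]
                info.uname = info.gname = env["user"]
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def independent_rebuilds(files, reproducible):
    """Every builder rebuilds the same source; return builder -> artifact digest."""
    return {name: digest(package(files, env, reproducible))
            for name, env in BUILDERS.items()}


def check_consensus(digests):
    """Accept an artifact only if every independent builder produced the
    same bytes. Returns (ok, dissenting_builders). With N builders an
    attacker has to subvert all N to slip a modified artifact through;
    a single bad builder is flagged rather than trusted."""
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    majority = max(counts, key=counts.get)
    dissenters = sorted(n for n, d in digests.items() if d != majority)
    return (len(counts) == 1, dissenters)


if __name__ == "__main__":
    for mode in (False, True):
        ok, dissenters = check_consensus(independent_rebuilds(SAMPLE_OUTPUTS, mode))
        print(f"reproducible={mode}: consensus={ok} dissenters={dissenters}")
```

Run as-is, the unnormalized build yields three different digests even though every builder started from identical input, so the cross-builder check cannot distinguish honest drift from tampering; with normalization all three agree, and a builder that substitutes a different artifact shows up as the lone dissenter.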