create overview of recommendations and standards requesting r-b
Bernhard M. Wiedemann wrote on rb-general:
At our summit in Hamburg, we discussed that r-b should be listed as a recommendation or requirement in new standards, to encourage people to ensure builds are reproducible.
Via [1] I found 3 relevant standards:
- NIST Secure Software Development Framework = https://csrc.nist.gov/Projects/ssdf
- OpenSSF Scorecard = https://openssf.org/resources/guides/
- SLSA (Supply Chain Levels for Software Artifacts Framework)
SLSA level 4 already lists reproducible builds as optional/recommended = https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds
NIST https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf has on page 16:
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.
Example 4: Implement the technologies and processes needed for reproducible builds.
In the OpenSSF docs, I found https://github.com/ossf/scorecard/blob/main/docs/checks.md but I think it should be promoted in other contexts there, too.
Larry Doolittle then mentioned:
Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF (August 2022, 64-page PDF by a consortium of U.S. Government agencies). Unfortunately R-B is only mentioned a couple of times, but it is there. See Requirement ID REB-1.
David A. Wheeler mentioned that the OpenSSF has a course called "Developing Secure Software" (LFD121): https://training.linuxfoundation.org/training/developing-secure-software-lfd121/ He mentioned the LFD121 course because it has a section on hardening builds, and it includes some information on reproducible builds. Here's some of that text:
If an attacker manages to subvert the build process, the subverted results are often difficult to detect. A strong countermeasure to this attack is a verified reproducible build. A build is reproducible “if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts” (as defined in “Definitions” from the Reproducible Builds project). A reproducible build is also called a deterministic build. A verified reproducible build is simply a build that’s been independently verified to be a reproducible build (on different computer(s)). Verified reproducible builds make attacking the build process much harder, because the attacker must then subvert multiple independent build systems to successfully subvert building the software.
You can see the full text here: https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#harden-the-development-environment-including-build-and-cicd-pipeline--distribution-environment
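The "verified reproducible build" the course text describes is just independent rebuilds plus a bit-for-bit comparison. The following is an added example (my own code, not from the LFD121 course, the OpenSSF, or the Reproducible Builds project) that performs that check on a toy build: the "build" packages a constructed three-file source tree into a zip archive, once naively and once with the usual fixes (sorted entry order, timestamps pinned to a SOURCE_DATE_EPOCH-style constant, fixed permissions). Two simulated builders check the sources out at different times, build in separate directories, and the verifier compares the SHA-256 of what each produced. File names, contents and the epoch value are assumptions chosen for the example.

```python
"""Verified reproducible build, in miniature: build the same source tree in
independent environments and compare the artifacts bit for bit.

Added example; the "build" is a toy that zips a source tree so the common
sources of non-determinism (entry order, mtimes, permissions) are visible.
"""
import hashlib
import os
import tempfile
import time
import zipfile

# Fixed timestamp honoured by the hardened build (assumption; plays the role
# of the SOURCE_DATE_EPOCH convention used by reproducible-builds tooling).
SOURCE_DATE_EPOCH = 1700000000

# Constructed sample source tree (assumption: contents are arbitrary).
SAMPLE_SOURCES = {
    "Makefile": b"all: main\n",
    "README": b"toy project\n",
    "main.c": b"int main(void) { return 0; }\n",
}


def make_checkout(root, mtime):
    """Simulate one builder checking out the sources at a given time."""
    src = os.path.join(root, "src")
    os.makedirs(src)
    for name, data in SAMPLE_SOURCES.items():
        path = os.path.join(src, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644)
        os.utime(path, (mtime, mtime))  # checkout time leaks into file metadata
    return src


def naive_build(src, out):
    """Non-reproducible: directory order and file mtimes end up in the archive."""
    with zipfile.ZipFile(out, "w") as zf:
        for name in os.listdir(src):
            zf.write(os.path.join(src, name), arcname=name)


def reproducible_build(src, out, epoch=SOURCE_DATE_EPOCH):
    """Hardened: sorted entries, timestamps pinned to epoch, fixed permissions."""
    date_time = time.gmtime(epoch)[:6]
    with zipfile.ZipFile(out, "w") as zf:
        for name in sorted(os.listdir(src)):
            with open(os.path.join(src, name), "rb") as f:
                data = f.read()
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.external_attr = 0o644 << 16  # do not inherit the checkout's mode
            info.compress_type = zipfile.ZIP_STORED
            zf.writestr(info, data)


def sha256_file(path):
    """Digest of the artifact; identical digests mean bit-for-bit identical files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def independent_rebuilds(build_fn, builders=2):
    """Run build_fn on `builders` fresh checkouts, each made at a different
    time and in its own directory, and return each builder's artifact digest."""
    digests = []
    for i in range(builders):
        with tempfile.TemporaryDirectory() as root:
            src = make_checkout(root, mtime=SOURCE_DATE_EPOCH + i * 86400)
            out = os.path.join(root, "app.zip")
            build_fn(src, out)
            digests.append(sha256_file(out))
    return digests


def is_verified_reproducible(build_fn, builders=2):
    """The verification step: every independent builder must agree bit for bit."""
    return len(set(independent_rebuilds(build_fn, builders))) == 1


if __name__ == "__main__":
    for fn in (naive_build, reproducible_build):
        print(fn.__name__, "reproducible:", is_verified_reproducible(fn))
```

The naive build fails verification because each builder's checkout time is written into the zip headers, which is exactly the kind of difference an attacker-subverted build system would hide behind if only one machine ever built the artifact. For real artifacts the comparison is the same (compare digests from independently operated builders), and when they differ, diffoscope shows where.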