@@ -10,9 +10,7 @@ Welcome to the April 2019 report from the [Reproducible Builds](https://reproduc
As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
### Weekly blog changes to monthly blog
Starting this month we have changed the frequency of our blog to monthly. In this post we will detail the most important things which have been up to in/around the world of reproducible builds and secure toolchains in the month of April.
In this post we will detail the most important things which have been up to in/around the world of reproducible builds and secure toolchains in the month of April — starting this month we have changed the frequency of our blog to monthly.
In this months's report, we will cover:
...
...
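Review bot: the rewritten sentence on the line beginning "In this post we will detail" still carries the original's missing subject in "things which have been up to in/around"; since this line is being reworded anyway, make it "the most important things we have been up to in and around the world of reproducible builds". The trailing context line "In this months's report" also has a typo ("month's") that is worth fixing in the same change.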
@@ -28,6 +26,8 @@ In this months's report, we will cover:
* The [SecureList](https://securelist.com) website [reported on Operation "ShadowHammer"](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/), a high-profile supply chain attack involving the [ASUS](https://en.wikipedia.org/wiki/Asus) Live Update Utility. As their post describes in more detail, tampering with binaries usually breaks the digital signature but in this case the digital signature appeared to have been compromised. ([Read more](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/))
*[Linux Weekly News (LWN)](https://lwn.net/) covered the [recent `bootstrap-sass` backdoor incident](https://lwn.net/Articles/785386/) which speaks to the prevalence of supply-chain and mirror-based attacks. [David A. Wheeler](https://dwheeler.com) also [published an essay on the incident](https://dwheeler.com/essays/bootstrap-sass-subversion.html) that explicitly proposes reproducible builds as a potential way to reduce the impact of such attacks in the future.
* There was an interesting discussion on [Hacker News](https://news.ycombinator.com/) regarding the release of [WAPM](https://wapm.io/), a package manager for [WebAssembly](https://webassembly.org/) packages that are typically embedded into browsers and web-pages. In [the discussion there was a query](https://news.ycombinator.com/item?id=19732794) and distinction raised by commenter *whyrusleeping* between the ability to reproduce any generated packages versus simply signing packages in the usual manner which received warm reception by the upstream authors.
...
...
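Review bot: the newly added bullet "*[Linux Weekly News (LWN)]" is missing the space between the asterisk and the link, so markdown will not render it as a list item and may instead treat the asterisk as the start of an emphasis span; change it to "* [Linux Weekly News (LWN)](https://lwn.net/) covered ..." to match the surrounding bullets. Separately, "which speaks to the prevalence of supply-chain and mirror-based attacks" attributes a claim to the LWN article that the bullet does not substantiate; "which highlights the risk of supply-chain and mirror-based attacks" would be a safer summary.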
@@ -184,7 +184,7 @@ We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framewor
* Add/update the new `reproducible-builds.org` [MX records](https://en.wikipedia.org/wiki/MX_record). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ddd1042)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/711267ec)]
* Fix typo in comment; thanks to `ijc` for reporting! [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2435823c)]
Holger Levsen ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a79527a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a24c3aa9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/363a02f3)]), Mattia Rizzolo ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d4d39d1)]) and Vagrant Cascadian ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6412217)]) all performed a large amount of build node maintenance, system and jenkins administration and Chris Lamb provided a patch to avoid double spaces in IRC notifications. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4b80011)]
Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a79527a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a24c3aa9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/363a02f3)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d4d39d1)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6412217)] all performed a large amount of build node maintenance, system & Jenkins administration and Chris Lamb provided a patch to avoid double spaces in IRC notifications [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4b80011)].
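Review bot: the reworded paragraph is still a single run-on sentence that joins three people's node maintenance with an unrelated IRC-notification patch by Chris Lamb; split it after "system & Jenkins administration." and start a new sentence for the patch. Also note that the change swaps "and" for "&" and capitalises "Jenkins": the capitalisation is correct (it matches the link text earlier in the section), but "&" is not used elsewhere in the report, so keep "system and Jenkins administration" for consistency.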