include the goals of the r-b project on our website
Bernhard has started a pad at https://etherpad.opensuse.org/p/reproduciblebuilds-goal which describes our goals. I think this should be moved to our website properly and thus am opening this ticket.
In case the pad goes down, this is the current text:
What is the goal of reproducible builds?
The goal of reproducible builds is to reduce the risk (aka likelihood) of running software that was corrupted (during build).
goal-FAQ:
How would such "corruption" happen?
- The worst case is "malicious corruption" as defined (used) by David A. Wheeler in his dissertation on DDC: https://dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html That is corruption from attackers manipulating the build system. One such example is https://unit42.paloaltonetworks.com/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
- Hardware corruption (from faulty RAM/CPU/HDD/Network); see also Rowhammer and Bitsquatting http://dinaburg.org/bitsquatting.html for how such faults can even affect security. Incomplete downloads, dropped packets, truncated files, false combination of real files via inode corruption and simply writing the wrong data to disk. (Most of those are software errors though and thus should be under #3.)
- The type we mostly found so far: Software issues that cause corruption during the build (FIXME link to "bugs_found" page with https://github.com/bmwiedemann/theunreproduciblepackage/tree/master/race and others). Or modify the resulting binary before storage to disk or from disk. Improper server configuration resulting in the wrong files delivered or artificially truncating the files delivered or munging files that don't belong together. (Add example links of such bugs/fixes?)
Are there other benefits of reproducible builds? Yes, many. See https://reproducible-builds.org/docs/buy-in/
What related sub-goals exist? As software developers, we want to reduce the likelihood of shipping software that was corrupted (during build).
How do we achieve this goal? By allowing multiple independent parties to verify that the sources produce the exact binaries using tools and standards developed by the reproducible builds project (participants).
What are non-goals?
Reproducible builds does not (intend to) help with vulnerabilities and other issues that exist in the source code. Other methods exist to address those. E.g. print "2+2=5" is wrong, yet perfectly reproducible.
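
The "multiple independent parties verify" step from the pad text, sketched as an added example (not part of the pad and not a tool of the reproducible builds project): it compares artifacts from several rebuilders, finds the majority result, and labels each outlier as the kind of corruption the FAQ lists (truncated file, single bit flip, or other divergence). The builder names, the sample artifact and the function names are constructed for illustration.

```python
import hashlib
from collections import Counter

def classify(reference: bytes, other: bytes) -> str:
    """Describe how `other` differs from the agreed-upon `reference` artifact."""
    if other == reference:
        return "identical"
    # A strict prefix of the reference looks like an incomplete download or write.
    if len(other) < len(reference) and reference.startswith(other):
        return "truncated"
    if len(other) == len(reference):
        # Exactly one differing bit is the signature of a RAM/disk/network bit flip.
        flipped_bits = sum(bin(a ^ b).count("1") for a, b in zip(reference, other))
        if flipped_bits == 1:
            return "single-bit-flip"
    return "divergent"

def compare_builds(builds: dict[str, bytes]) -> dict:
    """`builds` maps a rebuilder name to the artifact bytes it produced."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in builds.items()}
    digest, votes = Counter(digests.values()).most_common(1)[0]
    # Require a strict majority; a tie means nobody has reproduced anything yet.
    if votes * 2 <= len(builds):
        return {"consensus": None, "outliers": dict.fromkeys(builds, "no-majority")}
    reference = next(data for name, data in builds.items() if digests[name] == digest)
    outliers = {name: classify(reference, data)
                for name, data in builds.items() if digests[name] != digest}
    return {"consensus": digest, "outliers": outliers}

# Constructed sample: three matching builds, one bit flip, one truncated file.
ARTIFACT = b"\x7fELF" + bytes(range(64))
_bitflip = bytearray(ARTIFACT)
_bitflip[10] ^= 0x04
SAMPLE = {
    "builder-a": ARTIFACT,
    "builder-b": ARTIFACT,
    "builder-c": ARTIFACT,
    "builder-d": bytes(_bitflip),
    "builder-e": ARTIFACT[:40],
}

if __name__ == "__main__":
    result = compare_builds(SAMPLE)
    print("consensus sha256:", result["consensus"])
    for name, kind in sorted(result["outliers"].items()):
        print(f"{name}: {kind}")
```

Agreement only carries weight when the rebuilders are independent of each other; builders that share a compromised toolchain would agree on the same corrupted output.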