<![CDATA[Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past?]]>Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past?

Link Preview Image
In a Big Move to Linux Security, Debian Makes Reproducible Builds Mandatory

Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch.

favicon

It's FOSS (itsfoss.com)

]]>https://board.circlewithadot.net/topic/1f155029-cc66-499a-acbf-3228e53f3324/would-this-move-by-debian-requiring-byte-for-byte-reproducible-builds-have-caught-any-real-world-supply-chain-attacks-seen-in-the-pastRSS for NodeFri, 15 May 2026 07:46:09 GMTWed, 13 May 2026 18:33:13 GMT60<![CDATA[Reply to Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past? on Wed, 13 May 2026 19:43:30 GMT]]>@kemotep @dangoodin well, in the xz case, it was actually one of the main contributors who slipped in the attack. There is little that can be done against that.

]]>https://board.circlewithadot.net/post/https://fediscience.org/users/GeorgWeissenbacher/statuses/116568975641366594https://board.circlewithadot.net/post/https://fediscience.org/users/GeorgWeissenbacher/statuses/116568975641366594Wed, 13 May 2026 19:43:30 GMT<![CDATA[Reply to Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past? on Wed, 13 May 2026 19:33:12 GMT]]>@kemotep @dangoodin it’s about being able to prove that the binary distribution matches the source code. If the source code is already tainted it won’t help.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/brown/statuses/116568935120304382https://board.circlewithadot.net/post/https://infosec.exchange/users/brown/statuses/116568935120304382Wed, 13 May 2026 19:33:12 GMT<![CDATA[Reply to Would this move by Debian, requiring byte-for-byte reproducible builds, have caught any real-world supply chain attacks seen in the past? on Wed, 13 May 2026 19:00:00 GMT]]>@dangoodin it would not have caught the xz attack. But is the point of reproducible builds more about consistency and reliability than security?

]]>https://board.circlewithadot.net/post/https://mastodo.neoliber.al/users/kemotep/statuses/116568804609913736https://board.circlewithadot.net/post/https://mastodo.neoliber.al/users/kemotep/statuses/116568804609913736Wed, 13 May 2026 19:00:00 GMT