Progress on securing our distribution against supply chain attacks: The Debian testing/trixie release on amd64 is now reproducible for over 95%, and counting. You can use the new debian-repro-status package to query the reproducibility status of your installed Debian packages. See reproduce.debian.net/ #debian #reproducible-builds
andy
in reply to Debian
Slightly worried by sudo being listed bad on my trixie system:
[-] sudo amd64 1.9.16p2-1 BAD
apt reinstall doesn't fix it either. Is there a correct response to BAD results?
Erik
in reply to Debian

stf
in reply to Debian
How exactly is reproducibility protecting against "supply chain attacks"? If I, as a maintainer or dev, backdoor a dependency of some upstream package and then a new backdoored source code version is released, in this case reproducible builds will only make sure that my backdoor is reproducibly built, but it will not mitigate my backdoor.
I think my scenario is *the* definition of a supply chain attack. No? Would your reproducible build have caught Jia Tan? What am I missing? 🧵 1/4
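The boundary the thread is arguing about, as an added toy model (not Debian's tooling and not code from anyone in the thread): a rebuilder such as reproduce.debian.net compiles the same source independently and compares the result bit-for-bit with the binary in the archive. That catches anything inserted between source and archive (a compromised build host, a modified .deb), it does not catch a backdoor that is already in the source, and a BAD verdict can also come from plain non-determinism such as an embedded timestamp, which is why the practical response to BAD is to look at where the two artefacts differ rather than to reinstall. `build`, `rebuild_status`, `first_difference` and the inline "sources" are all constructed stand-ins, not real compilers or packages.

```python
"""Toy model of what a reproducibility check does and does not verify.

Added example, not Debian's tooling. 'build' stands in for a compiler,
'archive_binary' for the .deb on the mirror, and rebuild_status for the
verdict a rebuilder reports. All inputs are constructed inline.
"""
import hashlib
import time

CLEAN_SRC = b"int main(void){ return run_service(); }"
# Constructed: the same program with a backdoor committed upstream.
BACKDOORED_SRC = CLEAN_SRC + b"\n/* hidden: accept payload signed with attacker key */"


def build(source: bytes, *, deterministic: bool = True) -> bytes:
    """Stand-in compiler. Output depends only on the source when
    deterministic; otherwise it embeds a build timestamp, the classic
    cause of an irreproducible package."""
    binary = b"ELF:" + hashlib.sha256(source).digest()
    if not deterministic:
        binary += b":built-at:" + str(time.time_ns()).encode()
    return binary


def rebuild_status(source: bytes, archive_binary: bytes) -> str:
    """What a rebuilder reports: GOOD only if an independent build of the
    published source is byte-for-byte identical to the archive binary."""
    return "GOOD" if build(source) == archive_binary else "BAD"


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 if identical. This is the
    starting point of the inspection a BAD result calls for: a diff that is
    only a timestamp is noise, a diff that is extra code is an incident."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def scenarios() -> dict:
    """Four ways the archive binary can come to exist, and the verdict each gets."""
    honest = build(CLEAN_SRC)
    # Attacker controls the build host and appends a payload after compilation.
    tampered_at_build = build(CLEAN_SRC) + b":injected:connect-back"
    # Attacker controls the source; the build is honest (stf's scenario).
    from_backdoored_source = build(BACKDOORED_SRC)
    # No attacker; the build simply is not deterministic.
    unreproducible = build(CLEAN_SRC, deterministic=False)
    return {
        "honest": rebuild_status(CLEAN_SRC, honest),
        "build_infra_compromised": rebuild_status(CLEAN_SRC, tampered_at_build),
        "source_backdoored": rebuild_status(BACKDOORED_SRC, from_backdoored_source),
        "timestamp_embedded": rebuild_status(CLEAN_SRC, unreproducible),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:25s} {verdict}")
    injected = build(CLEAN_SRC) + b":injected:connect-back"
    print("first differing byte:", first_difference(build(CLEAN_SRC), injected))
```

Only the second case is a reproducibility failure that reproducible builds were designed to surface; the third passes exactly as stf says, because the check verifies "binary matches source", not "source is benign". The fourth is the kind of BAD andy is most likely looking at, and the offset from `first_difference` (or a diffoscope report in practice) is what tells the two apart.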