Commit 7ac6f64c authored by Joshua Lock, committed by Mark Lodato

Revert "Remove broken links to SRS Book PDF (#25)."

The PDF is available again.

This reverts commit 85861abf.
parent 2b328fb8
...@@ -182,11 +182,12 @@ builds, there are two related but distinct concepts: "reproducible" and ...@@ -182,11 +182,12 @@ builds, there are two related but distinct concepts: "reproducible" and
"verified reproducible." "verified reproducible."
"Reproducible" means that repeating the build with the same inputs results in "Reproducible" means that repeating the build with the same inputs results in
bit-for-bit identical output. This property provides bit-for-bit identical output. This property
[provides](https://reproducible-builds.org/docs/buy-in/)
[many](https://wiki.debian.org/ReproducibleBuilds/About) [many](https://wiki.debian.org/ReproducibleBuilds/About)
[benefits](https://reproducible-builds.org/docs/buy-in/), including easier [benefits](https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf#page=357),
debugging, more confident cherry-pick releases, better build caching and storage including easier debugging, more confident cherry-pick releases, better build
efficiency, and accurate dependency tracking. caching and storage efficiency, and accurate dependency tracking.
For these reasons, SLSA 3 [requires](#proposed-slsa-definitions) reproducible For these reasons, SLSA 3 [requires](#proposed-slsa-definitions) reproducible
builds unless there is a justification why the build cannot be made builds unless there is a justification why the build cannot be made
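Review bot: The restored `[benefits]` link points at `static.googleusercontent.com/media/sre.google/en//static/pdf/...#page=357`, while the next hunk links the same PDF via `sre.google/static/pdf/...`; pick one canonical host for every PDF link in this file (the `sre.google` form, already used in the other hunks) so a future move or outage of the PDF is a single-place fix, and check the `en//static` double slash, which looks like a copy artifact. Since this revert reinstates links that were removed once because the PDF went away, it is also worth confirming that the `#page=357` fragment is stable for the published PDF; if pagination changes, the link silently lands on the wrong section rather than failing.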
...@@ -224,8 +225,8 @@ chain integrity, nor are they practical in all cases: ...@@ -224,8 +225,8 @@ chain integrity, nor are they practical in all cases:
Therefore, SLSA does not require verified reproducible builds directly. Instead, Therefore, SLSA does not require verified reproducible builds directly. Instead,
verified reproducible builds are one option for implementing the requirements. verified reproducible builds are one option for implementing the requirements.
For more on reproducibility, see "Hermetic, Reproducible, or Verifiable?" in For more on reproducibility, see
Chapter 14 of the [Secure and Reliable Systems Book][SRS Book]. [Hermetic, Reproducible, or Verifiable?](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=357)
## Terminology ## Terminology
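Review bot: The rewritten sentence drops the "Chapter 14 of the Secure and Reliable Systems Book" attribution and keeps only the section title as link text, so a reader who cannot follow the link (or who hits the broken-PDF situation that motivated #25 in the first place) no longer knows which book or chapter is meant. Suggest keeping the attribution in prose, e.g. `see "Hermetic, Reproducible, or Verifiable?" in Chapter 14 of [Building Secure and Reliable Systems](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=357)`.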
...@@ -645,7 +646,7 @@ For a broader view of the software supply chain problem: ...@@ -645,7 +646,7 @@ For a broader view of the software supply chain problem:
Prior iterations of the ideas presented here: Prior iterations of the ideas presented here:
* [Building Secure and Reliable Systems, Chapter 14: Deploying Code][SRS Book] * [Building Secure and Reliable Systems, Chapter 14: Deploying Code](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=339)
* [Binary Authorization for Borg] - This is how Google implements the SLSA * [Binary Authorization for Borg] - This is how Google implements the SLSA
idea internally. idea internally.
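Review bot: Replacing the `[SRS Book]` reference with a third inline copy of the PDF URL means the same long URL now lives in three places in this file, which is exactly what made the earlier link breakage a multi-site edit; consider reference-style definitions for the two page anchors (e.g. `[SRS Ch14]` and `[SRS Hermetic]`, each with its own `#page=` fragment) so a host change is one line per anchor. For a "prior iterations" bibliography entry, the book landing page `https://sre.google/books/building-secure-reliable-systems/` that this hunk drops is arguably the more durable citation than a deep page anchor into the PDF, so keeping it alongside the PDF link would be reasonable.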
...@@ -672,7 +673,6 @@ Other takes on provenance and CI/CD: ...@@ -672,7 +673,6 @@ Other takes on provenance and CI/CD:
<!-- Links --> <!-- Links -->
[Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg [Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg
[SRS Book]: https://sre.google/books/building-secure-reliable-systems/
[Threats, Risks, and Mitigations in the Open Source Ecosystem]: https://github.com/Open-Source-Security-Coalition/Open-Source-Security-Coalition/blob/master/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf [Threats, Risks, and Mitigations in the Open Source Ecosystem]: https://github.com/Open-Source-Security-Coalition/Open-Source-Security-Coalition/blob/master/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf
[curl-dev]: https://pkgs.alpinelinux.org/package/edge/main/x86/curl-dev [curl-dev]: https://pkgs.alpinelinux.org/package/edge/main/x86/curl-dev
[curlimages/curl]: https://hub.docker.com/r/curlimages/curl [curlimages/curl]: https://hub.docker.com/r/curlimages/curl
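Review bot: Removing the `[SRS Book]` reference definition is only safe if no other `[...][SRS Book]` uses remain in the file; this diff shows the two uses being replaced (around lines 182 and 645), but nothing here proves there are no others, and a dangling reference renders as literal bracket text in Markdown with no error. Suggest grepping for `[SRS Book]` before merging, or simply keeping the definition, since the landing-page URL it points to is not the one that broke.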