Unverified Commit c081e358 authored by Mark Lodato's avatar Mark Lodato Committed by GitHub

Merge pull request #26 from MarkLodato/srs-book

Remove broken links to SRS Book PDF (#25).
parents 6dca080c 85861abf
...@@ -184,12 +184,11 @@ builds, there are two related but distinct concepts: "reproducible" and ...@@ -184,12 +184,11 @@ builds, there are two related but distinct concepts: "reproducible" and
"verified reproducible." "verified reproducible."
"Reproducible" means that repeating the build with the same inputs results in "Reproducible" means that repeating the build with the same inputs results in
bit-for-bit identical output. This property bit-for-bit identical output. This property provides
[provides](https://reproducible-builds.org/docs/buy-in/)
[many](https://wiki.debian.org/ReproducibleBuilds/About) [many](https://wiki.debian.org/ReproducibleBuilds/About)
[benefits](https://static.googleusercontent.com/media/sre.google/en//static/pdf/building_secure_and_reliable_systems.pdf#page=357), [benefits](https://reproducible-builds.org/docs/buy-in/), including easier
including easier debugging, more confident cherry-pick releases, better build debugging, more confident cherry-pick releases, better build caching and storage
caching and storage efficiency, and accurate dependency tracking. efficiency, and accurate dependency tracking.
For these reasons, SLSA 3 [requires](#proposed-slsa-definitions) reproducible For these reasons, SLSA 3 [requires](#proposed-slsa-definitions) reproducible
builds unless there is a justification why the build cannot be made builds unless there is a justification why the build cannot be made
...@@ -227,8 +226,8 @@ chain integrity, nor are they practical in all cases: ...@@ -227,8 +226,8 @@ chain integrity, nor are they practical in all cases:
Therefore, SLSA does not require verified reproducible builds directly. Instead, Therefore, SLSA does not require verified reproducible builds directly. Instead,
verified reproducible builds are one option for implementing the requirements. verified reproducible builds are one option for implementing the requirements.
For more on reproducibility, see For more on reproducibility, see "Hermetic, Reproducible, or Verifiable?" in
[Hermetic, Reproducible, or Verifiable?](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=357) Chapter 14 of the [Secure and Reliable Systems Book][SRS Book].
## Terminology ## Terminology
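Review bot: the link text introduced in this hunk, "Secure and Reliable Systems Book", drops the leading "Building" from the book's title, while the later hunk in the same change keeps the full title "Building Secure and Reliable Systems, Chapter 14: Deploying Code". Suggest using the full title here too, e.g. `Chapter 14 of [Building Secure and Reliable Systems][SRS Book]`, so both references to the same `[SRS Book]` definition name the book consistently.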
...@@ -636,7 +635,7 @@ For a broader view of the software supply chain problem: ...@@ -636,7 +635,7 @@ For a broader view of the software supply chain problem:
Prior iterations of the ideas presented here: Prior iterations of the ideas presented here:
* [Building Secure and Reliable Systems, Chapter 14: Deploying Code](https://sre.google/static/pdf/building_secure_and_reliable_systems.pdf#page=339) * [Building Secure and Reliable Systems, Chapter 14: Deploying Code][SRS Book]
* [Binary Authorization for Borg] - This is how Google implements the SLSA * [Binary Authorization for Borg] - This is how Google implements the SLSA
idea internally. idea internally.
...@@ -663,6 +662,7 @@ Other takes on provenance and CI/CD: ...@@ -663,6 +662,7 @@ Other takes on provenance and CI/CD:
<!-- Links --> <!-- Links -->
[Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg [Binary Authorization for Borg]: https://cloud.google.com/security/binary-authorization-for-borg
[SRS Book]: https://sre.google/books/building-secure-reliable-systems/
[Threats, Risks, and Mitigations in the Open Source Ecosystem]: https://github.com/Open-Source-Security-Coalition/Open-Source-Security-Coalition/blob/master/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf [Threats, Risks, and Mitigations in the Open Source Ecosystem]: https://github.com/Open-Source-Security-Coalition/Open-Source-Security-Coalition/blob/master/publications/threats-risks-mitigations/v1.1/Threats%2C%20Risks%2C%20and%20Mitigations%20in%20the%20Open%20Source%20Ecosystem%20-%20v1.1.pdf
[curl-dev]: https://pkgs.alpinelinux.org/package/edge/main/x86/curl-dev [curl-dev]: https://pkgs.alpinelinux.org/package/edge/main/x86/curl-dev
[curlimages/curl]: https://hub.docker.com/r/curlimages/curl [curlimages/curl]: https://hub.docker.com/r/curlimages/curl
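Review bot: the new `[SRS Book]` definition points at the book's landing page rather than at a chapter, so the two `#page=` deep links removed earlier in this change (page 339 for the chapter, page 357 for the "Hermetic, Reproducible, or Verifiable?" section) are replaced by a target where the reader has to locate Chapter 14 themselves. The surrounding prose names the chapter and section, which mitigates this; if the online book exposes a stable per-chapter URL, consider using it here instead of the landing page, otherwise this is fine as a fix for #25.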