Reproducible Builds: Increasing the Integrity of Software Supply Chains
Since reproducible builds come up often on this list, particularly in connection with attacks on the "software supply chain", I would like to point out this forthcoming article in IEEE Software, of which I am a co-author, hoping it will be of interest. It is essentially an expository article on "reproducible builds" and on how they help increase trust in the software supply chain, particularly for free software. It also presents the experience of the Reproducible Builds project https://reproducible-builds.org/ in making a very large part of the Debian distribution reproducible. The article is aimed at software professionals of all kinds, but is accessible to anyone interested in software in the broad sense.

Here are the bibliographic details and a link to an open-access preprint:

Chris Lamb, Stefano Zacchiroli
Reproducible Builds: Increasing the Integrity of Software Supply Chains
To appear in IEEE Software. IEEE, 2021
https://arxiv.org/abs/2104.06020

Abstract: Although it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner --- that is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA).

Cheers,
-- 
Stefano Zacchiroli . zack@upsilon.cc . upsilon.cc/zack
Computer Science Professor . CTO Software Heritage
Former Debian Project Leader & OSI Board Director
« the first rule of tautology club is the first rule of tautology club »
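As an added illustration of the bit-for-bit comparison the abstract describes (example code written for this page, not the paper's or the Reproducible Builds project's own tooling): a toy "build" that embeds the wall-clock time and the build directory into its output is placed next to a variant that takes its timestamp from SOURCE_DATE_EPOCH and normalises the build path, and a checker builds each twice in fresh directories and compares SHA-256 hashes of the artifacts. The build functions, the sample source file and the SOURCE_DATE_EPOCH value are constructed for the example; only date, mktemp, sleep and sha256sum (or shasum) are assumed to be installed.

```shell
#!/bin/sh
# Added example for this post, not code from the paper or from the
# Reproducible Builds project. A toy "build" is run twice in fresh
# directories and the artifacts are compared byte for byte via SHA-256.
# Assumes only date, mktemp, sleep and sha256sum (or shasum) are available.
set -eu

# SHA-256 of a file as a hex string.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Toy "compiler", non-reproducible form: the artifact embeds the wall-clock
# time and the absolute build directory, so two builds of identical source
# differ even though nothing about the source changed.
build_unreproducible() {
    src=$1; out=$2
    {
        echo "built-at: $(date +%s)"
        echo "build-dir: $(pwd)"
        cat "$src"
    } > "$out"
}

# Same toy compiler, reproducible form: the timestamp comes from
# SOURCE_DATE_EPOCH (the environment variable the Reproducible Builds
# project specifies for this purpose) and the build path is replaced by a
# fixed canonical one, so the output depends only on the source.
build_reproducible() {
    src=$1; out=$2
    {
        echo "built-at: ${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set}"
        echo "build-dir: /build"
        cat "$src"
    } > "$out"
}

# Build $2 (absolute path) twice with build function $1, each time in a
# fresh temporary directory and with the clock advanced, then compare the
# two artifacts. Returns 0 if they are bit-for-bit identical, 1 if they
# differ, 2 if a build failed. Prints a one-line verdict.
check_reproducible() {
    builder=$1; src=$2
    d1=$(mktemp -d); d2=$(mktemp -d)
    if ! ( cd "$d1" && "$builder" "$src" out.bin ); then
        rm -rf "$d1" "$d2"; echo "first build failed"; return 2
    fi
    sleep 1   # make sure the wall clock differs between the two builds
    if ! ( cd "$d2" && "$builder" "$src" out.bin ); then
        rm -rf "$d1" "$d2"; echo "second build failed"; return 2
    fi
    h1=$(sha256_of "$d1/out.bin"); h2=$(sha256_of "$d2/out.bin")
    rm -rf "$d1" "$d2"
    if [ "$h1" = "$h2" ]; then
        echo "reproducible: $h1"; return 0
    fi
    echo "NOT reproducible: $h1 != $h2"; return 1
}

# Constructed sample "source": its content is irrelevant to the point.
SRC=$(mktemp)
printf 'int main(void) { return 0; }\n' > "$SRC"

# Arbitrary fixed value chosen for the example (2021-04-13 00:00:00 UTC);
# a real build would derive it from the last commit or changelog date.
export SOURCE_DATE_EPOCH=1618272000

check_reproducible build_unreproducible "$SRC" || true   # expected to differ
check_reproducible build_reproducible "$SRC"             # expected to match
rm -f "$SRC"
```

The two variants differ only in where the timestamp and the path come from, which is exactly the kind of build-environment input the abstract's "bit-for-bit identical" requirement rules out. Real toolchains apply the same idea through SOURCE_DATE_EPOCH support in the compiler and packaging tools and through path-prefix mapping (GCC's -ffile-prefix-map, for instance); a second, independent builder reproducing the same hash is what lets a published binary be checked against its source.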