Post AtjwPSW3oXKmrUnGGe by tasket@infosec.exchange
Post #AtjRPV637g9AHnAPWy by debian@framapiaf.org
2025-05-03T23:17:15Z
0 likes, 0 repeats
Progress on securing our distribution against supply chain attacks: The Debian testing/trixie release on amd64 is now reproducible for over 95%, and counting. You can use the new debian-repro-status package to query the reproducibility status of your installed Debian packages. See https://reproduce.debian.net/ #debian #reproducible-builds
Post #AtjwPSW3oXKmrUnGGe by tasket@infosec.exchange
2025-05-04T05:04:35Z
0 likes, 0 repeats
@debian Wow. I hope someday bluetooth will become functional again.
Post #Atk0SlZfoPBKehJeaG by ams@mastodon.social
2025-05-04T05:49:59Z
0 likes, 0 repeats
@debian Slightly worried by sudo being listed bad on my trixie system:
[-] sudo amd64 1.9.16p2-1 BAD
apt reinstall doesn't fix it either. Is there a correct response to BAD results?
Post #Atk5nDqOumAntYiJ6W by elaan@infosec.exchange
2025-05-04T06:49:44Z
0 likes, 0 repeats
@debian Also not in stable yet. I'll wait, looks promising.
Post #AtkUKqvJ2QrtYLZq40 by stf@chaos.social
2025-05-04T11:24:41Z
0 likes, 0 repeats
@debian How exactly is reproducibility protecting against "supply chain attacks"? If I, as a maintainer or dev, backdoor a dependency of some upstream package and then a new backdoored source code version is released, in this case reproducible builds will only make sure that my backdoor is reproducibly built, but it will not mitigate my backdoor. I think my scenario is *the* definition of a supply chain attack. No? Would your reproducible build have caught Jia Tan? What am I missing?