id: blog-dshr-org-7824
author:
title: DSHR's Blog: Securing The Software Supply Chain
date:
pages:
extension: .html
mime: text/html
words: 7910
sentences: 698
flesch: 70
summary: In an important paper entitled Software Distribution Transparency and Auditability, Benjamin Hof and Georg Carle from TU Munich use Debian's Advanced Package Tool (APT) as an example of a state-of-the-art software supply chain, and: The publisher verifies the signature and builds the source to form the compiled package, whose hash is then included in the release file. This release file, meta data, and source packages are submitted to a log server operating an append-only Merkle tree, as shown in Figure 2. A software supply chain based on APT enhanced with Hof and Carle's transparency layer, distributing packages reproducibly built with bootstrapped compilers, would be much more difficult to attack than current technology. Dan Goodin's The year-long rash of supply chain attacks against open source is getting worse is a useful overview of the recent incidents pointing to the need for verifiable logs and reproducible builds.
cache: ./cache/blog-dshr-org-7824.html
txt: ./txt/blog-dshr-org-7824.txt