GripNews<p>🌘 關於二進位發布重建 – Simon Josefsson 的部落格<br>➤ 探討軟體重現性的極限與未來方向<br>✤ <a href="https://blog.josefsson.org/2025/03/31/on-binary-distribution-rebuilds/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.josefsson.org/2025/03/31/</span><span class="invisible">on-binary-distribution-rebuilds/</span></a><br>Simon Josefsson 分享了他重建 Debian 和 Ubuntu 封包 (前 50 名熱門封包) 的實驗,並與 Reproduce.Debian.net 專案進行比較。Reproduce.Debian.net 旨在完全重現官方發布的封包,但使用與原始建立時相同的建構輸入。Josefsson 認為,為了確保真正的可信賴,不僅需要可重現的重建,更需要「冪等重建」(Idempotent Rebuild),即從最初的源碼完全重建整個發布版本,而不依賴任何初始的二進位 Blob。他提出了一個迭代的重建過程,目標是達到一個穩定的狀態,即後續重建不再產生任何差異。此過程可能面臨的挑戰包括嵌入式時間戳和非確定性輸出,甚至可能發現 Debian 主系統已經無法完全重建。他還建議使用 Guix<br><a href="https://mastodon.social/tags/%E9%96%8B%E6%BA%90" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>開源</span></a> <a href="https://mastodon.social/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Debian</span></a> <a href="https://mastodon.social/tags/%E5%8F%AF%E9%87%8D%E7%8F%BE%E6%80%A7" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>可重現性</span></a> <a href="https://mastodon.social/tags/%E8%BB%9F%E9%AB%94%E4%BE%9B%E6%87%89%E9%8F%88" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>軟體供應鏈</span></a></p>
ohai.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A cozy, fast and secure Mastodon server where everyone is welcome. Run by the folks at ohai.is.
Administered by:
Server stats:
1.8Kactive users
ohai.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.0-nightly.2025-04-01
#軟體供應鏈
1 post · 1 participant · 0 posts today
GripNews<p>🌘 單一漏洞如何摧毀JavaScript生態系統 - Lupin&Holmes<br>➤ JavaScript生態系統面臨的單一漏洞風險<br>✤ <a href="https://www.landh.tech/blog/20240603-npm-cache-poisoning/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">landh.tech/blog/20240603-npm-c</span><span class="invisible">ache-poisoning/</span></a><br>本文揭露了對JavaScript生態系統的重大威脅,一個Cache Poisoning Attack對npm庫的潛在影響。此漏洞可能導致廣泛的軟體開發中斷和供應鏈的崩潰。<br>+ 這篇文章很重要,提醒我們軟體供應鏈的安全性和可靠性問題,這對全球的軟體開發和應用有著深遠的影響。<br>+ 這篇文章真實描繪了軟體供應鏈可能面臨的威脅,讓人感到擔憂和警覺。<br><a href="https://mastodon.social/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://mastodon.social/tags/%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>安全漏洞</span></a> <a href="https://mastodon.social/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://mastodon.social/tags/%E8%BB%9F%E9%AB%94%E4%BE%9B%E6%87%89%E9%8F%88" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>軟體供應鏈</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload