guix-commits

22/66: icse-2022: Cite SolarWinds and Executive Order.


From: Ludovic Courtès
Subject: 22/66: icse-2022: Cite SolarWinds and Executive Order.
Date: Wed, 29 Jun 2022 11:31:59 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 3e6b9041e9fdf53cc9e728aad59841b0d2857c6d
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Aug 30 17:23:08 2021 +0200

    icse-2022: Cite SolarWinds and Executive Order.
---
 doc/icse-2022/security.sbib    | 20 ++++++++++++++++++++
 doc/icse-2022/supply-chain.skb | 12 ++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/doc/icse-2022/security.sbib b/doc/icse-2022/security.sbib
index 88e87f1..d7583f7 100644
--- a/doc/icse-2022/security.sbib
+++ b/doc/icse-2022/security.sbib
@@ -210,6 +210,26 @@ Thayer")
   (year "2021")
   (url "https://github.com/cryptidtech/git-cryptography-protocol";))
 
+(article peisert2021:solarwinds
+  (author "S. Peisert, B. Schneier, H. Okhravi, F. Massacci, T. Benzel, C. 
Landwehr, M. Mannan, J. Mirkovic, A. Prakash, J. Michael")
+  (journal "IEEE Security & Privacy")
+  (title "Perspectives on the SolarWinds Incident")
+  (year "2021")
+  (volume "19")
+  (number "02")
+  (issn "1558-4046")
+  (pages "7-13")
+  (doi "10.1109/MSEC.2021.3051235")
+  (publisher "IEEE Computer Society")
+  (address "Los Alamitos, CA, USA")
+  (month "March"))
+  
+(misc biden2021:executive-order
+  (author "Joseph Biden")
+  (year "2021")
+  (month "May")
+  (title "Executive Order on Improving the Nation’s Cybersecurity")
+  (url 
"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/";))
 
 #|
 (defun skr-from-bibtex ()
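Review bot: the separator line after the `(month "March"))` entry is not empty but carries trailing whitespace (`+  `); drop it so the entry separators match the blank lines elsewhere in the file. Two further points on the same hunk: the `";` that follows the URL closing quote on the new `biden2021:executive-order` entry also appears on the unchanged `git-cryptography-protocol` line above, so it is most likely the archive's rendering rather than file content, but it is worth confirming the file reads `(url "...")` with no stray `;`, since in Skribe/Scheme a `;` would comment out the closing parentheses and break the form. And the author fields are inconsistent in style: the SolarWinds entry uses initials while the Executive Order entry uses a full personal name (`Joseph Biden`); for a government document the issuing body is the more usual author, so consider citing it as such.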
diff --git a/doc/icse-2022/supply-chain.skb b/doc/icse-2022/supply-chain.skb
index 639a008..af6888a 100644
--- a/doc/icse-2022/supply-chain.skb
+++ b/doc/icse-2022/supply-chain.skb
@@ -223,7 +223,15 @@ binaries users run, many things can go wrong: binaries can 
be
 compromised on their way to the user's machine, on the provider's
 servers, or possibly indirectly ,(it [via]) toolchain compromission
 ,(ref :bib "thompson1984:trusting-trust").  Every software installation
-and every upgrade can put users at risk.])
+and every upgrade can put users at risk.  Recent high-profile cases have
+reminded us that software supply chain attacks are a very real threat
+,(ref :bib '(lamb2021:reproducible peisert2021:solarwinds)).  This led,
+for example, the US Government to call for work in this area in its
+Executive Order on cybersecurity, explicitly mentioning actions such as
+“using administratively separate build environments” and “employing
+automated tools (…) to maintain trusted source code supply chains” ,(ref
+:bib 'biden2021:executive-order).  That there is room for improvement in
+current practices and tools is unquestioned.])
       
       (p [GNU Guix is a set of software deployment tools and a
 standalone GNU/Linux distribution; it includes a package manager similar
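Review bot: the three `ref` forms in this paragraph pass the bibliography key in three different shapes, a string (`"thompson1984:trusting-trust"`), a quoted list (`'(lamb2021:reproducible peisert2021:solarwinds)`) and a quoted symbol (`'biden2021:executive-order`); pick one form for the whole paragraph so the lookup is uniform. The closing sentence, "That there is room for improvement in current practices and tools is unquestioned", is a strong assertion with no citation behind it; either attach the sources that establish it or soften it to something like "is widely acknowledged". Lastly, the omission inside the quoted Executive Order text is marked with a bare `(…)`; the conventional editorial marker is bracketed, `[…]`, which makes clear that the elision is the authors' and not part of the quoted text.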
@@ -275,7 +283,7 @@ different hash.  Thus, each store file name uniquely 
identifies build
 results.  This model is the foundation of ,(emph [end-to-end provenance
 tracking]): Guix records and uniquely identifies the inputs leading to
 build results available in ,(tt [/gnu/store]).])
-      (p [Providing more than 17,000 software packages today, Guix is
+      (p [Providing more than 18,000 software packages today, Guix is
 used as a general purpose day-to-day GNU/Linux distribution that
 provides the additional safety net of ,(emph [transactional upgrades and
 rollbacks]): because build results are kept in the store by default, any
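Review bot: the package count bumped from 17,000 to 18,000 is a moving figure that will be stale again by submission; record how and when it was obtained (for instance the Guix revision the paper's experiments use) so it can be regenerated at camera-ready time, or phrase it as "more than N packages as of <date>" so the claim stays verifiable.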


