Subject: 22/66: icse-2022: Cite SolarWinds and Executive Order.
From: Ludovic Courtès
Date: Wed, 29 Jun 2022 11:31:59 -0400 (EDT)
civodul pushed a commit to branch master
in repository maintenance.
commit 3e6b9041e9fdf53cc9e728aad59841b0d2857c6d
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Aug 30 17:23:08 2021 +0200
icse-2022: Cite SolarWinds and Executive Order.
---
doc/icse-2022/security.sbib | 20 ++++++++++++++++++++
doc/icse-2022/supply-chain.skb | 12 ++++++++++--
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/doc/icse-2022/security.sbib b/doc/icse-2022/security.sbib
index 88e87f1..d7583f7 100644
--- a/doc/icse-2022/security.sbib
+++ b/doc/icse-2022/security.sbib
@@ -210,6 +210,26 @@ Thayer")
(year "2021")
(url "https://github.com/cryptidtech/git-cryptography-protocol"))
+(article peisert2021:solarwinds
+ (author "S. Peisert, B. Schneier, H. Okhravi, F. Massacci, T. Benzel, C.
Landwehr, M. Mannan, J. Mirkovic, A. Prakash, J. Michael")
+ (journal "IEEE Security & Privacy")
+ (title "Perspectives on the SolarWinds Incident")
+ (year "2021")
+ (volume "19")
+ (number "02")
+ (issn "1558-4046")
+ (pages "7-13")
+ (doi "10.1109/MSEC.2021.3051235")
+ (publisher "IEEE Computer Society")
+ (address "Los Alamitos, CA, USA")
+ (month "March"))
+
+(misc biden2021:executive-order
+ (author "Joseph Biden")
+ (year "2021")
+ (month "May")
+ (title "Executive Order on Improving the Nation’s Cybersecurity")
+ (url
"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/"))
#|
(defun skr-from-bibtex ()
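Review bot: the biden2021:executive-order entry is a web-only reference with no access date; since the URL is its only locator, record when it was retrieved (in whatever field the .sbib format uses for such notes) and consider adding the day, which the URL itself gives as 2021/05/12, so the order can be identified without following the link. In peisert2021:solarwinds, (number "02") keeps a leading zero that (volume "19") and (year "2021") do not; "2" would be consistent with the neighbouring numeric fields.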
diff --git a/doc/icse-2022/supply-chain.skb b/doc/icse-2022/supply-chain.skb
index 639a008..af6888a 100644
--- a/doc/icse-2022/supply-chain.skb
+++ b/doc/icse-2022/supply-chain.skb
@@ -223,7 +223,15 @@ binaries users run, many things can go wrong: binaries can
be
compromised on their way to the user's machine, on the provider's
servers, or possibly indirectly ,(it [via]) toolchain compromission
,(ref :bib "thompson1984:trusting-trust"). Every software installation
-and every upgrade can put users at risk.])
+and every upgrade can put users at risk. Recent high-profile cases have
+reminded us that software supply chain attacks are a very real threat
+,(ref :bib '(lamb2021:reproducible peisert2021:solarwinds)). This led,
+for example, the US Government to call for work in this area in its
+Executive Order on cybersecurity, explicitly mentioning actions such as
+“using administratively separate build environments” and “employing
+automated tools (…) to maintain trusted source code supply chains” ,(ref
+:bib 'biden2021:executive-order). That there is room for improvement in
+current practices and tools is unquestioned.])
(p [GNU Guix is a set of software deployment tools and a
standalone GNU/Linux distribution; it includes a package manager similar
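Review bot: in the added sentence ending ,(ref :bib '(lamb2021:reproducible peisert2021:solarwinds)), the lamb2021:reproducible key, going by its name, looks like a reproducible-builds reference rather than an account of an attack; if it is meant to support "software supply chain attacks are a very real threat", double-check that it does, otherwise it belongs with the countermeasure discussion. The closing "That there is room for improvement in current practices and tools is unquestioned" asserts consensus without a citation; either attach a reference or weaken "unquestioned" to "widely acknowledged", since a reviewer will ask who questions it. While this hunk is open, the unchanged context line "toolchain compromission" reads as a Gallicism; "toolchain compromise" is the usual English term.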
@@ -275,7 +283,7 @@ different hash. Thus, each store file name uniquely
identifies build
results. This model is the foundation of ,(emph [end-to-end provenance
tracking]): Guix records and uniquely identifies the inputs leading to
build results available in ,(tt [/gnu/store]).])
- (p [Providing more than 17,000 software packages today, Guix is
+ (p [Providing more than 18,000 software packages today, Guix is
used as a general purpose day-to-day GNU/Linux distribution that
provides the additional safety net of ,(emph [transactional upgrades and
rollbacks]): because build results are kept in the store by default, any
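Review bot: the package count bumped from 17,000 to 18,000 is a moving target with no anchor in the text and will be stale by publication; qualify it with the date or Guix revision at which it was counted (the commit's AuthorDate, Aug 30 2021, would do) so a reader can reproduce the figure rather than guess when it was true.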