Securing Build Platforms: Enhancing Trust in Software Distribution

Explore the critical importance of securing build platforms in software development during this 35-minute conference talk from the Linux Plumbers Conference. Delve into the growing concerns surrounding the software chain of trust and its impact on security, compliance, and reliability. Examine how Linux distributions mitigate trust decisions for consumers and the challenges in evaluating distribution trustworthiness. Learn about npm's adoption of SLSA and Sigstore for build provenance, and consider the complexities of applying similar techniques to distribution build platforms. Investigate the efforts of SUSE and Flatcar Linux in this area, along with their unresolved verification issues. Gain insights into potential solutions for Linux distribution build platforms, with a focus on OpenEmbedded/Yocto Project and proof-of-concept experiments in the yocto-autobuilder2 system.

Securing build platforms - Joshua Lock