Collaborative Working Sessions - Convince others
Take on the problem of spreading the word and convincing the people who need to be convinced that reproducible builds are important.
Participants (TODO: self-update full names :) ?):
- Laj /Julien
- Gabor
- Alice
- Andrey
- Sasa
- Aman
- Jarek Potiuk
- Michael Winser
Initial thoughts!
Audience - and what pain we solve for each audience without talking about reproducibility.
The roles that we can see in the ecosystem:
- App builders - who create: individual maintainers
- Distros (composers that rebuild stuff): Debian / SUSE / F-Droid
- Package repos: PyPI / npm / F-Droid (multiple roles)
- Customers & end users: corporates, SMBs, individual users
- Business owners: project managers / product managers / business types
- Scientific computation on data: the science community
- Private and government security focused organizations that are investing into security: Alpha-Omega, Sovereign Tech Agency
- Governments / regulators / standard bodies: EU Commission, US NSA
- Developers and contributors, maintainers of other projects that use them - various "technical" users of the apps - other open source projects, OS Rebuild,
- (!) malicious actors - we do not really need to include them
Roles can be mixed. Conclusion: we need to be ready for a crisis (it is inevitable) - it will happen and we should be prepared when it does.
What's next?
- How can we drive the interest?
- Did it happen with the XZ Utils case? Yes, it did (Google people came to the Reproducible Builds Summit, for example) - but it is not sticky.
- We need more of those - but in a controlled way.
- We likely need a chaos-monkey kind of approach where we induce some crises in a more controlled way.
- Is an audit maybe a solution? Security is always at the bottom of the pile - certificates?
- App builders have a lot of other problems to worry about - and we do not have good tooling for them.
Why do we suck at marketing RB?
- no turnkey tooling builders can use (*)
- not clear build attestation status and lack of visibility
- hard to understand outcomes and benefits (*)
- no clear and established definition - and no communication tailored to different users
- tampering as a worry is something that humans genuinely understand, and they may have implicit expectations about stuff "not being tampered with" (example: https://en.wikipedia.org/wiki/Chicago_Tylenol_murders, which resulted in drugs having seals that make it obvious when they have been tampered with).
- Lack of connecting risk to revenues
- Lack of terminology/language education - reproducibility is a fancy word but it does not have meaning (*)
- maturity problem - we are very early stage and we do not have yet right marketing, promotion of what we are doing (*)
Proposed strategy and tactics
- We need to work on a more "commercial" or "business" way to promote what we want to promote - not necessarily in technical and precise terms, but in a way that can be easily conveyed to a wider audience.
- The "Software Tamper Protection League" might be a better term to use, for example (*)
- We need some understandable goals and language, and we need to drive business demand with "Sign up here to be tamper-proof with your software!!!"
- We need to prioritise problems and actors - our goal is to get some people to drink our "cool aid" and drive the solution (*)
- The good solution is when things are prevented, but the problem is that this makes it difficult to "promote" it and get people to drink the "cool aid" (*)
- Reduce the toil of becoming reproducible and normalize the concept. Productisation of the solution space is needed for scaled adoption.
- Do we have some good examples from the past for developers? There are good success stories: automation tools that brought onboarding from days to minutes. Tooling to automate things at scale.
- Do we have some good examples from the past for business and commercial users?
- How can we promote the "tamper proof" approach better?
- Introduce tooling that injects "tampering checks" into the engineering pipelines - at all engineering levels and across organisational boundaries. Those should be "red-team" kinds of audits: auditing the whole supply chain, making it "loud", and showing when the "fence" works - when we get to the crisis (which will happen eventually).
- We should not let the next good crisis go to waste - use it to leverage the outputs of such work.