Reproducible verification build blog
Signed-off-by: Andrew Leonard <[email protected]>
andrew-m-leonard committed Aug 9, 2024
1 parent 16a5581 commit ac5f742
Showing 3 changed files with 8 additions and 3 deletions.
Expand Up @@ -91,7 +91,8 @@ timedatectl set-timezone UTC

. Download Adoptium DevKit Toolchain make script files
+
In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository
In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts
and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.
+
[source,]
----
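Review bot: the added sentence has a subject-verb agreement slip: "These scripts and patches enable ... and also enables GPG verified downloading" should read "and also enable", since the compound subject is plural. In the same lines, "securely download the following scripts" asserts a property without saying what makes the download secure; for a reproducibility guide it would help to state how the scripts are verified after download (the specific commit of the Eclipse Adoptium repository they are taken from, or a checksum). Two smaller points: the `[source,]` block that follows has an empty language attribute, which should name the language or drop the trailing comma, and "Centos" is conventionally spelled "CentOS".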
Expand Up @@ -91,7 +91,8 @@ timedatectl set-timezone UTC

. Download Adoptium DevKit Toolchain make script files
+
In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository
In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts
and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.
+
[source,]
----
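Review bot: this hunk repeats the wording of the previous one, so the same corrections apply here: "and also enables" should be "and also enable", "Centos" should be "CentOS", the `[source,]` attribute is empty, and the sentence would read better if it stated how the downloaded scripts are verified (a pinned commit or checksum) rather than only asserting that the download is secure. Since both files carry identical text, keeping them word-for-word in sync in this and future edits avoids the two drifting apart.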
Expand Up @@ -13,7 +13,10 @@ tags:

A third-party reproducible verification build is a re-build of an official software product release, built purely from upstream sources and
securely obtained and verified tooling, in a secure and well defined build environment. Its purpose is to help maintain trust in the supply chain
by providing a mechanism for independent verification of the software integrity of the official releases. An important aspect for performing an
by providing a mechanism for independent verification of the software integrity of the official releases. The trust of the supply chain is very
important from the perspective of ensuring no vulnerabilities or malware affect the offocial releases software.

An important aspect for performing an
independent reproducible build is the security and source of the build environment. The upstream product sources, build scripts and toolchain
must be original securely obtained sources, and any system binaries must be securely verified by signatures. Once completed, a byte-for-byte identical
comparison with the official software product release binaries will then validate to a very high degree the security of the supply chain used and that the official
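Review bot: typo in the added line: "offocial" should be "official". The new sentence is also wordy and its meaning is slightly off ("vulnerabilities or malware affect the offocial releases software"); a tighter version would be "Supply-chain trust matters because it underpins the assurance that no vulnerabilities or malware have been introduced into the official release binaries." Splitting "An important aspect for performing an independent reproducible build ..." into its own paragraph is a good change, as it separates the purpose of a verification build from the requirements on the build environment.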

0 comments on commit ac5f742

Please sign in to comment.