Diffstat (limited to 'doc.bib')
-rw-r--r--doc.bib477
1 files changed, 477 insertions, 0 deletions
diff --git a/doc.bib b/doc.bib
new file mode 100644
index 0000000..625cbe0
--- /dev/null
+++ b/doc.bib
@@ -0,0 +1,477 @@
+@article{Thompson:1984,
+ added-at = {2013-03-25T19:03:53.000+0100},
+ author = {Thompson, Ken},
+ biburl = {https://www.bibsonomy.org/bibtex/2607b76f1e1c21d4519d0ea69f772b13b/privtec},
+ interhash = {1e8757ac6ded0c6e3719314d21b8c1b7},
+ intrahash = {607b76f1e1c21d4519d0ea69f772b13b},
+ journal = {Communications of the ACM},
+ keywords = {},
+ number = 8,
+ owner = {jonny},
+ pages = {761--763},
+ publisher = {ACM},
+ timestamp = {2013-03-25T22:11:36.000+0100},
+ title = {{R}eflections on trusting trust},
+ volume = 27,
+ month = 8,
+ url = {https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf},
+ year = 1984
+}
+
+@book{raymond2001cathedral,
+ added-at = {2011-08-11T14:51:35.000+0200},
+ address = {Beijing; Cambridge; Farnham; Köln; Paris; Sebastopol; Taip},
+ author = {Raymond, Eric S.},
+ biburl = {https://www.bibsonomy.org/bibtex/2a83f1c344fc6fe12cffb18175b610342/meneteqel},
+ edition = {2., überarb. und erw. A.},
+ interhash = {3fbbba1926d6f49d1692a17aa85bb0f8},
+ intrahash = {a83f1c344fc6fe12cffb18175b610342},
+ isbn = {0-596-00108-8},
+ keywords = {freesoftware hackers linux opensource},
+ language = {eng},
+ note = {With a foreword by Bob Young},
+ pages = 241,
+ publisher = {O'Reilly Media},
+ timestamp = {2020-11-02T22:16:10.000+0100},
+ title = {The cathedral and the bazaar: musings on Linux and open source by an accidental revolutionary},
+ url = {http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/},
+ year = 2001
+}
+
+@phdthesis{phd/basesearch/Dolstra06,
+ added-at = {2021-05-19T00:00:00.000+0200},
+ author = {Dolstra, Eelco},
+ biburl = {https://www.bibsonomy.org/bibtex/227bbd38dd30dce2deb8793240f02ddba/dblp},
+ ee = {https://www.base-search.net/Record/a08129eedcb8dd41edc5134cf8566ada4a47661d260060bc635445e825564b73},
+ interhash = {abf4b3ec01f9b43bd8ba35d1a3effab8},
+ intrahash = {27bbd38dd30dce2deb8793240f02ddba},
+ keywords = {dblp},
+ school = {Utrecht University, Netherlands},
+ timestamp = {2024-04-09T09:24:36.000+0200},
+ title = {The purely functional software deployment model.},
+ url = {https://edolstra.github.io/pubs/phd-thesis.pdf},
+ year = 2006
+}
+
+@phdthesis{phd/basesearch/Wheeler09a,
+ added-at = {2022-05-04T00:00:00.000+0200},
+ author = {Wheeler, David A.},
+ biburl = {https://www.bibsonomy.org/bibtex/2dcf914503e0488baabe38d46c189fe94/dblp},
+ ee = {https://www.base-search.net/Record/909bf3e4967d6a789133becc59d4a889a71d00e8a093819e285f402cc2e7fb07},
+ interhash = {6b4107fff7c68dfd4037281175ad6002},
+ intrahash = {dcf914503e0488baabe38d46c189fe94},
+ keywords = {dblp},
+ school = {George Mason University, Fairfax, Virginia, USA},
+ timestamp = {2024-04-09T09:18:42.000+0200},
+ title = {Fully Countering Trusting Trust through Diverse Double-Compiling.},
+ url = {https://dwheeler.com/trusting-trust/},
+ year = 2009
+}
+
+@inproceedings{conf/els/Courtes13,
+ added-at = {2019-11-14T00:00:00.000+0100},
+ author = {Courtès, Ludovic},
+ biburl = {https://www.bibsonomy.org/bibtex/2d2945805d83e3e44a7e276fddd7add78/dblp},
+ booktitle = {ELS},
+ crossref = {conf/els/2013},
+ editor = {Queinnec, Christian and Serrano, Manuel},
+ ee = {https://european-lisp-symposium.org/static/proceedings/2013.pdf#page=10},
+ interhash = {75d5c43f59abf707a3d66a6338cb8deb},
+ intrahash = {d2945805d83e3e44a7e276fddd7add78},
+ keywords = {dblp},
+ pages = {4-14},
+ publisher = {ELSAA},
+ timestamp = {2019-11-15T11:51:07.000+0100},
+ title = {Functional Package Management with Guix.},
+ url = {http://dblp.uni-trier.de/db/conf/els/els2013.html#Courtes13},
+ year = 2013
+}
+
+@standard{prestonwerner2013semantic,
+ added-at = {2017-08-15T15:44:50.000+0200},
+ author = {Preston-Werner, Tom},
+ biburl = {https://www.bibsonomy.org/bibtex/23173ea6213f7e95ddda7332ab518bd7c/shelley.adams},
+ edition = {2.0.0},
+ howpublished = {web},
+ interhash = {fe69bee1a65de121542b0e624f08980c},
+ intrahash = {3173ea6213f7e95ddda7332ab518bd7c},
+ keywords = {openaccess programming software standards},
+ timestamp = {2025-01-13T10:26:54.000+0100},
+ title = {Semantic Versioning},
+ url = {http://semver.org/},
+ urldate = {2025-07-03},
+ year = 2013
+}
+
+@article{deniable-backdoors-compiler-bugs,
+ author = {Bauer, Scott and Cuoq, Pascal and Regehr, John},
+ title = {Deniable Backdoors Using Compiler Bugs},
+ journal = {International Journal of PoC ‖ GTFO},
+ volume = 8,
+ number = 3,
+ url = {https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf},
+ year = 2015
+}
+
+@online{gnu-guix-0.9.0-released,
+ author = {Courtès, Ludovic},
+ title = {GNU Guix 0.9.0 released},
+ url = {https://savannah.gnu.org/forum/forum.php?forum_id=8398},
+ urldate = {2025-07-02},
+ year = 2015
+}
+
+@online{lets-package-jquery,
+ author = {Christine Lemmer-Webber},
+ title = {Let's Package jQuery: A Javascript Packaging Dystopian Novella},
+ url = {https://dustycloud.org/blog/javascript-packaging-dystopia/},
+ urldate = {2025-07-03},
+ year = 2015
+}
+
+@online{bootstraping-rust,
+ author = {Milosavljevic, Danny},
+ title = {Bootstrapping Rust},
+ url = {https://guix.gnu.org/blog/2018/bootstrapping-rust/},
+ urldate = {2025-07-03},
+ year = 2018
+}
+
+@inproceedings{conf/uss/Torres-AriasAKC19,
+ added-at = {2021-02-01T00:00:00.000+0100},
+ author = {Torres-Arias, Santiago and Afzali, Hammad and Kuppusamy, Trishank Karthik and Curtmola, Reza and Cappos, Justin},
+ biburl = {https://www.bibsonomy.org/bibtex/293dca6dec7ce8aa5dd69f72ea2d0b254/dblp},
+ booktitle = {USENIX Security Symposium},
+ crossref = {conf/uss/2019},
+ editor = {Heninger, Nadia and Traynor, Patrick},
+ ee = {https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias},
+ interhash = {3b2cc144b1c96ce429a5850aa0b01284},
+ intrahash = {93dca6dec7ce8aa5dd69f72ea2d0b254},
+ keywords = {dblp},
+ pages = {1393-1410},
+ publisher = {USENIX Association},
+ timestamp = {2024-04-09T15:39:03.000+0200},
+ title = {in-toto: Providing farm-to-table guarantees for bits and bytes.},
+ url = {https://dblp.uni-trier.de/db/conf/uss/uss2019.html#Torres-AriasAKC19},
+ year = 2019
+}
+
+@online{anvaka-rank-gist,
+ author = {Kashcha, Andrei},
+ title = {npm rank},
+ url = {https://gist.github.com/anvaka/8e8fa57c7ee1350e3491},
+ urldate = {2025-07-03},
+ year = 2019
+}
+
+@online{btao-wot-for-npm,
+ author = {Bojlén, Tao},
+ title = {A web of trust for npm},
+ url = {https://btao.org/posts/2020-10-02-npm-trust/},
+ urldate = {2025-07-03},
+ year = 2020
+}
+
+@mastersthesis{goswami-reproducibility,
+ author = {Goswami, Pronnoy},
+ school = {Virginia Polytechnic Institute and State University},
+ title = {Investigating the Reproducbility of NPM packages},
+ url = {https://vtechworks.lib.vt.edu/server/api/core/bitstreams/3ef5408d-8617-4993-ac7e-d171a13dfa22/content},
+ year = 2020
+}
+
+@article{Abdalkareem2020,
+ author = {Abdalkareem, Rabe and Oda, Vinicius and Mujahid, Suhaib and Shihab, Emad},
+ title = {On the impact of using trivial packages: an empirical case study on npm and PyPI},
+ journal = {Empirical Software Engineering},
+ month = 3,
+ day = 1,
+ volume = 25,
+ number = 2,
+ pages = {1168--1204},
+ issn = {1573-7616},
+ doi = {10.1007/s10664-019-09792-9},
+ url = {https://rabeabdalkareem.github.io/files/12-abdelkareem_emse2020.pdf},
+ urldate = {2025-07-03},
+ year = 2020,
+}
+
+@online{owasp-scvs,
+ author = {Springett, Steve and Russo, Dave and Fick Garret and Herz JC and Scott John and Symons Mark and Nallapareddy Pruthvi and Garcia Bryan},
+ organization = {The OWASP Foundation},
+ title = {Software Component Verification Standard},
+ edition = {v1.0},
+ url = {https://owasp.org/www-project-software-component-verification-standard/},
+ urldate = {2025-07-02},
+ year = 2020
+}
+
+@inproceedings{conf/uic/SterleB21,
+ added-at = {2024-10-06T00:00:00.000+0200},
+ author = {Sterle, Lindsay and Bhunia, Suman},
+ biburl = {https://www.bibsonomy.org/bibtex/2ad22a0456539c71ebde623954329d0f6/dblp},
+ booktitle = {SmartWorld/SCALCOM/UIC/ATC/IOP/SCI},
+ crossref = {conf/uic/2021},
+ ee = {https://doi.org/10.1109/SWC50871.2021.00094},
+ interhash = {75c3c3f885481483464b4898391ceb16},
+ intrahash = {ad22a0456539c71ebde623954329d0f6},
+ isbn = {978-1-6654-1236-0},
+ keywords = {dblp},
+ pages = {636-641},
+ publisher = {IEEE},
+ timestamp = {2024-10-07T09:39:08.000+0200},
+ title = {On SolarWinds Orion Platform Security Breach.},
+ url = {https://dblp.uni-trier.de/db/conf/uic/uic2021.html#SterleB21},
+ year = 2021
+}
+
+@article{DBLP:journals/corr/abs-2104-06020,
+ author = {Lamb, Chris and Zacchiroli, Stefano},
+ title = {Reproducible Builds: Increasing the Integrity of Software Supply Chains},
+ journal = {CoRR},
+ volume = {abs/2104.06020},
+ url = {https://arxiv.org/abs/2104.06020},
+ eprinttype = {arXiv},
+ eprint = {2104.06020},
+ timestamp = {Mon, 19 Apr 2021 16:45:47 +0200},
+ biburl = {https://dblp.org/rec/journals/corr/abs-2104-06020.bib},
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ year = 2021
+}
+
+@online{cncf-sscp,
+ author = {Vega, Andres and Fox, Emily and Razzak, Faisal and Kennedy, Cole and Swift, Mikhail and Meadows, Jon and Yelgundhalli, Aditya Sirish A and Kumar, Nisha and Lock, Joshua and Martin, Andrew and Anandan, Vinod and Logan, Magno},
+ organization = {Cloud Native Computing Foundation},
+ title = {Software Supply Chain Security Best Practices},
+ edition = {v1},
+ url = {https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf},
+ urldate = {2025-07-02},
+ year = 2021
+}
+
+@article{courtès2022buildingsecuresoftwaresupply,
+ author={Courtès, Ludovic},
+ title={Building a Secure Software Supply Chain with GNU Guix},
+ journal={The Art, Science, and Engineering of Programming},
+ volume=7,
+ number=1,
+ eprint={2206.14606},
+ primaryClass={cs.SE},
+ doi={https://doi.org/10.22152/programming-journal.org/2023/7/1},
+ url={https://programming-journal.org/2023/7/1/},
+ year=2022,
+}
+
+@manual{debian-new-maintainers-guide,
+ author = {Rodin, Josip and Aoki, Osamu and Small, Craig and Hertzog, Raphaël},
+ title = {Debian New Maintainers' Guide},
+ organization = {Debian project},
+ url = {https://www.debian.org/doc/manuals/maint-guide/index.en.html},
+ urldate = {2025-07-02},
+ year = 2022
+}
+
+@online{malicious-npm-techtarget-nichols,
+ author = {Nichols, Shaun},
+ title = {More than 1,000 malware packages found in NPM repository},
+ organization = {TechTarget},
+ url = {https://www.techtarget.com/searchsecurity/news/252512799/More-than-1000-malware-packages-found-in-NPM-repository},
+ urldate = {2025-07-03},
+ year = 2022
+}
+
+@online{s2c2f,
+ author = {Diglio, Adrian and White, Jay and Wang, Jasmine and Bedford, Tom and Robinson, Christopher and Wheeler, David A.},
+ organization = {Open Source Security Foundation},
+ title = {Secure Supply Chain Consumption Framework},
+ edition = {v1.1},
+ url = {https://openssf.org/projects/s2c2f/},
+ urldate = {2025-07-02},
+ year = 2022
+}
+
+@online{nsa-esf-recommended-practices-devs,
+ author = {NSA and ODNI and CISA},
+ organization = {Enduring Security Framework},
+ title = {Securing the Software Supply Chain: Recommended Practices Guide for Developers},
+ url = {https://www.cisa.gov/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF},
+ note = {Executive Order (EO) 14028},
+ urldate = {2025-07-03},
+ month = 8,
+ year = 2022
+}
+
+@online{re-bringing-npm-to-guix,
+ author = {zamfofex},
+ title = {Re: bringing npm packages to Guix},
+ note = {Message to a GNU Guix mailing list},
+ url = {https://lists.gnu.org/archive/html/guix-devel/2022-11/msg00234.html},
+ urldate = {2025-07-03},
+ year = 2022
+}
+
+@online{malicious-npm-infosec-muncaster,
+ author = {Muncaster, Phil},
+ title = {Hundreds of Malicious Packages Found in npm Registry},
+ organization = {Infosecurity Magazine},
+ url = {https://www.infosecurity-magazine.com/news/hundreds-malicious-packages-npm/},
+ urldate = {2025-07-03},
+ year = 2023
+}
+
+@article{journals/corr/abs-2404-08987,
+ added-at = {2025-05-01T00:00:00.000+0200},
+ author = {Lins, Mario and Mayrhofer, René and Roland, Michael and Hofer, Daniel and Schwaighofer, Martin},
+ biburl = {https://www.bibsonomy.org/bibtex/22b5af508a2261ef41411fa2870280e00/dblp},
+ ee = {https://doi.org/10.48550/arXiv.2404.08987},
+ interhash = {5d1409d3a6c0cfbe6c7a383623ed0197},
+ intrahash = {2b5af508a2261ef41411fa2870280e00},
+ journal = {CoRR},
+ keywords = {dblp},
+ timestamp = {2025-05-05T07:19:38.000+0200},
+ title = {On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Early learnings from XZ.},
+ url = {https://dblp.uni-trier.de/db/journals/corr/corr2404.html#abs-2404-08987},
+ volume = {abs/2404.08987},
+ year = 2024
+}
+
+@online{nsa-sbom-management,
+ author = {NSA},
+ title = {Recommendations for SBOM Management},
+ edition = {1.1},
+ url = {https://media.defense.gov/2023/Dec/14/2003359097/-1/-1/0/CSI-SCRM-SBOM-MANAGEMENT.PDF},
+ note = {Executive Order (EO) 14028},
+ urldate = {2025-07-03},
+ year = 2024
+}
+
+@article{journals/corr/abs-2405-15516,
+ added-at = {2024-06-19T00:00:00.000+0200},
+ author = {Courtès, Ludovic and Sample, Timothy and Tournier, Simon and Zacchiroli, Stefano},
+ biburl = {https://www.bibsonomy.org/bibtex/24b76ab7dfbf0411f197e011e1f716dcd/dblp},
+ ee = {https://doi.org/10.48550/arXiv.2405.15516},
+ interhash = {23db881daefde92ad117fdb28e585674},
+ intrahash = {4b76ab7dfbf0411f197e011e1f716dcd},
+ journal = {CoRR},
+ keywords = {dblp},
+ timestamp = {2024-06-24T07:14:22.000+0200},
+ title = {Source Code Archiving to the Rescue of Reproducible Deployment.},
+ url = {http://dblp.uni-trier.de/db/journals/corr/corr2405.html#abs-2405-15516},
+ volume = {abs/2405.15516},
+ year = 2024
+}
+
+@manual{debian03developers,
+ added-at = {2011-12-16T09:34:31.000+0100},
+ author = {Levsen, Holger and Yamane, Hideki and Nussbaum, Lucas and Barth, Andreas and Hertzog, Raphaël and Di Carlo, Adam and Schwarz, Christian},
+ biburl = {https://www.bibsonomy.org/bibtex/27fe170b81380f12cbb3b96c07943a112/pbrada},
+ groups = {public},
+ interhash = {3f8119716d0cfa6f67377af07df745b8},
+ intrahash = {7fe170b81380f12cbb3b96c07943a112},
+ keywords = {sweng},
+ timestamp = {2011-12-16T09:34:31.000+0100},
+ title = {Debian Developer's Reference},
+ username = {pbrada},
+ edition = {13.20},
+ organization = {Debian project},
+ url = {https://www.debian.org/doc/manuals/developers-reference/index.en.html},
+ urldate = {2025-07-03},
+ year = 2025
+}
+
+@online{malicious-npm-bleep-toulas,
+ author = {Toulas, Bill},
+ title = {Dozens of malicious packages on NPM collect host and network data},
+ organization = {BleepingComputer},
+ url = {https://www.bleepingcomputer.com/news/security/dozens-of-malicious-packages-on-npm-collect-host-and-network-data/},
+ urldate = {2025-07-03},
+ year = 2025
+}
+
+@online{malicious-npm-hacker-news-ravie,
+ author = {Lakshmanan, Ravie},
+ title = {Over 70 Malicious npm and VS Code Packages Found Stealing Data and Crypto},
+ organization = {The Hacker News},
+ url = {https://thehackernews.com/2025/05/over-70-malicious-npm-and-vs-code.html},
+ urldate = {2025-07-03},
+ year = 2025
+}
+
+@online{slsa,
+ author = {Diglio Adrian and McNamara, Andrew and Lieberman, Mike and Winser, Michael and Hennen, Tom and Domingues, Bruno and Wheeler, David A. and Lock, Joshua and Lewandowski, Kim and Lodato, Mark and Kuppusamy, Trishank Karthik},
+ title = {Supply-chain Levels for Software Artifacts},
+ edition = {v1.1},
+ organization = {Open Source Security Foundation},
+ url = {https://slsa.dev/spec/v1.1/},
+ urldate = {2025-07-02},
+ year = 2025
+}
+
+@misc{drexel2025reproduciblebuildsinsightsindependent,
+ author={Drexel, Joshua and Hänggi, Esther and Veiga, Iyán Méndez},
+ title={Reproducible Builds and Insights from an Independent Verifier for Arch Linux},
+ eprint={2505.21642},
+ archivePrefix={arXiv},
+ primaryClass={cs.CR},
+ doi={https://doi.org/10.18420/sicherheit2024_016},
+ url=https://arxiv.org/abs/2505.21642},
+ year=2025,
+}
+
+@online{malicious-npm-cybernews-naprys,
+ author = {Naprys, Ernestas},
+ title = {Dozens of malicious packages on NPM collect host and network data},
+ organization = {Cybernews},
+ url = {https://cybernews.com/security/node-developers-targeted-by-malware-in-npm-packages/},
+ urldate = {2025-07-03},
+ year = 2025
+}
+
+@misc{mitmproxy,
+ author = {Aldo Cortesi and Maximilian Hils and Thomas Kriechbaumer and contributors},
+ title = {{mitmproxy}: A free and open source interactive {HTTPS} proxy},
+ url = {https://mitmproxy.org/},
+ note = {[Version 12.0]},
+ year = {2010--present}
+}
+
+@online{reproducible-builds-continuous,
+ label = {RBCT},
+ title = {Continuous tests},
+ organization = {Reproducible Builds},
+ url = {https://reproducible-builds.org/},
+ urldate = {2025-07-17}
+}
+
+@online{archlinux-repro,
+ author = {Linderud, Morten and kpcyrd and contributors},
+ title = {{archlinux-repro}: A tool for users to verify packages distributed by Arch Linux},
+ url = {https://github.com/archlinux/archlinux-repro/},
+ urldate = {2025-07-17},
+ year = {2017--present}
+}
+
+@online{semantic-release,
+ author = {Martynus, Gregor and Vanduynslager, Pierre and Travi, Matt and Bönnemann, Stephan and Lekang, Rolf Erik and Schmidt, Johannes Jörg and Pauls, Finn and Witzko, Christoph},
+ title = {{semantic-release}: Fully automated version management and package publishing},
+ note = {[Version 24.2.6]},
+ url = {https://www.npmjs.com/package/semantic-release},
+ urldate = {2025-07-03},
+ year = {2015--present}
+}
+
+@online{source-date-epoch,
+ author = {Lamb, Chris and Suda, Akihiro and Engelen, Arnout and Wiedemann, Bernhard M. and Prévot, David and Stegerman, FC and Levsen, Holger and hulkoba and zmölnig, IOhannes m and Zerebecki, Jan and van der Waa, Jelle and Crusoe, Michael R. and Wu, Peter and Davids, Sebastian and earlier wiki contributors},
+ title = {SOURCE\_DATE\_EPOCH},
+ organization = {Reproducible Builds},
+ url = {https://reproducible-builds.org/docs/source-date-epoch/},
+ urldate = {2025-07-08}
+}
+
+@online{w3techs-javascript-library,
+ label = {W3JL},
+ title = {Usage statistics and market shares of JavaScript libraries},
+ organization = {W3Techs - World Wide Web Technology Surveys},
+ url = {https://w3techs.com/technologies/overview/javascript_library},
+ urldate = {2025-07-03}
+} \ No newline at end of file
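Review bot: The `url` field of `drexel2025reproduciblebuildsinsightsindependent` (the `@misc` entry near the end of the hunk) is missing its opening brace, `url=https://arxiv.org/abs/2505.21642},` — the stray `}` closes the entry early, so BibTeX/Biber will report a parse error there and may mis-parse the entries that follow; it should read `url = {https://arxiv.org/abs/2505.21642},`. The same entry and `courtès2022buildingsecuresoftwaresupply` store the DOI with the resolver prefix (`doi = {https://doi.org/...}`), whereas styles and the `doi` package expect the bare identifier (`10.18420/sicherheit2024_016`, `10.22152/programming-journal.org/2023/7/1`); that second key also contains a non-ASCII character, which classic BibTeX does not accept. Page ranges in `conf/els/Courtes13`, `conf/uss/Torres-AriasAKC19` and `conf/uic/SterleB21` use a single hyphen (`4-14`, `1393-1410`, `636-641`) where `--` is the convention. Several author lists mix name forms (`Fick Garret and Herz JC` in `owasp-scvs`, `Diglio Adrian` in `slsa`), which BibTeX parses as first name `Fick` / surname `Garret`; the `Last, First` form used elsewhere in the file would be consistent. `malicious-npm-bleep-toulas` and `malicious-npm-cybernews-naprys` carry an identical title for different outlets, which looks like a copy-paste slip worth confirming against the Cybernews page.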