Reproducible verification build blog

Signed-off-by: Andrew Leonard <[email protected]>

content/blog/adoptium-reproducible-verification-builds/index.md

@@ -2,7 +2,7 @@
 title: Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation
 date: "2024-08-09T12:00:00+00:00"
 author: andrewleonard
-description: Eclipse Temurin JDK 21+ builds are fully reproducible build. This blog explains how
+description: Eclipse Temurin JDK 21+ builds are fully reproducible. This blog explains how
  third-party users can perform an independent secure verification of an Eclipse Temurin build to
  validate the security of the supply chain, and why you would want to do this.
 tags:
@@ -16,7 +16,7 @@ securely obtained and verified tooling, in a secure and well defined build envir
 by providing a mechanism for independent verification of the software integrity of the official releases. An important aspect for performing an
 independent reproducible build is the security and source of the build environment. The upstream product sources, build scripts and toolchain
 must be original securely obtained sources, and any system binaries must be securely verified by signatures. Once completed, a byte-for-byte identical
-comparison with the official software product release binaries will then validate to a very high degree the secure supply chain used and that the official
+comparison with the official software product release binaries will then validate to a very high degree the security of the supply chain used and that the official
 release binary is secure and has not been tampered with.
 
 ### Eclipse Temurin JDK 21+ now "Fully Reproducible"
@@ -25,24 +25,24 @@ In my previous blog [Reproducible Builds at Eclipse Adoptium](https://adoptium.n
 how the Adoptium community has been working to achieve fully "Reproducible Builds" for the Eclipse Temurin JDK 21+ releases,
 and how that helps provide better secure supply chain validation, and improved build pipeline quality and script verification.
 Eclipse Temurin JDK 21+ releases are now fully reproducible for the platforms x64 Linux, aarch64 Linux, x64 Windows, x64 Mac and aarch64 Mac,
-and we have introduced new AQAVit reproducible comparison tests for reproducibility.
+and we have introduced new [Eclipse AQAvit](https://projects.eclipse.org/projects/adoptium.aqavit) reproducible comparison tests for reproducibility.
 
-### Using a "gcc DevKit" to build Eclipse Temurin
+### Using a "GCC DevKit" to build Eclipse Temurin
 
-Up until recently Eclipse Temurin Linux builds were compiled using a custom Adoptium build of gcc from source, which due to its unique
-source build nature, would mean in order for a third-party to identically re-build, then the very same Adoptium gcc
+Up until recently Eclipse Temurin Linux builds were compiled using a custom Adoptium build of GCC from source, which due to its unique
+source build nature, would mean in order for a third-party to identically re-build, then the very same Adoptium GCC
 [compilers](https://ci.adoptium.net/userContent/gcc/) would need to be downloaded. This then presents a potential toolchain vulnerability
-in relying on the very same gcc compiler binary. As of Eclipse Temurin JDK 21.0.3, the Adoptium build scripts and pipelines for the Linux
-gcc build platforms, have been upgraded to use an "gcc DevKit". This defines an absolute definition of a gcc toolchain,
-the gcc and dependency source versions, the sysroot used, and how it is exactly built. Eclipse Adoptium publishes the DevKits that are
-used to build with in the repository [https://github.com/adoptium/devkit-binaries/releases](https://github.com/adoptium/devkit-binaries/releases).
-Due to the way the DevKit is defined, a third-party can re-build the exact same toolchain purely from sources and securely verified sysroot RPMs.
-This independent build of the gcc toolchain allows another secure level of validation of the supply chain used to build the compiler,
+in relying on the very same GCC compiler binary. As of Eclipse Temurin JDK 21.0.3, the Adoptium build scripts and pipelines for the Linux
+GCC build platforms, have been upgraded to use an "GCC DevKit". This defines an absolute definition of a GCC toolchain,
+the GCC and dependency source versions, the sysroot used, and how it is exactly built. Eclipse Adoptium publishes the DevKits that are
+used to in the repository [https://github.com/adoptium/devkit-binaries/releases](https://github.com/adoptium/devkit-binaries/releases).
+Due to the way the DevKit is defined, a third-party can re-build the exact same toolchain purely from GPG-verified sources and GPG-verified sysroot RPMs.
+This independent build of the GCC toolchain allows another secure level of validation of the supply chain used to build the compiler,
 subsequently used to build the Eclipse Temurin binaries.
 
 ## Independently fully reproducible Eclipse Temurin
 
-Combining the use of the "gcc DevKit", the well defined Eclipse Temurin reproducible build pipeline and the generated Software Bill
+Combining the use of the "GCC DevKit", the well defined Eclipse Temurin reproducible build pipeline and the generated Software Bill
 of Materials (SBOM), allows a documented and independent method for third-parties to perform a reproducible build.
 By comparing the independently built binary with the official Eclipse Temurin release, any discrepancies or tampering can be detected,
 ensuring that the release has been securely and correctly built. These third-party reproducible builds help maintain trust in the supply chain
@@ -51,7 +51,7 @@ by providing a mechanism for independent verification of software integrity of t
 ## How to perform a third-party reproducible verification build
 
 To perform your own reproducible verification build of an Eclipse Temurin JDK 21+ official release, we have prepared a set of instructions
-for each platform that will guide you through the process of re-building the selected JDK 21+ Eclipse Temurin builds from upstream
+for each platform that will guide you through the process of rebuilding the selected JDK 21+ Eclipse Temurin builds from upstream
 OpenJDK community sources and with your own securely built toolchains and dependencies.
 
 - [JDK 21+ Linux x64](/docs/reproducible-verification-builds/reproduce-linux-x64)