From gitlab at salsa.debian.org Wed Nov 1 16:07:28 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 01 Nov 2023 16:07:28 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 3 commits: r-b summit 2023 hamburg: list the first 23 participating projects Message-ID: <654277c0308cf_5e724b9c3b83066929@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 66691658 by Holger Levsen at 2023-11-01T17:05:50+01:00 r-b summit 2023 hamburg: list the first 23 participating projects Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - c8a86c6b by Holger Levsen at 2023-11-01T17:05:50+01:00 r-b summit 2023 hamburg: add group photo Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 31b26b15 by Holger Levsen at 2023-11-01T17:07:07+01:00 fix grammar Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 3 changed files: - _events/hamburg2023/index.html - _events/venice2022/index.html - + images/groupphoto_rb2023summit.jpg Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -6,7 +6,7 @@ event_hide: false event_date: 2023-10-31 event_date_string: October 31st, November 1st-2nd 2023 event_location: Hamburg, Germany -event_summary: Three days to continue the grow of the Reproducible Builds effort. +event_summary: Three days to continue the growth of the Reproducible Builds effort. ---

{{ page.title }}

@@ -49,13 +49,14 @@ Germany
  • Work together and hack on solutions.
  • Discuss how reproducible builds will be usable and meaningful to users and developers alike.
    • +Reproducible Builds Summit 7 in Hamburg 2239 - +

    There will be a huge variety of topics to be discussed. To give a few examples:

    ===================================== _events/venice2022/index.html ===================================== @@ -6,7 +6,7 @@ event_hide: false event_date: 2022-11-01 event_date_string: November 1st-3rd 2022 event_location: Venice, Italy -event_summary: Three days to continue the grow of the Reproducible Builds effort. +event_summary: Three days to continue the growth of the Reproducible Builds effort. ---

    {{ page.title }}

    ===================================== images/groupphoto_rb2023summit.jpg ===================================== Binary files /dev/null and b/images/groupphoto_rb2023summit.jpg differ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/c3662d961af530ce6d01e8c10be44a2ef543b5b9...31b26b1506d51f983a2980dd1577843962f50608 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/c3662d961af530ce6d01e8c10be44a2ef543b5b9...31b26b1506d51f983a2980dd1577843962f50608 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 16:10:38 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 01 Nov 2023 16:10:38 +0000 Subject: [Git][reproducible-builds/reproducible-lfs][master] add reproducible builds summit 2023 group photos Message-ID: <6542787e9531d_5e724b9c3b83067822@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-lfs Commits: 31052161 by Holger Levsen at 2023-11-01T17:07:42+01:00 add reproducible builds summit 2023 group photos Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 17 changed files: - + pictures/rbs23/DSCF9728.JPG - + pictures/rbs23/DSCF9729.JPG - + pictures/rbs23/DSCF9730.JPG - + pictures/rbs23/DSCF9731.JPG - + pictures/rbs23/DSCF9732.JPG - + pictures/rbs23/DSCF9733.JPG - + pictures/rbs23/DSCF9734.JPG - + pictures/rbs23/DSCF9735.JPG - + pictures/rbs23/DSCF9736.JPG - + pictures/rbs23/DSCF9737.JPG - + pictures/rbs23/DSCF9738.JPG - + pictures/rbs23/DSCF9739.JPG - + pictures/rbs23/DSCF9740.JPG - + pictures/rbs23/DSCF9741.JPG - + pictures/rbs23/DSCF9742.JPG - + pictures/rbs23/DSCF9743.JPG - + pictures/rbs23/DSCF9744.JPG Changes: ===================================== pictures/rbs23/DSCF9728.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9728.JPG differ ===================================== pictures/rbs23/DSCF9729.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9729.JPG differ ===================================== pictures/rbs23/DSCF9730.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9730.JPG differ ===================================== pictures/rbs23/DSCF9731.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9731.JPG differ ===================================== pictures/rbs23/DSCF9732.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9732.JPG differ ===================================== pictures/rbs23/DSCF9733.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9733.JPG differ ===================================== pictures/rbs23/DSCF9734.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9734.JPG differ ===================================== pictures/rbs23/DSCF9735.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9735.JPG differ ===================================== pictures/rbs23/DSCF9736.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9736.JPG differ ===================================== pictures/rbs23/DSCF9737.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9737.JPG differ ===================================== pictures/rbs23/DSCF9738.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9738.JPG differ ===================================== pictures/rbs23/DSCF9739.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9739.JPG differ ===================================== pictures/rbs23/DSCF9740.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9740.JPG differ ===================================== pictures/rbs23/DSCF9741.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9741.JPG differ ===================================== pictures/rbs23/DSCF9742.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9742.JPG differ ===================================== pictures/rbs23/DSCF9743.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9743.JPG differ ===================================== pictures/rbs23/DSCF9744.JPG ===================================== Binary files /dev/null and b/pictures/rbs23/DSCF9744.JPG differ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/310521615551d798bbf84262a42c7a0c9654a527 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/310521615551d798bbf84262a42c7a0c9654a527 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 16:47:23 2023 From: gitlab at salsa.debian.org (Pol Dellaiera (@drupol)) Date: Wed, 01 Nov 2023 16:47:23 +0000 Subject: [Git][reproducible-builds/reproducible-website] Pushed new branch contribute/nixos/update Message-ID: <6542811b909f_5e724b9c3b830728d@godard.mail> Pol Dellaiera pushed new branch contribute/nixos/update at Reproducible Builds / reproducible-website -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/tree/contribute/nixos/update You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 17:13:32 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 01 Nov 2023 17:13:32 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] donate page: dont mention 'current' Debian release names Message-ID: <6542873c8fd7a_5e72df16288307545f@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 24bf9105 by Holger Levsen at 2023-11-01T18:13:20+01:00 donate page: dont mention 'current' Debian release names Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - donate.md Changes: ===================================== donate.md ===================================== @@ -75,11 +75,11 @@ The Reproducible Builds team has demonstrated that it is, in principle, possible to build a Linux distribution in a reproducible manner and have solved many of the issues in doing so. -However, the next release of Debian ("bullseye") is currently not yet 100% +However, the next release of Debian is currently not yet 100% reproducible and funding to support on-going maintenance of critical infrastructure will be absolutely essential to reach this goal. -This not only includes the administration of over 50 build nodes across +This not only includes the administration of around 42 build nodes across multiple architectures, it requires continuous and patient work with package maintainers and upstreams to merge reproducibility-related patches. It also includes extending the scope of [our testing @@ -93,7 +93,7 @@ their machines. Furthermore, maintaining momentum ? both in terms of public perception and in private ? around the various related projects such as *diffoscope*, etc. will -be key in ensuring a reproducible "buster" becomes a reality. +be key in ensuring a reproducible builds become a reality. ### Benefits of sponsorship View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/24bf910511b60d2d9327f021d4a9ec11f3c388f0 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/24bf910511b60d2d9327f021d4a9ec11f3c388f0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 17:18:22 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 01 Nov 2023 17:18:22 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] donate page: fix grammar Message-ID: <6542885e858e0_5e724b9c3b830761dd@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 0343dfea by Holger Levsen at 2023-11-01T18:18:14+01:00 donate page: fix grammar Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - donate.md Changes: ===================================== donate.md ===================================== @@ -93,7 +93,7 @@ their machines. Furthermore, maintaining momentum ? both in terms of public perception and in private ? around the various related projects such as *diffoscope*, etc. will -be key in ensuring a reproducible builds become a reality. +be key in ensuring reproducible builds become a reality. ### Benefits of sponsorship View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0343dfeac4b38d849a8a284aee38d4b959f824b0 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0343dfeac4b38d849a8a284aee38d4b959f824b0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 20:07:54 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 01 Nov 2023 20:07:54 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Beyond Trusting FOSS: Rearrange and remove some slides for Message-ID: <6542b01a9b675_5e72222013831094d4@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: 8a4977a0 by Vagrant Cascadian at 2023-11-01T13:04:57-07:00 2023-11-04: Beyond Trusting FOSS: Rearrange and remove some slides for shorter talk. - - - - - 1 changed file: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org ===================================== @@ -60,6 +60,7 @@ Track: Security and Privacy Difficulty: Introductory + #+END_comment * Who am I @@ -94,257 +95,6 @@ Free and Open Source Software - Share - Community -* Reproducible Builds - -** text - :PROPERTIES: - :BEAMER_col: 0.7 - :END: - -https://reproducible-builds.org/docs/definition/ - -\vspace{\baselineskip} - -A build is reproducible if given the same source code, build -environment and build instructions, any party can recreate bit-by-bit -identical copies of all specified artifacts. - -** image - :PROPERTIES: - :BEAMER_col: 0.3 - :END: - -[[./images/reproducible-builds.png]] - -* Spelling it out - -** text - :PROPERTIES: - :BEAMER_col: 0.7 - :END: - -Reproducible Builds provides... - -#+ATTR_BEAMER: :overlay <+-> -- strong confidence... -- that a binary was produced from a given source... -- ...probably! - -** image - :PROPERTIES: - :BEAMER_col: 0.3 - :END: -[[./images/reproducible-builds.png]] - - - -* Freedom to iterate - -Benefits of Reproducible Builds - -#+ATTR_BEAMER: :overlay <+-> -- ... -- Security -- Code refactoring -- Build Caching - -* For example - -Debian - -#+ATTR_BEAMER: :overlay <+-> -- The Universal Operating System -- ~34000 source packages ... and counting -- 380 million lines of code ... and counting! -- ~95% reproducible - -* diffocope - -https://diffoscope.org - -\vspace{\baselineskip} - -#+ATTR_BEAMER: :overlay <+-> -- Recursive and human-readable "diff" -- locates and diagnoses reproducibility issues -- used for analysing *why* something is reproducible! -- *not* used for determining whether something is reproducible! - -* diffoscope example - -[[./images/diffoscope.png]] - -* diffoscope, supported file types - -Android APK files, Android boot images, Ar(1) archives, Berkeley DB database files, Bzip2 archives, Character/block devices, ColorSync colour profiles (.icc), Coreboot CBFS filesystem images, Cpio archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes files, Debian source packages (.dsc), Device Tree Compiler blob files, Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext message catalogues, GHC Haskell .hi files, GIF image files, Git repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode files, MacOS binaries, Microsoft Windows icon files, Microsoft Word .docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives (.ipk), PDF documents, PGP signed/encrypted messages, PNG images, PostScript documents, RPM archives, Rust object files (.deflate), SQLite databases, SquashFS filesystems, Statically-linked binaries, Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc. - -* try diffoscope - -https://diffoscope.org - -\vspace{\baselineskip} - -Available on many platforms: - -** text - :PROPERTIES: - :BEAMER_col: 0.4 - :END: - -#+ATTR_BEAMER: :overlay <+-> -- Debian -- Fedora -- OpenSUSE -- Archlinux -- GNU Guix - -** text - :PROPERTIES: - :BEAMER_col: 0.4 - :END: - -#+ATTR_BEAMER: :overlay <+-> -- NixOS -- FreeBSD -- NetBSD -- Homebrew -- PyPI - -* try diffoscope online - -And on the World Wide Web! - -https://try.diffoscope.org - -[[./images/try.diffoscope.org.png]] - -* Reprotest - -reprotest - -#+ATTR_BEAMER: :overlay <+-> -- builds something twice with many variations -- https://salsa.debian.org/reproducible/reprotest -- if unreproducible: "bisect" the variations - -* So you want to have Reproducible builds - -https://reproducible-builds.org/docs/recording/ - -Providing sufficient information for independent verification: - -#+ATTR_BEAMER: :overlay <+-> -- ... -- "toolchain" packages at specific versions -- SOURCE_DATE_EPOCH (seconds since 1970-01-01) -- Works best with Free and Open Source Software! - -* To Catch a Regression - -Automatic Testing (Continuous Integration, Quality Assurance, etc.) - -* Forget Trust, Verify - -No need to Trust, All you need is: - - #+ATTR_BEAMER: :overlay <+-> -- Free/Libre and Open Source Software -- Reproducible Builds -- Bootstrapping -- Diverse compilation -- ... and lots of compile cycles - - -* Trust - -Different levels of trust: - - #+ATTR_BEAMER: :overlay <+-> -- curl http://example.net/hackme | sudo sh -- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -- download file, verify signature ... run code -- download source, verify signature, compile from source -- emerge --emptytree @world -- rewrite everything in assembly -- build it up from transitors -- I have a beach, some wood, abundant sunshine, and a lot of time - -* Trusting Trust - -Ken Thompson - -Reflections on trusting trust, 1984 - -https://archive.org/details/reflections-on-trusting-trust - -* The Moral of Trusting Trust - -"You can't trust code that you did not totally create yourself. - -(Especially code from companies that employ people like me.) - -No amount of source-level verification or scrutiny will protect you - -from using untrusted code." - Ken Thompson - -* Did I say 1984, I meant 1974 - -Karger, 1974 - -"... insert a trap door into the... compiler... - -the trap door can maintain itself, - -even when the compiler is recompiled" - -* Decades of Trust - -Since 1974 - - #+ATTR_BEAMER: :overlay <+-> -- 1984: Reflections on trusting trust -- 1980s: some papers about compiling multiple times -- 1990s ... usenet post mumbling about multiple compilers -- 2000s: some more papers about compiling multiple times -- 2005: Countering Trusting Trust through Diverse Double-Compiling -- 2009: Fully Countering Trusting Trust through Diverse Double-Compiling -- ... and some high profile compromises! - -* XcodeGhost or should we say Strawhorse? - - XcodeGhost, 2015 - - #+ATTR_BEAMER: :overlay <+-> -- Modified version of Apple's Xcode -- Over 4000 compromised apps - -* SolarWhat? - - SolarWinds, 2020 - - #+ATTR_BEAMER: :overlay <+-> -- Compromised build server... -- ...via weak and/or leaked passphrases -- signing certificates compromised -- possibly 18000 affected installations - -* The price of Trust - -What is the Price... - -of Trusting Trust? - -* Free and Open Source Software - -Free and Open Source Software - -#+ATTR_BEAMER: :overlay <+-> -- Use -- Study -- Change -- Share -- Community - * Share what exactly Sharing FOSS... @@ -394,7 +144,6 @@ assoc_insert (hash, key, value) make make install #+END_SRC - * A resulting binary might look like #+BEGIN_SRC shell @@ -424,6 +173,8 @@ RAbN at P@L.<:B@& BL 9E4( B #+END_SRC + + * Reproducible Builds ** text @@ -446,138 +197,158 @@ identical copies of all specified artifacts. [[./images/reproducible-builds.png]] -* Spelling it out - -** text - :PROPERTIES: - :BEAMER_col: 0.7 - :END: +* Reproducible Builds At Scale -Reproducible Builds provides... +Debian #+ATTR_BEAMER: :overlay <+-> -- strong confidence... -- that a binary was produced from a given source... -- ...probably! +- The Universal Operating System +- ~34000 source packages ... and counting +- 380 million lines of code ... and counting! +- ~95% reproducible -** image - :PROPERTIES: - :BEAMER_col: 0.3 - :END: -[[./images/reproducible-builds.png]] +* So you want to have Reproducible builds -* Once upon a time +https://reproducible-builds.org/docs/recording/ -#+ATTR_BEAMER: :overlay <+-> -- Historically software was reproducible! Every bit counted. -- Things eventually got more complicated... -- Bit for bit reproducible GNU toolchain in the early 90s on 10(?) architectures. -- *And we all forgot.* -- In 2011 and 2012, Bitcoin and Torbrowser were made reproducible... +Providing sufficient information for independent verification: -* Enter Debian +#+ATTR_BEAMER: :overlay <+-> +- ... +- "toolchain" packages at specific versions +- SOURCE_DATE_EPOCH (seconds since 1970-01-01) +- Works best with Free and Open Source Software! +- Automated testing (QA, CI, etc.) -In 2013 folks explore reproducibility for all of Debian +* diffocope -* Status in Debian +https://diffoscope.org -Debian +\vspace{\baselineskip} - #+ATTR_BEAMER: :overlay <+-> -- ~34000 source packages -- ~95% reproducible -- in theory... -- many submitted patches +#+ATTR_BEAMER: :overlay <+-> +- Recursive and human-readable "diff" +- locates and diagnoses reproducibility issues +- used for analysing *why* something is reproducible! +- *not* used for determining whether something is reproducible! -* Debian: gcc and binutils +* diffoscope example -gcc and binutils +[[./images/diffoscope.png]] - #+ATTR_BEAMER: :overlay <+-> -- test suite logs -- PGO (Profile Guided Optimiziation) -- LTO (Link Time Optimization) +* diffoscope, supported file types -* Debian: linux +Android APK files, Android boot images, Ar(1) archives, Berkeley DB +database files, Bzip2 archives, Character/block devices, ColorSync +colour profiles (.icc), Coreboot CBFS filesystem images, Cpio +archives, Dalvik .dex files, Debian .buildinfo files, Debian .changes +files, Debian source packages (.dsc), Device Tree Compiler blob files, +Directories, ELF binaries, Ext2/ext3/ext4/btrfs filesystems, +FreeDesktop Fontconfig cache files, FreePascal files (.ppu), Gettext +message catalogues, GHC Haskell .hi files, GIF image files, Git +repositories, GNU R database files (.rdb), GNU R Rscript files (.rds), +Gnumeric spreadsheets, Gzipped files, ISO 9660 CD images, Java .class +files, JavaScript files, JPEG images, JSON files, LLVM IR bitcode +files, MacOS binaries, Microsoft Windows icon files, Microsoft Word +.docx files, Mono 'Portable Executable' files, Ogg Vorbis audio files, +OpenOffice .odt files, OpenSSH public keys, OpenWRT package archives +(.ipk), PDF documents, PGP signed/encrypted messages, PNG images, +PostScript documents, RPM archives, Rust object files (.deflate), +SQLite databases, SquashFS filesystems, Statically-linked binaries, +Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text +files, TrueType font files, XML binary schemas (.xsb), XML files, XZ +compressed files, etc. -linux +* try diffoscope - #+ATTR_BEAMER: :overlay <+-> -- documentation randomness -- other unidentified issues -- fixes available - https://bugs.debian.org/1033663 - https://salsa.debian.org/kernel-team/linux/-/merge_requests/741 -- well, partial fixes, anyways... +https://diffoscope.org -* Debian: libzstd +\vspace{\baselineskip} -libzstd +Available on many platforms: -- recent regression +** text + :PROPERTIES: + :BEAMER_col: 0.4 + :END: -* Status in Guix +#+ATTR_BEAMER: :overlay <+-> +- Debian +- Fedora +- OpenSUSE +- Archlinux +- GNU Guix -GNU Guix +** text + :PROPERTIES: + :BEAMER_col: 0.4 + :END: #+ATTR_BEAMER: :overlay <+-> -- ~87% reproducible -- in practice! -- 21594 Reproducible! -- 1559 Unreproducible... -- 1692 Unknown... +- NixOS +- FreeBSD +- NetBSD +- Homebrew +- PyPI -* Guix made for success +* try diffoscope online -GNU Guix +And on the World Wide Web! -#+ATTR_BEAMER: :overlay <+-> -- reproducible by design -- normalized build environment -- guix challenge -- two build farms to compare against +https://try.diffoscope.org -* Arch Linux +[[./images/try.diffoscope.org.png]] -Arch Linux +* Reprotest -https://reproducible.archlinux.org/ +reprotest #+ATTR_BEAMER: :overlay <+-> -- ~14000 packages -- ~86% reproducible -- in practice! +- builds something twice with many variations +- https://salsa.debian.org/reproducible/reprotest +- if unreproducible: "bisect" the variations -* But wait, there is more! +* What you get with Reproducible Builds -#+ATTR_BEAMER: :overlay <+-> -- NetBSD 84% -- OpenWRT 96%-100% -- Coreboot 100% -- NixOS 95%-99.7% -- Yocto 99.98% -- openEuler 96% -- openSUSE mostly reproducible (caveats apply) +** text + :PROPERTIES: + :BEAMER_col: 0.7 + :END: -* We miss you! +Reproducible Builds provides... -We once had testing for... +#+ATTR_BEAMER: :overlay <+-> +- strong confidence... +- that a binary was produced from a given source... +- ...probably! -- Alpine -- Fedora +** image + :PROPERTIES: + :BEAMER_col: 0.3 + :END: +[[./images/reproducible-builds.png]] -* I am not picky about the color of your hat +* Trust -Wishlist based on current events... +Different levels of trust: -- AlmaLinux -- Rocky Linux + #+ATTR_BEAMER: :overlay <+-> +- curl http://example.net/hackme | sudo sh +- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh +- download file, verify signature ... run code +- download source, verify signature, compile from source +- emerge --emptytree @world +- rewrite everything in assembly +- build it up from transitors +- I have a beach, some wood, abundant sunshine, and a lot of time + +* Trusting Trust -* Proof Pudding +Ken Thompson -Reproducible Builds is totally possible... +Reflections on Trusting Trust, 1984 -...But it only provides one strong link in a chain +https://archive.org/details/reflections-on-trusting-trust * Building on a solid foundation of turtles @@ -635,7 +406,8 @@ https://reproducible-builds.org/news/2019/12/21/reproducible-bootstrap-of-mes-c- GNU Guix: The Reduced Binary Seed Bootstrap https://guix.gnu.org/en/manual/devel/en/guix.html#Reduced-Binary-Seed-Bootstrap - #+ATTR_BEAMER: :overlay <+-> + +#+ATTR_BEAMER: :overlay <+-> - ... - Reduced to 145MB of bootstrap binaries (from 250MB) - Using Mes and guile... @@ -667,45 +439,29 @@ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source https://github.com/fosslinux/live-bootstrap - #+ATTR_BEAMER: :overlay <+-> +#+ATTR_BEAMER: :overlay <+-> - A live environment - From kernel and a bit of source code - To a reproducibly bootstrapped toolchain - no pregenerated "source" code shortcuts -* UEFI based bootstrap - -Work-in-progress UEFI bootstrap - -https://git.stikonas.eu/andrius/stage0-uefi - -Only stage0... - -* Bare Metal Bootstrap - -Stage0 on Bare Metal? - -https://git.savannah.nongnu.org/cgit/stage0.git/tree/ - -* architectures - -Full bootstrap only available on x86 +* Under that Turtle -...x86 toolchain can then cross-compile to x86_64 - -* architectures in progress -- arm -- riscv64 -- powerpc64le or powerpc64el - -* Freedom in your bits and bytes +#+ATTR_BEAMER: :overlay <+-> +- UEFI https://git.stikonas.eu/andrius/stage0-uefi +- Bare Metal https://git.savannah.nongnu.org/cgit/stage0.git/tree/ -Free/Libre and Open Source Software +* Forget Trust, Verify -Allows arbitrary third-party verification +No need to Trust, all we need is: + #+ATTR_BEAMER: :overlay <+-> +- Free/Libre and Open Source Software +- Reproducible Builds +- Bootstrapping +- Diverse compilation +- ... and lots of compile cycles - * Make it happen https://reproducible-builds.org/contribute/ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/8a4977a017685586c5bdbe112af6167077a32cba -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/8a4977a017685586c5bdbe112af6167077a32cba You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 20:27:43 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Wed, 01 Nov 2023 20:27:43 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-10: +2 patches +openSUSE monthly Message-ID: <6542b4bf47b9f_5e7222201383114842@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: b8adfb0d by Bernhard M. Wiedemann at 2023-11-01T21:25:38+01:00 2023-10: +2 patches +openSUSE monthly - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -51,5 +51,9 @@ draft: true * [`xemacs-packages`](https://build.opensuse.org/request/show/1119260) (drop date) * [`occt`](https://build.opensuse.org/request/show/1119524) (sort (not upstream)) * [`mame`](https://build.opensuse.org/request/show/1119553) (order) + * [`qemu`](https://build.opensuse.org/request/show/1121011) (date+workaround sphinx toolchain issue) + * [`hub/golang`](https://github.com/golang/go/issues/63851) (toolchain random build path) + +* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory at lists.opensuse.org/thread/4QTSQCYBMF6QZYWIB63T46ILLTVGVMMJ/) * FIXME https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756 + https://news.ycombinator.com/item?id=38057591 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b8adfb0da5dd81e198faf4c07ef24da6babd1a67 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b8adfb0da5dd81e198faf4c07ef24da6babd1a67 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:06:19 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 01 Nov 2023 22:06:19 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Beyond Trusting Trust: variations, SOURCE_DATE_EPOCH, Message-ID: <6542cbdbb4a70_5e724b9c3b83130866@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: a8e70040 by Vagrant Cascadian at 2023-11-01T15:03:07-07:00 2023-11-04: Beyond Trusting Trust: variations, SOURCE_DATE_EPOCH, update coypright header, consolidate and drop some slides. - - - - - 1 changed file: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org ===================================== @@ -144,6 +144,7 @@ assoc_insert (hash, key, value) make make install #+END_SRC + * A resulting binary might look like #+BEGIN_SRC shell @@ -173,8 +174,6 @@ RAbN at P@L.<:B@& BL 9E4( B #+END_SRC - - * Reproducible Builds ** text @@ -207,7 +206,27 @@ Debian - 380 million lines of code ... and counting! - ~95% reproducible -* So you want to have Reproducible builds +* Chaos and Freinds + +https://reproducible-builds.org/docs/env-variations/ + +#+ATTR_BEAMER: :overlay <+-> +- Timestamps +- User Information +- Host system information +- Randomness +- So many more! +- Especially Timestamps! + +* Deterministic time? + +SOURCE_DATE_EPOCH + +https://reproducible-builds.org/docs/source-date-epoch/ + +Supported in GCC, Clang, and more! + +* So you want Reproducible builds https://reproducible-builds.org/docs/recording/ @@ -220,6 +239,16 @@ Providing sufficient information for independent verification: - Works best with Free and Open Source Software! - Automated testing (QA, CI, etc.) +* Reprotest + +reprotest + +#+ATTR_BEAMER: :overlay <+-> +- builds something twice with many variations +- displays the differences between results +- https://salsa.debian.org/reproducible/reprotest +- if unreproducible: "bisect" the variations + * diffocope https://diffoscope.org @@ -231,6 +260,7 @@ https://diffoscope.org - locates and diagnoses reproducibility issues - used for analysing *why* something is reproducible! - *not* used for determining whether something is reproducible! +- Supported on many distributions * diffoscope example @@ -259,38 +289,6 @@ Symlinks, Tape archives (.tar), Tcpdump capture files (.pcap), Text files, TrueType font files, XML binary schemas (.xsb), XML files, XZ compressed files, etc. -* try diffoscope - -https://diffoscope.org - -\vspace{\baselineskip} - -Available on many platforms: - -** text - :PROPERTIES: - :BEAMER_col: 0.4 - :END: - -#+ATTR_BEAMER: :overlay <+-> -- Debian -- Fedora -- OpenSUSE -- Archlinux -- GNU Guix - -** text - :PROPERTIES: - :BEAMER_col: 0.4 - :END: - -#+ATTR_BEAMER: :overlay <+-> -- NixOS -- FreeBSD -- NetBSD -- Homebrew -- PyPI - * try diffoscope online And on the World Wide Web! @@ -299,15 +297,6 @@ https://try.diffoscope.org [[./images/try.diffoscope.org.png]] -* Reprotest - -reprotest - -#+ATTR_BEAMER: :overlay <+-> -- builds something twice with many variations -- https://salsa.debian.org/reproducible/reprotest -- if unreproducible: "bisect" the variations - * What you get with Reproducible Builds ** text @@ -360,16 +349,6 @@ And a C compiler to compile the other C compiler ...Ad infinitum -* Java bootstrap - -Java bootstrapping - - #+ATTR_BEAMER: :overlay <+-> -- openjdk17 needs... -- openjdk16 which needs... -- ... -- openjdk9 ... etc. - * Rust bootstrap Rust bootstrapping @@ -447,6 +426,10 @@ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source * Under that Turtle +How about... + +...Without an operating system? + #+ATTR_BEAMER: :overlay <+-> - UEFI https://git.stikonas.eu/andrius/stage0-uefi - Bare Metal https://git.savannah.nongnu.org/cgit/stage0.git/tree/ @@ -462,16 +445,14 @@ No need to Trust, all we need is: - Diverse compilation - ... and lots of compile cycles -* Make it happen +* Thanks -https://reproducible-builds.org/contribute/ +Help make it happen! -* Keeping the lights on +https://reproducible-builds.org/contribute/ https://reproducible-builds.org/donate/ -* Thanks - https://reproducible-builds.org/who/sponsors/ Open Technology Fund @@ -496,3 +477,14 @@ Protocol Labs To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/ + +snippet from bash assoc.c: + + Copyright (C) 2008,2009,2011 Free Software Foundation, Inc. + + Bash is free software: you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + http://www.gnu.org/licenses/ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/a8e70040834c3935eb941adf0ff6f036da988078 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/a8e70040834c3935eb941adf0ff6f036da988078 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:24:39 2023 From: gitlab at salsa.debian.org (Pol Dellaiera (@drupol)) Date: Wed, 01 Nov 2023 22:24:39 +0000 Subject: [Git][reproducible-builds/reproducible-website][contribute/nixos/update] nixos: update contribute page Message-ID: <6542d027abfd4_5e724b9c3b83134522@godard.mail> Pol Dellaiera pushed to branch contribute/nixos/update at Reproducible Builds / reproducible-website Commits: d98341b6 by Pol Dellaiera at 2023-11-01T23:24:27+01:00 nixos: update contribute page - - - - - 2 changed files: - _data/projects.yml - contribute/nixos.md Changes: ===================================== _data/projects.yml ===================================== @@ -164,6 +164,8 @@ tests: https://reproducible.nixos.org tests_external: true resources: + - name: Project board + url: https://github.com/orgs/NixOS/projects/30 - name: Open issues url: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22 - name: Open PRs ===================================== contribute/nixos.md ===================================== @@ -4,21 +4,21 @@ title: Contribute to NixOS permalink: /contribute/nixos/ --- -Join the [#reproducible-builds:nixos.org](https://matrix.to/#/#reproducible-builds:nixos.org) -channel on matrix. +## Community Discussion -To rebuild a package locally and check it matches the one from the binary cache -you can use `nix-build '' -A notion --check`. This does not 'actively' -vary the environment like reprotest does, but will catch basic reproducibility -problems. +For real-time conversations, join the [`#reproducible-builds:nixos.org`](https://matrix.to/#/#reproducible-builds:nixos.org) channel on Matrix. -See [reproducible.nixos.org](https://reproducible.nixos.org) for the status of our current milestone: -building the nixos-unstable minimal and Gnome ISO's reproducibly. More information on the -problems listed there can be found on -[this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). +## Project Status -Look for [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) -and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) -around reproducible builds. +- **Project Board**: To keep track of ongoing tasks and open issues concerning + reproducible builds, view our [GitHub Project Board](https://github.com/orgs/NixOS/projects/30). +- **Pull Requests & Issues**: Browse current [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) labeled with "reproducible builds." +- **Internal Resources**: Our internal website, [reproducible.nixos.org](https://reproducible.nixos.org), provides additional information and status updates. More details on specific problems can be found on [this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). -Look into [trustix](https://github.com/nix-community/trustix). +## Reporting Issues + +Use the [issue template](https://github.com/NixOS/nixpkgs/issues/new?assignees=&labels=0.kind%3A+enhancement%2C6.topic%3A+reproducible+builds&template=unreproducible_package.md&title=) on GitHub to report your issues and hopefully, your solution. + +## Additional Projects + +- [trustix](https://github.com/nix-community/trustix) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d98341b62350f9dfc71f4ec8cd0777914031fba3 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d98341b62350f9dfc71f4ec8cd0777914031fba3 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:32:37 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Wed, 01 Nov 2023 22:32:37 +0000 Subject: [Git][reproducible-builds/reproducible-website][contribute/nixos/update] 4 commits: donate page: dont mention 'current' Debian release names Message-ID: <6542d205bed1_5e72e1f37083136745@godard.mail> Arnout Engelen pushed to branch contribute/nixos/update at Reproducible Builds / reproducible-website Commits: 24bf9105 by Holger Levsen at 2023-11-01T18:13:20+01:00 donate page: dont mention 'current' Debian release names Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 0343dfea by Holger Levsen at 2023-11-01T18:18:14+01:00 donate page: fix grammar Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - b8adfb0d by Bernhard M. Wiedemann at 2023-11-01T21:25:38+01:00 2023-10: +2 patches +openSUSE monthly - - - - - d56ad801 by Pol Dellaiera at 2023-11-01T22:32:32+00:00 nixos: update contribute page - - - - - 4 changed files: - _data/projects.yml - _reports/2023-10.md - contribute/nixos.md - donate.md Changes: ===================================== _data/projects.yml ===================================== @@ -164,6 +164,8 @@ tests: https://reproducible.nixos.org tests_external: true resources: + - name: Project board + url: https://github.com/orgs/NixOS/projects/30 - name: Open issues url: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22 - name: Open PRs ===================================== _reports/2023-10.md ===================================== @@ -51,5 +51,9 @@ draft: true * [`xemacs-packages`](https://build.opensuse.org/request/show/1119260) (drop date) * [`occt`](https://build.opensuse.org/request/show/1119524) (sort (not upstream)) * [`mame`](https://build.opensuse.org/request/show/1119553) (order) + * [`qemu`](https://build.opensuse.org/request/show/1121011) (date+workaround sphinx toolchain issue) + * [`hub/golang`](https://github.com/golang/go/issues/63851) (toolchain random build path) + +* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory at lists.opensuse.org/thread/4QTSQCYBMF6QZYWIB63T46ILLTVGVMMJ/) * FIXME https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756 + https://news.ycombinator.com/item?id=38057591 ===================================== contribute/nixos.md ===================================== @@ -4,21 +4,21 @@ title: Contribute to NixOS permalink: /contribute/nixos/ --- -Join the [#reproducible-builds:nixos.org](https://matrix.to/#/#reproducible-builds:nixos.org) -channel on matrix. +## Community Discussion -To rebuild a package locally and check it matches the one from the binary cache -you can use `nix-build '' -A notion --check`. This does not 'actively' -vary the environment like reprotest does, but will catch basic reproducibility -problems. +For real-time conversations, join the [`#reproducible-builds:nixos.org`](https://matrix.to/#/#reproducible-builds:nixos.org) channel on Matrix. -See [reproducible.nixos.org](https://reproducible.nixos.org) for the status of our current milestone: -building the nixos-unstable minimal and Gnome ISO's reproducibly. More information on the -problems listed there can be found on -[this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). +## Project Status -Look for [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) -and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) -around reproducible builds. +- **Project Board**: To keep track of ongoing tasks and open issues concerning + reproducible builds, view our [GitHub Project Board](https://github.com/orgs/NixOS/projects/30). +- **Pull Requests & Issues**: Browse current [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) labeled with "reproducible builds." +- **Internal Resources**: Our internal website, [reproducible.nixos.org](https://reproducible.nixos.org), provides additional information and status updates. More details on specific problems can be found on [this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). -Look into [trustix](https://github.com/nix-community/trustix). +## Reporting Issues + +Use the [issue template](https://github.com/NixOS/nixpkgs/issues/new?assignees=&labels=0.kind%3A+enhancement%2C6.topic%3A+reproducible+builds&template=unreproducible_package.md&title=) on GitHub to report your issues and hopefully, your solution. + +## Additional Projects + +- [trustix](https://github.com/nix-community/trustix) ===================================== donate.md ===================================== @@ -75,11 +75,11 @@ The Reproducible Builds team has demonstrated that it is, in principle, possible to build a Linux distribution in a reproducible manner and have solved many of the issues in doing so. -However, the next release of Debian ("bullseye") is currently not yet 100% +However, the next release of Debian is currently not yet 100% reproducible and funding to support on-going maintenance of critical infrastructure will be absolutely essential to reach this goal. -This not only includes the administration of over 50 build nodes across +This not only includes the administration of around 42 build nodes across multiple architectures, it requires continuous and patient work with package maintainers and upstreams to merge reproducibility-related patches. It also includes extending the scope of [our testing @@ -93,7 +93,7 @@ their machines. Furthermore, maintaining momentum ? both in terms of public perception and in private ? around the various related projects such as *diffoscope*, etc. will -be key in ensuring a reproducible "buster" becomes a reality. +be key in ensuring reproducible builds become a reality. ### Benefits of sponsorship View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d98341b62350f9dfc71f4ec8cd0777914031fba3...d56ad801fa405887dfb3ad3a1d7fbaa6db0f68af -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d98341b62350f9dfc71f4ec8cd0777914031fba3...d56ad801fa405887dfb3ad3a1d7fbaa6db0f68af You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:35:01 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Wed, 01 Nov 2023 22:35:01 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] nixos: update contribute page Message-ID: <6542d295e6ef7_5e72e1f97c0313879c@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: d56ad801 by Pol Dellaiera at 2023-11-01T22:32:32+00:00 nixos: update contribute page - - - - - 2 changed files: - _data/projects.yml - contribute/nixos.md Changes: ===================================== _data/projects.yml ===================================== @@ -164,6 +164,8 @@ tests: https://reproducible.nixos.org tests_external: true resources: + - name: Project board + url: https://github.com/orgs/NixOS/projects/30 - name: Open issues url: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22 - name: Open PRs ===================================== contribute/nixos.md ===================================== @@ -4,21 +4,21 @@ title: Contribute to NixOS permalink: /contribute/nixos/ --- -Join the [#reproducible-builds:nixos.org](https://matrix.to/#/#reproducible-builds:nixos.org) -channel on matrix. +## Community Discussion -To rebuild a package locally and check it matches the one from the binary cache -you can use `nix-build '' -A notion --check`. This does not 'actively' -vary the environment like reprotest does, but will catch basic reproducibility -problems. +For real-time conversations, join the [`#reproducible-builds:nixos.org`](https://matrix.to/#/#reproducible-builds:nixos.org) channel on Matrix. -See [reproducible.nixos.org](https://reproducible.nixos.org) for the status of our current milestone: -building the nixos-unstable minimal and Gnome ISO's reproducibly. More information on the -problems listed there can be found on -[this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). +## Project Status -Look for [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) -and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) -around reproducible builds. +- **Project Board**: To keep track of ongoing tasks and open issues concerning + reproducible builds, view our [GitHub Project Board](https://github.com/orgs/NixOS/projects/30). +- **Pull Requests & Issues**: Browse current [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+reproducible+builds%22) and [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%226.topic%3A+reproducible+builds%22) labeled with "reproducible builds." +- **Internal Resources**: Our internal website, [reproducible.nixos.org](https://reproducible.nixos.org), provides additional information and status updates. More details on specific problems can be found on [this pad](https://pad.sfconservancy.org/p/nixos-reproducible-builds-progress). -Look into [trustix](https://github.com/nix-community/trustix). +## Reporting Issues + +Use the [issue template](https://github.com/NixOS/nixpkgs/issues/new?assignees=&labels=0.kind%3A+enhancement%2C6.topic%3A+reproducible+builds&template=unreproducible_package.md&title=) on GitHub to report your issues and hopefully, your solution. + +## Additional Projects + +- [trustix](https://github.com/nix-community/trustix) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d56ad801fa405887dfb3ad3a1d7fbaa6db0f68af -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d56ad801fa405887dfb3ad3a1d7fbaa6db0f68af You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:35:04 2023 From: gitlab at salsa.debian.org (Pol Dellaiera (@drupol)) Date: Wed, 01 Nov 2023 22:35:04 +0000 Subject: [Git][reproducible-builds/reproducible-website] Deleted branch contribute/nixos/update Message-ID: <6542d2983a402_5e72e1f97c03138978@godard.mail> Pol Dellaiera deleted branch contribute/nixos/update at Reproducible Builds / reproducible-website -- You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:38:51 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 01 Nov 2023 22:38:51 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: beyond trusting foss: drop extra slides, typo fixes, link Message-ID: <6542d37b8486d_5e72e207f14313946f@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: 5bf9a56c by Vagrant Cascadian at 2023-11-01T15:37:13-07:00 2023-11-04: beyond trusting foss: drop extra slides, typo fixes, link about trusting trust, bootstrapping updates. - - - - - 1 changed file: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org ===================================== @@ -95,22 +95,6 @@ Free and Open Source Software - Share - Community -* Share what exactly - -Sharing FOSS... - -#+ATTR_BEAMER: :overlay <+-> -- source -- binaries -- files packaged for distribution - -* Where do binaries come from - -#+ATTR_BEAMER: :overlay <+-> -- Source code... -- Transformed by a toolchain... -- Into machine code - * A taste of source from bash 5.0 assoc.c: @@ -220,7 +204,7 @@ https://reproducible-builds.org/docs/env-variations/ * Deterministic time? -SOURCE_DATE_EPOCH +SOURCE_DATE_EPOCH (seconds since 1970-01-01) https://reproducible-builds.org/docs/source-date-epoch/ @@ -235,7 +219,7 @@ Providing sufficient information for independent verification: #+ATTR_BEAMER: :overlay <+-> - ... - "toolchain" packages at specific versions -- SOURCE_DATE_EPOCH (seconds since 1970-01-01) +- SOURCE_DATE_EPOCH - Works best with Free and Open Source Software! - Automated testing (QA, CI, etc.) @@ -258,7 +242,7 @@ https://diffoscope.org #+ATTR_BEAMER: :overlay <+-> - Recursive and human-readable "diff" - locates and diagnoses reproducibility issues -- used for analysing *why* something is reproducible! +- used for analysing *why* something is not reproducible! - *not* used for determining whether something is reproducible! - Supported on many distributions @@ -339,6 +323,8 @@ Reflections on Trusting Trust, 1984 https://archive.org/details/reflections-on-trusting-trust +https://research.swtch.com/nih + * Building on a solid foundation of turtles https://bootstrappable.org @@ -354,8 +340,8 @@ And a C compiler to compile the other C compiler Rust bootstrapping #+ATTR_BEAMER: :overlay <+-> -- rust 1.64 needs... -- rust 1.63 which needs... +- rust 1.73 needs... +- rust 1.72 which needs... - ... - rust 1.54 can be built with mrustc - mrustc is written in C++ @@ -412,7 +398,7 @@ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source - Mes - TinyCC (patched) - old versions of GCC, binutils, glibc, gzip, tar ... -- modern GCC and everything +- modern GCC and almost everything * Make it live @@ -431,6 +417,7 @@ How about... ...Without an operating system? #+ATTR_BEAMER: :overlay <+-> +- ... - UEFI https://git.stikonas.eu/andrius/stage0-uefi - Bare Metal https://git.savannah.nongnu.org/cgit/stage0.git/tree/ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/5bf9a56c76b81f3c64966eeb515d03b2f6d77f87 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/5bf9a56c76b81f3c64966eeb515d03b2f6d77f87 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 22:57:07 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 01 Nov 2023 22:57:07 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Beyond Trusting Foss: Correct errors in the bootstrap Message-ID: <6542d7c31ad4f_5e724b9c3b831448d@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: ccfc6b3d by Vagrant Cascadian at 2023-11-01T15:52:50-07:00 2023-11-04: Beyond Trusting Foss: Correct errors in the bootstrap chain. Thanks to stikonas! - - - - - 1 changed file: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org ===================================== @@ -390,11 +390,11 @@ https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source #+ATTR_BEAMER: :overlay <+-> - hex0 (357-byte binary) - hex1 -- M0 - hex2 -- M1 -- mescc-tools +- M0 +- cc_x86 - M2-Planet +- mescc-tools - Mes - TinyCC (patched) - old versions of GCC, binutils, glibc, gzip, tar ... View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/ccfc6b3d62a6d9c895bb4d1d08a80dfe53c5d6b7 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/ccfc6b3d62a6d9c895bb4d1d08a80dfe53c5d6b7 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 1 23:13:08 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 01 Nov 2023 23:13:08 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2 commits: 2023-11-04: shorten diffoscope example. Message-ID: <6542db84dfceb_5e72e1f3708314666a@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: 9689cdc0 by Vagrant Cascadian at 2023-11-01T16:02:28-07:00 2023-11-04: shorten diffoscope example. - - - - - b0168395 by Vagrant Cascadian at 2023-11-01T16:12:23-07:00 2023-11-04: beyond trusting foss: Fix version. - - - - - 2 changed files: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/debian/changelog Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/Beyond-Trusting-FOSS.org ===================================== @@ -241,9 +241,7 @@ https://diffoscope.org #+ATTR_BEAMER: :overlay <+-> - Recursive and human-readable "diff" -- locates and diagnoses reproducibility issues -- used for analysing *why* something is not reproducible! -- *not* used for determining whether something is reproducible! +- locates and highlights reproducibility issues - Supported on many distributions * diffoscope example ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/debian/changelog ===================================== @@ -1,5 +1,5 @@ -beyond-trusting-foss (2023.11.14+seagl~1) UNRELEASED; urgency=medium +beyond-trusting-foss (2023.11.04+seagl~0) UNRELEASED; urgency=medium * Presented at SeaGL 2023. - -- Vagrant Cascadian Tue, 31 Oct 2023 13:04:22 -0700 + -- Vagrant Cascadian Wed, 01 Nov 2023 16:12:11 -0700 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/ccfc6b3d62a6d9c895bb4d1d08a80dfe53c5d6b7...b01683958d8bc827c0af31c65bb2b48fffa7a48d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/compare/ccfc6b3d62a6d9c895bb4d1d08a80dfe53c5d6b7...b01683958d8bc827c0af31c65bb2b48fffa7a48d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 10:35:48 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Thu, 02 Nov 2023 10:35:48 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] first shot at my ubuntu conference presentation Message-ID: <65437b84ba7d3_5e72e207f143187435@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-presentations Commits: 655a2233 by Mattia Rizzolo at 2023-11-02T11:35:19+01:00 first shot at my ubuntu conference presentation Signed-off-by: Mattia Rizzolo <mattia at debian.org> - - - - - 11 changed files: - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/print/paper.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/print/pdf.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/reveal.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/reveal.scss - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/README.md - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/beige.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/black.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/blood.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/league.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/moon.css - + 2023-11-04-Reproducible-Builds-for-Ubuntu/css/theme/night.css The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/655a223335b6c358e77b24f6be16cb4fc232be48 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/655a223335b6c358e77b24f6be16cb4fc232be48 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:20:18 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 13:20:18 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: Add notes about the images and filesystems session Message-ID: <6543a212d52c9_5e7222201383213437@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: 0bdabb87 by Evangelos Ribeiro Tzaras at 2023-11-02T14:17:58+01:00 hamburg2023: Add notes about the images and filesystems session The session took place on 2023-11-02 in the morning. - - - - - 1 changed file: - + _events/hamburg2023/images-filesystems.md Changes: ===================================== _events/hamburg2023/images-filesystems.md ===================================== @@ -0,0 +1,61 @@ + +# Filesystem/Container images meeting + +https://reproducible-builds.org/docs/system-images/ + +## Filesystems + +- ext4 reproducibility + mkfs.ext4 is not reproducible + (because allocation of the inodes is undefined) + make_ext4fs works, but is unmaintained +- ext4 creation time ends up in headers +- UUIDs need to be seeded +- there is patches on rb ML + setting the env up + allows making ext4 reproducible (with mkfs.ext4?) +- read-only filesystems (squashfs, erofs) +- btrfs? + +## How to reproduce a full image + +- need a snapshot service (containing package versions) +- need to record sufficient information + every single package (in the correct version) + config, version for tools used, + generate manifest or read from original images +- order of packages in dpkg database + apparently there is a flag to tell apt to (re)order +- same kernel + + +## Random problems/ideas +- Upgrading a single package on a given image + (using a ro FS) + can scramble the image quiet a bit + (probably time stamp issues?) +- initrd (timestamps or ordering issues) + dracut: more likely to work with SDE + mkinitcpio/mkinitramfs: ? +- website: mention "magic" variables +- package installation needs to be reproducible + - exim4 postinst puts hostnames into some config +- Packages.xz get cached (and rebuilt on Debian) +- /etc/apt/sources.list would be different when using a snapshot service) +- /etc/passwd /etc/shadow order +- dependency on host kernel through + /proc, /dev, FS code, (fs related) kernel config options + may need to built images in a VM with a fixed kernel ?! +- mkfs.* can introduce dependency on the host system +- pycache differences (*.pyc files) + Debian does not ship bytecode, + other distros do + and stripping them down would slow things down +- Priority: important/optional ?! + this actually comes from the source package + (so no idea how/why this could change) +- diffoscope can be told to exclude timestamps + + +## Container +container images are just tarballs (something something OSI image) +(note: we didn't talk about container images too much) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0bdabb87e541cd0373cc9dc0b8e0706a299f26d4 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0bdabb87e541cd0373cc9dc0b8e0706a299f26d4 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:24:37 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 13:24:37 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: Add notes about the website (audiences) session Message-ID: <6543a31558f3b_5e72e1f370832168f8@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: 07d3daf5 by Evangelos Ribeiro Tzaras at 2023-11-02T14:23:24+01:00 hamburg2023: Add notes about the website (audiences) session The session took place on 2023-11-01 in the afternoon. - - - - - 1 changed file: - + _events/hamburg2023/site-audiences.md Changes: ===================================== _events/hamburg2023/site-audiences.md ===================================== @@ -0,0 +1,82 @@ +# website meeting + +reproducible-builds.org + +TL;DR: + - the homepage is fine for developers + - but maybe not for other types of users/visitors (powerusers, end users, project managers, ...) + - doing user testing sounds valuable + +## Landing page + +- the easier/more accesible the concept of reproducible builds is explained, the better. + +- It was discussed whether the buttons "Home" "News" "Documentation" are nice enough: + one view expressed that it's fine (as you can directly get to the documentation) + +- Motto: could be reworded as it should probably include the words "security" ? + +- Some visuals to explain the concept + maybe some diagram showing how sources + (represented e.g. as a file icon with "src/*" or "*.c" label) + are build twice + (simply show two computers producing *some* binary output) + perhaps even some video? + +## Categories of visitors + +- developer encountering rb for the first time (e.g. because someone sent a patch) +- powerusers that hear about rb and want to learn more +- developers of upstream software looking for docs (so they can avoid common pitfalls); i.e. people who are already convinced of the value of rb +- vendors interested (and potentially fund) in rb +- project managers selling the idea of rb to directors/employees +- end users +- scientists + +### Do user testing (per category) +User testing would be preferable over guessing what types of users +might want. + +### Different landing page for different users/visitors? + +### For technical users +the site is probably mostly fine (there are some 404 links in the docs). +most often devs want to look up documentation (and a short path is preferrable) + +### Make the homepage more friendly to non-technical users +starting with a very (easy) introduction. + + +## Google search terms from actual visitors +most people are searching "reproducible builds" or SOURCE_DATE_EPOCH +=> does not tell us very much + +- reproducible builds +- rust reproducible +- SOURCE DATE EPOCH +- deterministic builds + +## "Contact us" section? +There **is** actually links in the fineprint at the bottom for the ML and +"Full contact info" (which links to rb.org/who/). +IRC/Matrix channels? Fediverse handles? + +- Where to put it? + Maybe under "Who is involved?" section of the page? +- Add "Contact us" to the sidebar? + +## New "Resources" section +containing Tools, Talks, ... + + +## Continuous tests should probably be renamed (?) + +## Feedback from "users" on the Fedora telegram channel + +Q: Hi folks, a quick ask from the reproducible builds community: if you visit https://reproducible-builds.org/, without knowing what reproducible builds are, is the website useful and clear? + +Asking in this chat for someone that cant pick together on their own what a reproducible build is is strange xD + +To me the explanation seems thorough and clear. I believe it also depends on the knowledge level of the user, if he's a dev or not and so on + +If the website is targeted to devs then it's okay View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/07d3daf54fc03d0ea76e7932353015691b9e8c9d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/07d3daf54fc03d0ea76e7932353015691b9e8c9d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:25:56 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 02 Nov 2023 13:25:56 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Add a "farewell" post. Message-ID: <6543a364d9adb_5e72e1f97c03218831@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: deaed8f4 by Chris Lamb at 2023-11-02T14:25:43+01:00 Add a "farewell" post. - - - - - 2 changed files: - + _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md - + images/news/2023-11-02-farewell-from-the-reproducible-builds-summit-2023/group_photo.jpg Changes: ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -0,0 +1,97 @@ +--- +layout: post +title: "Farewell from the Reproducible Builds Summit 2023!" +date: 2023-11-02 +categories: org +--- + +Farewell from the *Reproducible Builds* summit, which just took place from in **Hamburg, Germany**: +{: .lead} + +[![]({{ "/images/news/2023-11-02-farewell-from-the-reproducible-builds-summit-2023/group_photo.jpg" | relative_url }})]({{ "/events/hamburg2023/" | relative_url }}) + +This year, we were thrilled to host the seventh edition of this exciting event. Topics covered this year included: + +* Project updates from OpenSUSE, Fedora, Debian, ElectroBSD, Reproducible Central and NixOS +* Mapping the "big picture" +* Towards a snapshot service +* Understanding user-facing needs and personas +* Language-specific package managers +* Defining our definitions +* Creating a "Ten Commandments" of reproducibility +* Embedded systems +* Next steps in GNU Guix' reproducibility +* Signature storage and sharing +* Public verification services +* Verification use cases +* Web site audiences +* Enabling new projects to be "born reproducible" +* Collecting reproducibility success stories +* Reproducibility's relationship to SBOMs +* SBOMs for RPM-based distributions +* Filtering diffoscope output +* Reproducibility of filesystem images, filesystems and containers +* Using verification data +* A deep-dive on Fedora and Arch Linux package reproducibility +* Debian rebuild archive service discussion + +? as well as countless informal discussions and hacking sessions into the night. Projects represented at the venue included: + +
    +Debian, OpenSuSE, QubesOS, GNU Guix, Arch Linux, phosh, Mobian, PureOS, JustBuild, LibreOffice, Warpforge, OpenWrt, F-Droid, NixOS, ElectroBSD, Apache Security, Buildroot, Systemd, Apache Maven, Fedora, Privoxy, CHAINS, coreboot, GitHub, Tor Project, Ubuntu, rebuilderd, repro-env, spytrap-adb, arch-repo-status, etc. +
    + +--- + +A huge thanks to our sponsors and partners for making the event possible: + +
    +
    +
    + + Aspiration + +

    Event facilitation

    +
    +
    +
    +
    + + Mullvad + +

    Platinum sponsor

    +
    +
    +
    +
    + + openSUSE + +
    +
    +
    +
    + + Debian + +
    +
    +
    +
    + + Software Freedom Conservancy + +
    +
    +
    +
    + + allotropia software GmbH + +
    +
    +
    + +
    + +If you weren't able to make it this year, don't worry; just look out for an announcement in 2024 for the next event. ===================================== images/news/2023-11-02-farewell-from-the-reproducible-builds-summit-2023/group_photo.jpg ===================================== Binary files /dev/null and b/images/news/2023-11-02-farewell-from-the-reproducible-builds-summit-2023/group_photo.jpg differ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/deaed8f4db5c2c804c544dcb370c091844b96ead -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/deaed8f4db5c2c804c544dcb370c091844b96ead You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:29:16 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Thu, 02 Nov 2023 13:29:16 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Add Hamburg summit rb-commandments Message-ID: <6543a42cadd53_5e72e207f1432196cd@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: f27e6967 by Bernhard M. Wiedemann at 2023-11-02T14:28:42+01:00 Add Hamburg summit rb-commandments from https://pad.riseup.net/p/rbsummmit2023-d2m-10commandments-keep - - - - - 1 changed file: - + _events/hamburg2023/notes/rb-commandments.md Changes: ===================================== _events/hamburg2023/notes/rb-commandments.md ===================================== @@ -0,0 +1,58 @@ +RB Ten Commandments + +original draft: + + + Commandments by the church of reproducible builds + + +1. Thou shall not record the name of thy maker nor the place of thy making (username, hostname) +2. Thou shall not record the date nor time of thy making, unless you respect the holy SDE spec (date+time) +3. Thou shall not use memory without initialization or use memory addresses to decide outcomes (ASLR) +4. Thou shall do all your work in order - not use filesystem-readdir-order nor random order of hash elements +5. Thou shall not (gamble and) record random numbers (UUID, private/public key, hash-seed, ASLR) +6. Thou shall only do one thing at a time or ensure races do no harm (parallelism) +7. Thou shall not look at build machine processor capabilities +8. Thou shall not look at build machine benchmarks for optimizations +9. Thou shall be careful with profile-guided-optimization for it can amplify any sin (non-determinism) +10. Thou shall keep your workspace env clean of timezones, locales and umasks or ensure they do no harm +11. Thou shall not access the internet during build (servers can be down, contents can change) +12. Thou shall take note of your build inputs (versions and/or hashes) + + +##Notes + +will slightly re-order existing entries to cover most common problems first +reword 11th to "allow offline builds" + +drop|soften 12th because that is what distributions do in SBOMs "only if you distribute binaries yourself" + +#8 and #9 are different, because PGO can be done deterministically and is different from benchmarking + +not cover `BUILD_PATH_PREFIX` as builders can use a constant build path with current container tech + + + +## raw notes +* build path: new rule? more in rule 1? +* random tmpdir in binary... + * part of rule 5, or new subrule? +* consider oder by frequency? +* target audience: upstream source code owners. + * (implies: don't rant at them about things distro will do, e.g. input manifest style) +* ... how can we communicate "no internet during build (but a fetch phase is fine if it's clear/separate/?)" ... to single package upstreams? (e.g. rule 11) + * "thou shalt not adulterate other computers during the build" ?? + * weird phrasing, but complicated topic so maybe weird words give pause, and that's appropriate? +* rule 11 += "have well documented fetch directory layour expectation" + * -> someone else can reasonably provide it. +* rule 11 += "or in pennace thou must make the way clear for other saints and clearhearted neighbors to provide for thy needs in their own clean ways." +* rule 11: just "Thou shall allow offline builds" +* links to theunreproduciblepackage as additional guidance for each item +* are rule 8 & 9 duplicates? + * disputed, BUT: people talk about "PGO" often enough that we give them a lightning rod. +* rule for clean your cache? might already be obvious. +* `BUILD_PATH_PREFIX` reference in #1 (or in another rule about build paths). +* are 3 and 5 dupe? + * 5 is things you control obviously + * 3 deserves callout because it is something the OS surprises you with, so we tell you about it +* move 3 down; it's rarer View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f27e69673466b5409f95c206639a5bbf9a575ab2 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f27e69673466b5409f95c206639a5bbf9a575ab2 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:31:40 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Thu, 02 Nov 2023 13:31:40 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Drop notes folder Message-ID: <6543a4bc9e04d_5e724b9c3b832202ab@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: 8b8438d8 by Bernhard M. Wiedemann at 2023-11-02T14:31:14+01:00 Drop notes folder is not needed here - - - - - 1 changed file: - _events/hamburg2023/notes/rb-commandments.md ? _events/hamburg2023/rb-commandments.md Changes: ===================================== _events/hamburg2023/notes/rb-commandments.md ? _events/hamburg2023/rb-commandments.md ===================================== View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/8b8438d8dfd399ce02dd6af64991e596701fd489 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/8b8438d8dfd399ce02dd6af64991e596701fd489 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:40:48 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 02 Nov 2023 13:40:48 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Add mapping for Hamburg 2023 notes Message-ID: <6543a6e045679_5e72e207f1432262fa@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 42580bdf by Daan De Meyer at 2023-11-02T13:39:51+00:00 Add mapping for Hamburg 2023 notes - - - - - 1 changed file: - + _events/hamburg2023/mapping-projectsinfra.md Changes: ===================================== _events/hamburg2023/mapping-projectsinfra.md ===================================== @@ -0,0 +1,76 @@ +# RB Summit 2023 Mapping + +## Projects practicing reproducibility + +- Arch Linux +- Distrust Toolchain +- Buildroot +- Coreboot +- GNU Guix +- NixOS +- Warpforge +- ElectroBSD +- OpenWRT +- Fedora Linux +- OpenSUSE +- F-Droid +- Java jar Archives +- Debian +- TOR +- TAILS +- so toolchain +- Apache Maven +- Qubes OS +- Scala+sbt + +## What projects/platforms/libraries do we *want*/need to be reproducible? + +- Maven (artifacts without sources) +- NPM +- Rust crates +- PyPI +- Docker Directory Timestamps +- ElectroBSD, FreeBSD Ports/Packages +- Binutils +- Qt +- Python sphinx +- ar (static .a libraries) +- Gradle +- DPkg database +- PureOS/Mobian +- R-B in Ubuntu +- Compilers for embedded systems + - Aurix (Infineon) + - ARM/KEIL +- GCC (its own build and the binaries it builds) +- Python 3.9 +- Filesystems +- Clojure + - Build Tools + - Lein +- Flatpack +- Docker Images + +## Missing RB infrastructure we need to create + +- The N commandments of reproducible builds +- Alpine pkg archive +- Recording Diversity +- Debian debuginfod.debian.net should also provide sources (stripped paths seems to be part of the problem) +- Rebuild infra for custom projects +- Standard for build location like we have for SOURCE_DATE_EPOCH for time +- Debian Snapshot server +- PyPI Repository +- Firmware hashes +- Cross target reproducibility +- Guix QA testing reproducibility +- Shared tooling for reporting +- Sharing + reporting on build results +- Comparing reproducibility stats Guix packages with other projects +- Crowd sourced reproducibility status information +- Diffoscope but I can install it (fewer deps) +- Merkle tree of upstream source releases +- Reproducible vs PGO +- Build infrastructure for ElectroBSD +- Standard BUILDINFO file format +- GCC 4.7.4 bootstrapped on more arches for bootstrappable builds View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/42580bdfedc5127ed0e5aecc3231bac582602b2f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/42580bdfedc5127ed0e5aecc3231bac582602b2f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:47:32 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 13:47:32 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: hamburg2023: Add agenda (skeleton) Message-ID: <6543a874b8875_5e7222201383228092@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: d342aa01 by Evangelos Ribeiro Tzaras at 2023-11-02T14:47:12+01:00 hamburg2023: Add agenda (skeleton) Mostly copied from venice2022. Day one is mostly done, missing is currently some content from the pads. - - - - - 9b7bc874 by Evangelos Ribeiro Tzaras at 2023-11-02T14:47:12+01:00 hamburg2023: Add metadata for the images/filesystem and homepage session - - - - - 3 changed files: - + _events/hamburg2023/agenda.md - _events/hamburg2023/images-filesystems.md - _events/hamburg2023/site-audiences.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -0,0 +1,96 @@ +--- +layout: event_detail +title: Agenda +event: hamburg2023 +order: 10 +permalink: /events/hamburg2023/agenda/ +--- + +Reproducible Builds Summit 2023 + +The following was the schedule for the 2023 Reproducible Builds Summit in Hamburg, Germany. + +Day 1 - Tuesday, October 31 +---------------------------- + +* 9.30 Opening Circle +* 10.00 Project updates + * OpenSUSE + * LINK(S) + * Rebuilding binaries (for real) + * LINK(S) + * Fedora + * LINK(S) + * Debian + * LINK(S) + * ElectroBSD + * LINK(S) + * Reproducible Central + * LINK(S) + * NixOS + * [minimal installation ISO](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756) + +* 11.15 Break +* 11.00 Mapping the Big Picture +TODO links +* 13.00 Lunch +* 14.00 Collaborative Working Sessions +TODO needs the pads as .md + * Towards a snapshot service + https://pad.riseup.net/p/rbsummmit2023-d1-snapshots-keep + * Understanding user-facing needs and personas + https://pad.riseup.net/p/rbsummmit2023-d1-userfacing-keep + * Language-specific package managers + https://pad.riseup.net/p/rbsummmit2023-d1-languagepackages-keep + * Defining our definitions + https://pad.riseup.net/p/rbsummmit2023-d1-deftinitions-keep +* 15.15 Break +* 15.30 Collaborative Working Sessions/Hack Time +* 16.30 Closing Circle +* 17.00 Adjourn + +Day 2 - Wednesday, November 1st TODO +------------------------------- + +* 9.00 Opening Circle + * The day started with a summary of Day 1 outcomes and a Day 2 Agenda Overview. +* 9.30 Collaborative Working Sessions, break-out discussions continue. + * [Documentation + Tooling]({{ "/events/venice2022/documentation+tooling/" | relative_url }}) + * [Metrics]({{ "/events/venice2022/metrics/" | relative_url }}) + * [Packaging]({{ "/events/venice2022/packaging/" | relative_url }}) + * Motivation FIXME https://pad.riseup.net/p/rbsummmit2022-motivation-keep +* 11.15 Break +* 11.15 Participant Skill Share + * Participants were encouraged to share any skill the consider relevant to the meeting scope. The session was structured so as to minimize group size and maximize 1-on-1 sharing opportunities. +* 12.30 Lunch +* 13.30 Collaborative Working Sessions + * [Source mirrors]({{ "/events/venice2022/source-mirrors/" | relative_url }}) + * SBOM FIXME https://pad.riseup.net/p/rbsummmit2022-sbom-keep + * Packaging + * Motivation II FIXME https://pad.riseup.net/p/rbsummmit2022-motivationII-keep +* 15.00 Break +* 15:15 Hacking Time +* 16.45 Closing Circle +* 17.00 Adjourn + +Day 3 - Thursday, November 2nd TODO +------------------------------ + +* 9.00 Opening Circle + * The day started with a summary of Day 2 outcomes and a Day 3 Agenda Overview. +* 9.30 Collaborative Working Sessions, break-out discussions continue. + * Verifying packages at installation discussion (in-toto): FIXME https://pad.riseup.net/p/rbsummmit2022-installation-keep + * [Taxonomy]({{ "/events/venice2022/taxonomy/" | relative_url }}) + * Debian FIXME https://pad.riseup.net/p/rbsummmit2022-debian-keep + * [Firmware]({{ "/events/venice2022/firmware/" | relative_url }}) +* 10.45 Break +* 11.00 Collaborative Working Sessions, break-out discussions continue. + * in-toto vs sbom (spdx) FIXME https://pad.riseup.net/p/rbsummmit2022-intoto-vs-sbom +* 12.30 Lunch +* 13.30 Mapping Where From Here + * The group took pause before the final session to take stock of the progress made to this point in the week and to inventory action items, next steps and other bridges to post-event collaboration. FIXME https://pad.riseup.net/p/rbsummmit2022-i-will-we-should-keep +* 16.15 Closing Circle + * Participants summarized key outcomes from the event, and discussed next steps for continuing collaboration after the meeting. +* 17.00 Adjourn + + ===================================== _events/hamburg2023/images-filesystems.md ===================================== @@ -1,3 +1,10 @@ +--- +layout: event_detail +title: Agenda +event: hamburg2023 +order: 10 +permalink: /events/hamburg2023/agenda/ +--- # Filesystem/Container images meeting ===================================== _events/hamburg2023/site-audiences.md ===================================== @@ -1,3 +1,11 @@ +--- +layout: event_detail +title: Agenda +event: hamburg2023 +order: 10 +permalink: /events/hamburg2023/agenda/ +--- + # website meeting reproducible-builds.org View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/42580bdfedc5127ed0e5aecc3231bac582602b2f...9b7bc874fdb40bfcb3ac410672b39446150866ed -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/42580bdfedc5127ed0e5aecc3231bac582602b2f...9b7bc874fdb40bfcb3ac410672b39446150866ed You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 13:48:36 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Thu, 02 Nov 2023 13:48:36 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Add Hamburg suse-opensuse-updates Message-ID: <6543a8b4ffa8_5e72222013832282ed@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: 90912b67 by Bernhard M. Wiedemann at 2023-11-02T14:48:24+01:00 Add Hamburg suse-opensuse-updates from https://pad.riseup.net/p/rbsummmit2023-SUSE-openSUSE-keep - - - - - 1 changed file: - + _events/hamburg2023/suse-opensuse-updates.md Changes: ===================================== _events/hamburg2023/suse-opensuse-updates.md ===================================== @@ -0,0 +1,33 @@ +# SUSE rb updates + + +2022-06 announced SLSA level 4 for SLE-15-SP4, merged several upstream rb-patches into SLE (SUSE Linux Enterprise) codebase around that time. https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/index.html + +some other employees joined in advancing rb + + + +# openSUSE rb updates + + +Bernhard keeps analyzing issues, filing bug-reports, creating+submitting patches +around 700 since 2019-12 + + +Around 97% of packages reproducible by now (500 of 15000 left; 130 with significant diffs after "build-compare" filter) + + +We fixed significant issues in python3.9 + 3.10, java/maven, ... + + +* remaining toolchain issues in: + * [rpm](https://github.com/rpm-software-management/rpm/issues/2343) + * [ghc](https://github.com/opensuse-haskell/ghc-rpm-macros/pull/1) + * [mono](https://bugzilla.opensuse.org/show_bug.cgi?id=1141502) + * [golang](https://github.com/golang/go/issues/63851) + * [efl](https://git.enlightenment.org/enlightenment/efl/issues/41) + * [libpinyin](https://github.com/libpinyin/libpinyin/issues/162) + * sphinx + * numba + * ghostscript + * pdflatex View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/90912b67f4c39309d6b8b656acc663feb44804e1 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/90912b67f4c39309d6b8b656acc663feb44804e1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 15:24:27 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 02 Nov 2023 15:24:27 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] r-b summit 2023 hamburg: update list of participating projects, now at 31 Message-ID: <6543bf2b83b7c_5e72e1f370832453f8@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: d97238fe by Holger Levsen at 2023-11-02T16:24:15+01:00 r-b summit 2023 hamburg: update list of participating projects, now at 31 Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _events/hamburg2023/index.html Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -54,7 +54,7 @@ Germany

    Participants

    There have been participants from - Apache Maven, Apache Security, Arch Linux, Buildroot, coreboot, Debian, ElectroBSD, F-Droid, Fedora, GNU Guix, JustBuild, LibreOffice, Mobian, NixOS, OpenSuSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, systemd, Warpforge +Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS, coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, OpenSuSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, spytrap-adb, systemd, Ubuntu, Warpforge and more...

    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d97238fedeebf24856ac39fd56b27c59bc4a00f9 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d97238fedeebf24856ac39fd56b27c59bc4a00f9 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 15:37:43 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Thu, 02 Nov 2023 15:37:43 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: add SUSE and openSUSE project updates Message-ID: <6543c247687ad_5e724b9c3b832497f2@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: d23b8339 by Arnout Engelen at 2023-11-02T16:37:12+01:00 hamburg2023: add SUSE and openSUSE project updates - - - - - 2 changed files: - _events/hamburg2023/agenda.md - _events/hamburg2023/suse-opensuse-updates.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -15,8 +15,7 @@ Day 1 - Tuesday, October 31 * 9.30 Opening Circle * 10.00 Project updates - * OpenSUSE - * LINK(S) + * [SUSE and openSUSE]({{ "/events/hamburg2023/suse-opensuse-updates/" | relative_url }}) * Rebuilding binaries (for real) * LINK(S) * Fedora ===================================== _events/hamburg2023/suse-opensuse-updates.md ===================================== @@ -1,13 +1,17 @@ -# SUSE rb updates +--- +layout: event_detail +title: Project updates - SUSE and openSUSE +event: hamburg2023 +order: 20 +permalink: /events/hamburg2023/suse-opensuse-updates/ +--- +## SUSE rb updates - -2022-06 announced SLSA level 4 for SLE-15-SP4, merged several upstream rb-patches into SLE (SUSE Linux Enterprise) codebase around that time. https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/index.html +[2022-06 announced SLSA level 4 for SLE-15-SP4](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/index.html), merged several upstream rb-patches into SLE (SUSE Linux Enterprise) codebase around that time. some other employees joined in advancing rb - - -# openSUSE rb updates +## openSUSE rb updates Bernhard keeps analyzing issues, filing bug-reports, creating+submitting patches View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d23b83394bf83554666b358da2950d52b473e8f9 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d23b83394bf83554666b358da2950d52b473e8f9 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 15:58:56 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 15:58:56 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: Add event documentation index.html Message-ID: <6543c74045247_5e72e1f97c03253658@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: 81874321 by Evangelos Ribeiro Tzaras at 2023-11-02T16:57:33+01:00 hamburg2023: Add event documentation index.html This includes a summary and also links to the agenda (mostly c&p from venice2022/index.html) - - - - - 1 changed file: - _events/hamburg2023/index.html Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -69,6 +69,27 @@ There will be a huge variety of topics to be discussed. To give a few examples:

  • and many many more.
    • +

    Event Documentation

    + +

    +There was a huge variety of topics discussed. To give a few examples: +

    +
      +
    • continuing design and development work on .buildinfo infrastructure
      • +
    • discussing formats and tools we can share
      • +
    • language specific respositories and package managers (e.g. PyPI, NPM, etc)
      • +
    • infrastructure needs like e.g. snapshot services, public verification serices
      • +
    • software bill of materials
      • +
    • future directions for diffoscope, reprotest & strip-nondeterminism
      • +
    • reproducible filesystem images
      • +
    • real world success stories
      • +
    • and many many more.
      • +
    +

    Location

    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/818743215c3d352e0cc74a9461aa0c9d70565a0e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/818743215c3d352e0cc74a9461aa0c9d70565a0e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 16:02:11 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 16:02:11 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: Add metadata to the Ten Commandsments Message-ID: <6543c8035ae94_5e72e1f37083254616@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: b7aaa99f by Evangelos Ribeiro Tzaras at 2023-11-02T17:01:54+01:00 hamburg2023: Add metadata to the Ten Commandsments and small markdown fixes here and there - - - - - 1 changed file: - _events/hamburg2023/rb-commandments.md Changes: ===================================== _events/hamburg2023/rb-commandments.md ===================================== @@ -1,8 +1,15 @@ -RB Ten Commandments +--- +layout: event_detail +title: Agenda +event: hamburg2023 +order: 10 +permalink: /events/hamburg2023/agenda/ +--- + +# RB Ten Commandments original draft: - Commandments by the church of reproducible builds @@ -20,7 +27,7 @@ original draft: 12. Thou shall take note of your build inputs (versions and/or hashes) -##Notes +## Notes will slightly re-order existing entries to cover most common problems first reword 11th to "allow offline builds" View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b7aaa99fe218249e1f6f40d6b75c3009cb379d3f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b7aaa99fe218249e1f6f40d6b75c3009cb379d3f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 16:15:37 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Thu, 02 Nov 2023 16:15:37 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: day 1 Message-ID: <6543cb299d020_5e724b9c3b8325680@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: f28ef41e by Arnout Engelen at 2023-11-02T17:14:53+01:00 hamburg2023: day 1 - - - - - 10 changed files: - _events/hamburg2023/agenda.md - + _events/hamburg2023/big-picture.md - + _events/hamburg2023/definitions.md - + _events/hamburg2023/infra.md - + _events/hamburg2023/language-specific.md - + _events/hamburg2023/lists.md - + _events/hamburg2023/projects.md - + _events/hamburg2023/snapshot-service.md - + _events/hamburg2023/success-stories.md - + _events/hamburg2023/users.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -30,19 +30,13 @@ Day 1 - Tuesday, October 31 * [minimal installation ISO](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756) * 11.15 Break -* 11.00 Mapping the Big Picture -TODO links +* 11.00 [Mapping the Big Picture]({{ "/events/hamburg2023/big-picture/" | relative_url }}) * 13.00 Lunch * 14.00 Collaborative Working Sessions -TODO needs the pads as .md - * Towards a snapshot service - https://pad.riseup.net/p/rbsummmit2023-d1-snapshots-keep - * Understanding user-facing needs and personas - https://pad.riseup.net/p/rbsummmit2023-d1-userfacing-keep - * Language-specific package managers - https://pad.riseup.net/p/rbsummmit2023-d1-languagepackages-keep - * Defining our definitions - https://pad.riseup.net/p/rbsummmit2023-d1-deftinitions-keep + * [Towards a snapshot service]({{ "/events/hamburg2023/snapshot-service/" | relative_url }}) + * [Understanding user-facing needs and personas]({{ "/events/hamburg2023/users/" | relative_url }}) + * [Language-specific package managers]({{ "/events/hamburg2023/language-specific/" | relative_url }}) + * [Defining our definitions]({{ "/events/hamburg2023/definitions/" | relative_url }}) * 15.15 Break * 15.30 Collaborative Working Sessions/Hack Time * 16.30 Closing Circle ===================================== _events/hamburg2023/big-picture.md ===================================== @@ -0,0 +1,28 @@ +--- +layout: event_detail +title: Mapping the Big Picture +event: hamburg2023 +order: 23 +permalink: /events/hamburg2023/big-picture/ +--- + +Building on the mappings we did at the 2022 Reproducible Builds Summit, the group will use this time to take stock of where things stand for Reproducible Builds across a range of context, as of the Summit. We'll identify success stories, exemplars and case studies to be celebrated and amplified, while also mapping challenges, needs and unsolved problems. + +Topics, issues and ideas that surface during this session will inform how we structure the rest of the agenda. + +[Success stories]({{ "/events/hamburg2023/success-stories/" | relative_url }}) +* Real world success stories: What we know works +* Real world success stories we need or are searching for + +[Projects]({{ "/events/hamburg2023/projects/" | relative_url }}) +* Projects practicing reproducibility +* What projects/platforms/libraries do we *want*/need to be reproducible? + +[Mapping projects infra]({{ "/events/hamburg2023/infra/" | relative_url }}) +* Missing RB infrastructure we need to create + +[Mapping lists]({{ "/events/hamburg2023/lists/" | relative_url }}) +* Problems we need to discuss/solve +* Other topics we need to discuss +* Other lists we need to make +* Other projects/people we should get to the next Summit ===================================== _events/hamburg2023/definitions.md ===================================== @@ -0,0 +1,60 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Defining our definitions +event: hamburg2023 +order: 33 +permalink: /events/hamburg2023/definitions/ +--- + +We feel that definitions of terms are important to coordinate our work across projects and to be able to communicate both our successes and the work still remaining to be done. + +The current Reproducible Builds effort has two commonly cited definitions of "reproducible" -- one mentioned in the reproducible-builds.org website, and another (shorter) one which is seen on the group's teeshirts. But perhaps we need more; and perhaps it is time to revisit those and see if they still serve. + +Consensus: +- Definitions are important +- We only have one (relatively) clear definition -- "reproducible" -- but maybe we need more definitions, or some concept of "levels". +- The definition we have is evidently *not* clear enough and may have other problems -- evidenced by announcements made by various projects and distributions which recurrently report "X% reproducible", wherein: + - percentages do not appear to be meaningfully comparable across distros + - the percentages reported by projects vary over time (when the exact definition changes to be more or less strict, or something *not covered by their previous practical definition changes*) + - it appears that no systems are actually approaching "100%". + +Progress: + +Producing new definitions proves difficult. + +Brainstorming: potentially revelevant terms and concepts mentioned included: +- diverse compilation +- environmental randomization +- insignificant environment bits +- "once" "I" reproduced it (example of a weak definition that we often see used in practice!) +- bit-for-bit reproducibility (included in current definition -- we ratify that we still like this because it is specific and clear) +- late-discovered un-reproducibility (an unavoidable phenomenon that causes percentages to backslide) +- circumstantial reproducibility +- idependent reproducibility +- should we consider different Levels for Outcome Equality? +- should we consider different Levels for Input Variation? +- "only 100% reproducibility is useful" (several people agree with this, while acknolwedging the irony that no project has attained it) +- deterministic +- spurious vs tampering vs unreproducibile -- degrees (and reasons) for unreproducibility events +- "transparently reproducible" (vs "blackbox"?) +- reliable reproducibility +- several notes contain drafts of functions... + - one contains "f(S)=B" -- meaning: a function consumes source and produces a binary + - a later note contains "f(S,SE,I)=As" -- meaning: a function consumes source, source environment, (?unknown?), and produces Artifacts (perhaps multiple). +- Draft of levels? + - Level 0: unreproducible + - Level 1: Build at least twice with matching initial conditions, on the same machine, by the same person + - Level 2: Level 1 plus at least one build varying "X" things ("X" not specified) + +Observations, following brainstorming: + +- As the discussion that oriented around function sketches continued, things started with one parameter, and then people tend to want to factorize out more and more parameters. + - The distinguishing trait for what got factorized tended to be roughly "which things are difficult to change". +- Participants wanted to steer the world by changing the definitions -- in two very different directions: + - Some participants specifically identified wanting to make the definition more concrete in ways that would encourage readers to pick narrower, more attainable smaller steps towards the goal of reproducibility. + - Other participants wished to make the definition as broad and aspirational as possible (for example immediately encouraging "diverse" compilation, instead of merely repeatable setup and verification of deterministic steps from identical setup conditions). +- In this session, we were unable to immediately identify clear "levels". + - The general idea seems to be that higher levels of reproducibility should involve more variation injection... + - ... but there are many different potential specific axis for this, + - ... and there is no clear ordering in which the different classes of variation could be said to matter more than others (so, ordinal "levels" seem difficult to map to this). + ===================================== _events/hamburg2023/infra.md ===================================== @@ -0,0 +1,79 @@ +--- +layout: event_detail +title: Mapping the Big Picture - Mapping projects infra +event: hamburg2023 +order: 26 +permalink: /events/hamburg2023/infra/ +--- + +* Projects practicing reproducibility + * Arch Linux + * Distrust Toolchain + * Buildroot + * Coreboot + * GNU Guix + * NixOS + * Warpforge + * ElectroBSD + * OpenWRT + * Fedora Linux + * OpenSUSE + * F-Droid + * Java jar Archives + * Debian + * TOR + * TAILS + * so toolchain + * Apache Maven + * Qubes OS + * Scala+sbt +* What projects/platforms/libraries do we *want*/need to be reproducible? + * Maven (artifacts without sources) + * NPM + * Rust crates + * PyPI + * Docker Directory Timestamps + * ElectroBSD, FreeBSD Ports/Packages + * Binutils + * Qt + * Python sphinx + * ar (static .a libraries) + * Gradle + * DPkg database + * PureOS/Mobian + * R-B in Ubuntu + * Compilers for embedded systems + * Aurix (Infineon) + * ARM/KEIL + * GCC (its own build and the binaries it builds) + * Python 3.9 + * Filesystems + * Clojure + * Build Tools + * Lein + * Flatpack + * Docker Images +* Missing RB infrastructure we need to create + * [The N commandments of reproducible builds]({{ "/events/hamburg2023/rb-commandments/" | relative_url }}) + * Alpine pkg archive + * Recordin Diversity + * Debian debuginfod.debian.net should also provide sources (stripped paths seems to be part of the problem) + * Rebuild infra for custom projects + * Standard for build location like we have for SOURCE_DATE_EPOCH for time + * Debian Snapshot server + * PyPI Repository + * Firmware hashes + * Cross target reproducibility + * Guix QA testing reproducibility + * Shared tooling for reporting + * Sharing + reporting on build results + * Comparing reproducibility stats Guix packages with other projects + * Crowd sourced reproducibility status information + * Diffoscope but I can install it (fewer deps) + * Merkle tree of upstream source releases + * Reproducible vs PGO + * Build infrastructure for ElectroBSD + * Standard BUILDINFO file format + * GCC 4.7.4 bootstrapped on more arches for bootstrappable builds + +https://salsa.debian.org/reproducible-builds/reproducible-website/-/merge_requests/105 ===================================== _events/hamburg2023/language-specific.md ===================================== @@ -0,0 +1,34 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Language-specific package managers +event: hamburg2023 +order: 32 +permalink: /events/hamburg2023/language-specific/ +--- + +* Packaging, source or binary? Python and Rust (crates) supports both +* Crates have immutable tags, git usually does not +* Source provance is important but usually hard to get +* Score card can help +* GOSST (Google) scans packages and try to rebuild it's _content_ with + some success, results are not yet published + * If results were published, could be used to add badges to the + packages in the repositories that the package was rebuilt and + verified by a third party builder + * Could be used for cli integration to only allow install of + packages being rebuilt/verified by a third party + * Compare here is the binary/source artifact, not all metadata + * Makes it easier to adopt as maintainers do not have to change + all their CI/CD workflows +* Discussed hosted vs local builder and trustworthyness, if the buid + is being reproduced, both hosted and local builder can be trusted + * Having developers managing key materials can still be hard +* Can we tie Scorecard data into the package registry? +* Can we have workflows that triggers a rebuild on a release, and gate + the publish step with a verified rebuild? +* First action point: + * Have thirdparty builders rebuilt packages similar to what Herve + is doing for Maven Central? + + + ===================================== _events/hamburg2023/lists.md ===================================== @@ -0,0 +1,70 @@ +--- +layout: event_detail +title: Mapping the Big Picture - Mapping lists +event: hamburg2023 +order: 27 +permalink: /events/hamburg2023/lists/ +--- + +* Problems we need to discuss/solve + * NetBSD: LTO test in tests.tgz + * NetBSD: "-O bigdir" breaks it completely :( + * Reproducible Filesystem images + * Users caring + * Easy to use/understand tools for end-users + * Generated sources from graphic presentation + * comparability of graphic sources + * snapshots.debian.org for OpenWRT package source code + * Geting all sources eg. `go mod download` + * cross-compilation (even a different CPU feature is) + * Further improving knowledge sharing between distros + * Rproduce & challenge + * Diffoscope to (opt-in) ignore embedded signatures + * missing archive of build dependencies + * Github/Gitlab patches (git hash abbreviation) changing in length + * "Provenance" (Don't embed!) + * Build Artifact Retention + * Avoid fragmentation in signing formats PGP JWT WAC VC ZWK SIGSTORE NOTARY + * Reproducible profile-guided-optimization + * Undocumented build environmets +* Other topics we need to discuss + * t-shirts and other swag + * Binary tarnsparency + * Too much dependencies...? + * Bootstrappability + * What work can be Distro-Agnostic? + * Potential blog posts for reproducible-builds.org + * diffoscope improvements + * index of binaries of a distro, keyed by hash (i.e. map binary -> src) +* Other lists we need to make + * "sister" projects of reproducibility + * SLSA + * Bootstrappable Builds + * R-B hackathon organize + * List of our RB-related tooling + * List of Existing RB Infrastructure + * List of Reasons for investing in R-B + * Similar to buy-in page +* [Other projects/people we should get to the next Summit]({{ "/events/hamburg2023/projects/" | relative_url }}) + +# Other Projects / People to invite to next summit + +* Nuget Gallery +* Language Package managers (all of them!) +* Language registries (repositories) managers +* Martin Monperrus Professor @ KTH Royal Institute of Technology +* GHC devs = Haskell +* "python people" (pypi pip...) + +* Cargo +* chainguard (wolfi) +* go toolchain team +* Alpine & postmarket OS +* Software heritage +* QEMU +* Red Hat +* Google Android team +* iOS +* Yocto +* UEFI-maybe on Arm/RISC-V + ===================================== _events/hamburg2023/projects.md ===================================== @@ -0,0 +1,30 @@ +--- +layout: event_detail +title: Mapping the Big Picture - Projects +event: hamburg2023 +order: 25 +permalink: /events/hamburg2023/projects/ +--- + +Projects we want/need to be reproducible: + +- binutils +- PureOS/Mobian; RB images for phones +- filesystems +- npm +- Rust crates +- PyPI +- Docker directory timestamps +- ElectroBSD/FreeBSD Ports/Packages +- Qt +- Python Sphinx +- ar embeds mtime, uid, gid +- Gradle +- dpkg database +- RB in Ubuntu +- Compiler for embed, Aurix (Infineon), ARM/Keil +- Gcc +- Python 3.9 +- Cloiure, build-tools dependencies +- Flatpack +- Docker images ===================================== _events/hamburg2023/snapshot-service.md ===================================== @@ -0,0 +1,65 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Towards a snapshot service +event: hamburg2023 +order: 30 +permalink: /events/hamburg2023/snapshot-service/ +--- + +## binary archives: + +* Debian snapshot.debian.org - slow and unstable +* Arch (daily snapshot) +* Notalpine +* openSUSE (daily snapshot) + +## source archives +openwrt needs source tarballs with specific hash +others are mostly interested in latest sources + older binaries + +## use-cases: +* verify latest binaries +* track down supply-chain dependency problems + + +Arch: sends a month worth to internet archive, keeps index + +openSUSE: keeps archive of published x86_64 binaries (some unpublished build deps missing) in IPFS on two machines on a 16TB HDD + +Software heritage keeps sources - only git? + +pristine-tar could help to track tarballs in git + + +Debian: +Vagrant did some more work on capturing current deps + + +Need index by SHA-sum +snapshot.debian.org is fast in delivering SHA-sum + +Packages list includes SHA-sum for all packages. buildinfo only lists name+version but not SHA-sum, because dpkg-build does not have hashes. + +Frederic had a copy of snapshot.debian.org ; but operational problems + +metasnap FIXME + +build-time from buildinfo file can tell what snapshot to use. + +Need DB of name+version => SHA-sum + +Debian build-env may be partially outdated at time of build. Makes it harder to find the right versions. + +Is it possible to make snapshot.debian.org faster? Uses FUSE filesystem; uses SHA1 internally while Debian uses MD5+SHA256 so mapping needs effort +100TB archive; 80 GB per snapshot ; 1M files +need only a small subset that is used for builds. +Also needed for reproducing images. + +need more new faster servers? With distributed indexed servers. + + +Need URL that gives a specific repo state at a time. + +Fedora does not do snapshots, but koji API to fetch past name+version ; not sure how long it is kept. + +Qubes has few Debian packages ; one repo with latest versions ; another repo will all old versions ; scales OK there. ===================================== _events/hamburg2023/success-stories.md ===================================== @@ -0,0 +1,62 @@ +--- +layout: event_detail +title: Mapping the Big Picture - Success Stories +event: hamburg2023 +order: 24 +permalink: /events/hamburg2023/success-stories/ +--- + +## Real world success stories: What we know works +- clear cases + - `SOURCE_DATE_EPOCH` *widely* honored and standardized + - ElectroBSD (distribution tar balls amd64) + - near 500 Java project produce RB releases (see Reproducible Central) + - Yocto base + - NixOS minimal installation ISO reproducible + - Tails ISO + - Tor Browser is reproducible + - Debian docker images + - diverse double compilation to encounter Trusting-trust attacs + - Debian policy + - bitcoin core + - find+fix corruption bugs +- nobody knows (missing docs etc) + - zig + - go toolchain? + - android + - [Spoon](https://github.com/INRIA/spoon): An AST parsing and transformation library for Java + - openSuSE at 97% + - GitHub reproroducible build badge + - spytrap-adb + - F-Droid 90% new apps included are reproducible + - bootstrappable.org + - coreboot + - developer stories + +## Real world success stories we need or are searching for + +(RB Success Stories Desired) + +## column 1: < 100% + +* 96% binary pkg reproducible debian cloud image +* K && N trust in GNU Guix substitues by default +* Debug Packages +* Debian Install Images reproducible + +## column 2 + +* 150 java projects try fail at getting RB release (really hard to read) J +* f-droid: older apps RB verify but not yet switched +* only release reproducible packages (stage until verified) + +## column 3 + +* Reproducible compilers built with other compilers. e.g. gcc built via clang then rebuild gcc with that +* setting up CI RB system for FEdora RPMs +* Install images rebuilt on different distro +* Install images rebuilt by different organisations +* Repo reproducible as opposed to deterministic build +* Debian snapshot scalable + + ===================================== _events/hamburg2023/users.md ===================================== @@ -0,0 +1,58 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Understanding user-facing needs and personas +event: hamburg2023 +order: 31 +permalink: /events/hamburg2023/users/ +--- + +Clusters of stakeholders: +- 'end users' + - 'distro' end-users + - 'direct' (non-distro) end-users + - 'normies' + - administrators +- organizations that want to use reproducible software + - software vendors + - (oss) developer communities +- intermediaries + - distro/package managers + - verifiers + - managers/teamleaders + +Goals: +- even developers are not aware of reproducible builds. Expected much less so to end-users, but already +- initiatives such as Debian mandating reproducibility + +- example: f-droid built an apk with malware from package repository, while the original developer had a cached non-backdoored version. +- policy: most build pipelines nowadays have security compliance features, reproducibility might become a part of that. that helps developers care. +- even if source is available it can be hard to rebuild in practice. + +- integration in package managers, so you can set a policy to only install reproducible software + +- what about software does not found in distro packages + - repro-env: makes it easier to rebuild 3rd-party packages + - important that software is reproduced by people unaffiliated with the project + +- Levels of trustworthiness: + - low: source unknown, distributed by 'authority' + - medium: open source + - high: reproducible open source + +- In case of F-Droid: there F-Droid takes the role of the 3rd party reproducing/verifying the software + - extra advantage is that in case of F-Droid the APK built by F-Droid is compared + to the APK built by the upstream. + This is unfeasible for distro's, though, since distro's provide value by building + packages in a particular way to provide a consistent experience to their users + +- registry where independent 3rd party rebuilders/verifiers can upload their build results + - in-toto plugin for arch and debian would be an interesting inspiration + - how to organize/fund such rebuilders? + - integrate rebuilding functionality into distro/package managers? + - reproduce probabilistically? + - some large organizations may want to rebuild for their own use anyway + - if we make it easy for them, and entice them to share their results, + the rest of the community could piggy-back on that? + - rebuilderd? results queryable over http api + + View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f28ef41e20f61f7e48fdaf740c5e5743a4e5ac35 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f28ef41e20f61f7e48fdaf740c5e5743a4e5ac35 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 16:48:11 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 16:48:11 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 6 commits: hamburg2023: Add guix-todo notes Message-ID: <6543d2cb82e1e_5e72e207f1432594b4@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: 4d34fe50 by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:31+01:00 hamburg2023: Add guix-todo notes - - - - - 9e9b7dec by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:31+01:00 hamburg2023: Add notes from the signature storage session - - - - - 18e4daa6 by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:31+01:00 hamburg2023: Fix/Add metadata in a couple of pages - - - - - df804816 by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:31+01:00 hamburg2023: Add notes from verification 1&2 sessions - - - - - e7202d0e by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:31+01:00 hamburg2023: Add notes from "Born Reproducible 1" - - - - - 51b34f60 by Evangelos Ribeiro Tzaras at 2023-11-02T17:47:41+01:00 hamburg2023: Add agenda for day 2 - - - - - 9 changed files: - _events/hamburg2023/agenda.md - + _events/hamburg2023/born-repro.md - + _events/hamburg2023/guix-todo.md - _events/hamburg2023/images-filesystems.md - + _events/hamburg2023/public-verification.md - _events/hamburg2023/rb-commandments.md - + _events/hamburg2023/signature-storage.md - _events/hamburg2023/site-audiences.md - + _events/hamburg2023/verification-use-cases.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -45,25 +45,27 @@ Day 1 - Tuesday, October 31 Day 2 - Wednesday, November 1st TODO ------------------------------- -* 9.00 Opening Circle +* 9.30 Opening Circle * The day started with a summary of Day 1 outcomes and a Day 2 Agenda Overview. -* 9.30 Collaborative Working Sessions, break-out discussions continue. - * [Documentation + Tooling]({{ "/events/venice2022/documentation+tooling/" | relative_url }}) - * [Metrics]({{ "/events/venice2022/metrics/" | relative_url }}) - * [Packaging]({{ "/events/venice2022/packaging/" | relative_url }}) - * Motivation FIXME https://pad.riseup.net/p/rbsummmit2022-motivation-keep +* 9.45 Collaborative Working Sessions, break-out discussions continue. + * [Ten Commandments]({{ "/events/hamburg2023/rb-commandments/" | relative_url }}) + * Embedded systems FIXME (no notes in the pad) + * [Guix To-do's]({{ "/events/hamburg2023/guix-todo/" | relative_url }}) + * [Signature storage and sharing]({{ "/events/hamburg2023/signature-storage/" | relative_url }}) + * [Public verification service]({{ "/events/hamburg2023/verification1/" | relative_url }}) * 11.15 Break -* 11.15 Participant Skill Share +* 11.30 Participant Skill Share * Participants were encouraged to share any skill the consider relevant to the meeting scope. The session was structured so as to minimize group size and maximize 1-on-1 sharing opportunities. -* 12.30 Lunch -* 13.30 Collaborative Working Sessions - * [Source mirrors]({{ "/events/venice2022/source-mirrors/" | relative_url }}) - * SBOM FIXME https://pad.riseup.net/p/rbsummmit2022-sbom-keep - * Packaging - * Motivation II FIXME https://pad.riseup.net/p/rbsummmit2022-motivationII-keep -* 15.00 Break -* 15:15 Hacking Time -* 16.45 Closing Circle +* 13.00 Lunch +* 14.00 Collaborative Working Sessions + * [Verification use cases]({{ "/events/hamburg2023/verification2/" | relative_url }}) + * [Web site audiences]({{ "/events/hamburg2023/source-mirrors/" | relative_url }}) + * [Enabling new projects to be "born reproducible"]({{ "/events/hamburg2023/source-mirrors/" | relative_url }}) + * RB Success Stories FIXME (no notes in the pad) + * RB relationship to SBOM FIXME (no notes in the pad) +* 15.15 Break +* 15:30 Hacking Time +* 16.35 Closing Circle * 17.00 Adjourn Day 3 - Thursday, November 2nd TODO ===================================== _events/hamburg2023/born-repro.md ===================================== @@ -0,0 +1,38 @@ +--- +layout: event_detail +title: Born Reproducible 1 +event: hamburg2023 +order: 213 +permalink: /events/hamburg2023/site-audiences/ +--- + +# Notes + +Who is running it +Who is running builds +At what granularity are build steps defined +What os/platform are necessary to support +How (or if) non-owned build inputs are fetched/supported +What are the different "stacks" that run builders +How closely does "build input" reflect the full set of things that can inpact output +How "explicit" is the build definition + +Rebuild evidence +(re)builder indentity +Both successes and failures to rebuild + + +What are we trying to do? +Understand build diffs +Build integrity <- many similar builders +Build malice <- many different builders +Rebuild debugging/detection +* Transient mismatch +* Deterministic mismatch +Rebuild smells <- environment variation injector (e.g., build diversity fuzzer) + +What are the techniques that can help? +File system isolation +Ephemeral environment +Deterministic Scheduling +Multiple sequential rebuilds ===================================== _events/hamburg2023/guix-todo.md ===================================== @@ -0,0 +1,49 @@ +--- +layout: event_detail +title: Guix To-Do's +event: hamburg2023 +order: 203 +permalink: /events/hamburg2023/guix-todo/ +--- + +# Long term goals: + + - All packages build reproducibly + - Benefits security + - Future proofing + + - K of N trust in substitutes (where K > 1) + - Benefits security + +# Things related to reproducible builds + + - The data service info + - `guix challenge` + - `guix build --check` and `guix build --rounds` + +TODO list: + - build with disorderfs + - linter for matching substitutes (to flag non reproducible packages) + - QA checking reproducibility in patches/branches + - User submitted build results + - Prioritised list of packages/issues to fix + +# Actionable items + +## Some kind of guix buildinfo + +That you can submit to the data service to describe a build you've done. Would be useful from the build coordinator but also submitted from users. This would help to find non-reproducible packages. + +## QA doing builds to test reproducibility + +## Improve qa.guix.gnu.org/reproducible-builds + +Check and prioritise issues. + +## Track package reproducibility percentage over time + +And backfill data. + +## Implement K of N trust in substitutes + +See https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00179.html ===================================== _events/hamburg2023/images-filesystems.md ===================================== @@ -1,9 +1,9 @@ --- layout: event_detail -title: Agenda +title: Images, filesystems and containers event: hamburg2023 -order: 10 -permalink: /events/hamburg2023/agenda/ +order: 303 +permalink: /events/hamburg2023/images-filesystems/ --- # Filesystem/Container images meeting ===================================== _events/hamburg2023/public-verification.md ===================================== @@ -0,0 +1,81 @@ +--- +layout: event_detail +title: Public verification service +event: hamburg2023 +order: 205 +permalink: /events/hamburg2023/verification1/ +--- + +# Server collects build data + +- Includes Hashes of Outputs +- Info About Build Environment +- Finds out what environment factors matter + +# Use cases + +## Use data to determine what's causing builds to differ +## What percentage of X builds reproducibly + + + +# Building or rebuilding stuff + +Components are things like build environment and sources + +## Build spec + +Build spec: + - Input archive + - Patches + - Build instructions + - Target distro/OS + + +Environment: + - What's installed + - Contents of /etc + - File system types + - Initial working directory + - Environment variables + - TZ + - Locale + - Running kernel + - Hardware architecture + - Current user (UID/GID) + +Outputs: + - 'treeish' hash + - Include some file metadata, but not all + - Should timestamps be stored? + - Is-Test (delete periodically if true) + +(above is the payload) + + +Metadata: + - Name + Version + - Project URL + - Uploader + - Optional signature + - Comment + - Link to build + + Formats: + - Linked Data / RDF + - JSON + - SBOM / SPDX / CycloneDX / ... ? + - Maybe In-TOTO? + +Hook In: + - After 'Fetch' / Before 'Build' + - After 'Artifact Generation' + + +People interested in contributing to implementation: + - Herv? Boutemy (hboutemy at apache.org) + - Arnout Engelen (arnout at bzzt.net) + - Janis Peyer (janispeyer at bluewin.ch) + - Nicolas (boklm at torptoject.org) + - quae at daurnimator.com + ===================================== _events/hamburg2023/rb-commandments.md ===================================== @@ -1,9 +1,9 @@ --- layout: event_detail -title: Agenda +title: The Ten Commandments event: hamburg2023 -order: 10 -permalink: /events/hamburg2023/agenda/ +order: 201 +permalink: /events/hamburg2023/rb-commandments/ --- # RB Ten Commandments ===================================== _events/hamburg2023/signature-storage.md ===================================== @@ -0,0 +1,38 @@ +--- +layout: event_detail +title: Signature storage and sharing +event: hamburg2023 +order: 204 +permalink: /events/hamburg2023/signature-storage/ +--- + +Signature storage and sharing +----------------------------- + +* Most uses PGP keys, some uses SSH keys for commit signing (YubiKeys + support HSM management of SSH keys) +* Key discovery is not always trivial +* Unclear story around how to verify signatures +* Commit signing can be hard as certain CI/CD systems either signes + commits used in UI with their own key, or shows badges such as + "commit verified". This only works of the CI/CD knows about all the + commit sining keys, and so can show "commit not verified" which can + be false or misleading +* For package manager, Maven contains each maintainer's public key +* Similar for many distributions (knows about maintainer's public + keys) +* Android uses an allow list of developer keys +* In general, the security of allowed keys at resit is not resilient + against tampering (i.e an attack on a server) +* TUF could be used to secure trusted keys (both at rest and in + transit) +* Some pacakge repositories signs the packages (can still be signed by + the developer before publish, i.e multiple signatures) +* With PGP, keys can be rotated. New key N+1 can be signed with + current key N. Not possible with SSH keys +* Summary (for the general case): + * Key distribution is hard + * No easy verification flow + + + ===================================== _events/hamburg2023/site-audiences.md ===================================== @@ -1,9 +1,9 @@ --- layout: event_detail -title: Agenda +title: Web site audiences event: hamburg2023 -order: 10 -permalink: /events/hamburg2023/agenda/ +order: 212 +permalink: /events/hamburg2023/site-audiences/ --- # website meeting ===================================== _events/hamburg2023/verification-use-cases.md ===================================== @@ -0,0 +1,42 @@ +--- +layout: event_detail +title: Verification Use Cases +event: hamburg2023 +order: 211 +permalink: /events/hamburg2023/verification2/ +--- + +Verification use cases +---------------------- + +- have some central place for people to upload attestations? + + - put everything into one database? + + - disks are cheap, but querying data is complicated + +- how do we display data? + + - have a website? + + - a graph? + +- maybe collect them in git repos? + + - every entity runs their own repo + +- we need to be able to tell which entity did the rebuild +- do we need additional data for easier triage? + + - cpu features? + +- maybe she should keep track of the cpu features of the rebuilder? +- the buildinfo file should canonically describe a "blessed" environment +- each language package manager (cargo, npm, composer, ...) is their own "distro", from a r-b point of view +- do we want to match results between distros? + + - is this doable/useful? + + - in Arch Linux, we often know what the issue is based on a single diffoscope, the challenge is triage/fixing all root causes + +- maybe something similiar to crev? https://github.com/crev-dev/crev/ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/f28ef41e20f61f7e48fdaf740c5e5743a4e5ac35...51b34f604ffd8bf1e51a663f198566b1f9e8c91e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/f28ef41e20f61f7e48fdaf740c5e5743a4e5ac35...51b34f604ffd8bf1e51a663f198566b1f9e8c91e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 16:54:11 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Thu, 02 Nov 2023 16:54:11 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: day 3 notes Message-ID: <6543d433cef94_5e724b9c3b832602f9@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 7a931ec7 by Arnout Engelen at 2023-11-02T17:53:50+01:00 hamburg2023: day 3 notes - - - - - 10 changed files: - _events/hamburg2023/agenda.md - + _events/hamburg2023/arch-huddle.md - + _events/hamburg2023/born-reproducible-2.md - + _events/hamburg2023/born-reproducible-3.md - + _events/hamburg2023/debian.md - + _events/hamburg2023/diffoscope-2.md - + _events/hamburg2023/fedora-packages.md - + _events/hamburg2023/filtering-diffoscope.md - + _events/hamburg2023/rpm-sbom.md - + _events/hamburg2023/using-verification-data.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -68,24 +68,30 @@ Day 2 - Wednesday, November 1st TODO * 16.35 Closing Circle * 17.00 Adjourn -Day 3 - Thursday, November 2nd TODO +Day 3 - Thursday, November 2nd ------------------------------ * 9.00 Opening Circle * The day started with a summary of Day 2 outcomes and a Day 3 Agenda Overview. -* 9.30 Collaborative Working Sessions, break-out discussions continue. - * Verifying packages at installation discussion (in-toto): FIXME https://pad.riseup.net/p/rbsummmit2022-installation-keep - * [Taxonomy]({{ "/events/venice2022/taxonomy/" | relative_url }}) - * Debian FIXME https://pad.riseup.net/p/rbsummmit2022-debian-keep - * [Firmware]({{ "/events/venice2022/firmware/" | relative_url }}) -* 10.45 Break -* 11.00 Collaborative Working Sessions, break-out discussions continue. - * in-toto vs sbom (spdx) FIXME https://pad.riseup.net/p/rbsummmit2022-intoto-vs-sbom +* 9.45 Collaborative Working Sessions, break-out discussions continue. + * [SBOM for rpm]({{ "/events/hamburg2023/rpm-sbom/" | relative_url }}) + * [Filtering diffoscope output]({{ "/events/hamburg2023/filtering-diffoscope/" | relative_url }}) + * [Images/Filesystems/Containers]({{ "/events/hamburg2023/images-filesystems/" | relative_url }}) + * [Born Reproducible II]({{ "/events/hamburg2023/born-reproducible-2/" | relative_url }}) + * [Using verification data]({{ "/events/hamburg2023/using-verification-data/" | relative_url }}) +* 11.15 Break +* 11.30 Collaborative Working Sessions, break-out discussions continue. + * [Born Reproducible III]({{ "/events/hamburg2023/born-reproducible-3/" | relative_url }}) + * [Verification Service III]({{ "/events/hamburg2023/verification-service-3/" | relative_url }}) + * [Fedora packages]({{ "/events/hamburg2023/fedora-packages/" | relative_url }}) + * [Arch huddle]({{ "/events/hamburg2023/arch-huddle/" | relative_url }}) + * [Diffoscope II]({{ "/events/hamburg2023/diffoscope-2/" | relative_url }}) + * [Debian]({{ "/events/hamburg2023/debian/" | relative_url }}) * 12.30 Lunch -* 13.30 Mapping Where From Here - * The group took pause before the final session to take stock of the progress made to this point in the week and to inventory action items, next steps and other bridges to post-event collaboration. FIXME https://pad.riseup.net/p/rbsummmit2022-i-will-we-should-keep -* 16.15 Closing Circle +* 14.00 Mapping next conversations and next steps + * The group paused before the final session to take stock of the progress made to this point in the week and to inventory action items, next steps and other bridges to post-event collaboration. +* 15.30 Closing Circle * Participants summarized key outcomes from the event, and discussed next steps for continuing collaboration after the meeting. -* 17.00 Adjourn +* 16.00 Adjourn / Hack Time ===================================== _events/hamburg2023/arch-huddle.md ===================================== @@ -0,0 +1,9 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Arch huddle +event: hamburg2023 +order: 307 +permalink: /events/hamburg2023/arch-huddle +--- + + ===================================== _events/hamburg2023/born-reproducible-2.md ===================================== @@ -0,0 +1,30 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Born Reproducible II +event: hamburg2023 +order: 303 +permalink: /events/hamburg2023/born-reproducible-2/ +--- + +Notes + +This session is a follow-up on session from day 2 "Born Reproducible" + +* Step #0 - Have a clean and defined build environment +* Step #1 - Know/Define: + * input + * output +* Step #2 - Record build metadata (e.g., buildinfo) +* Step #3 - Try to rebuild in a similar environment +* Step #4 - Analyse any differences +* Step #5 - Try to rebuild in a different enviroment +* Step #6 - Make it possible for users to rebuild/validate +* Step #7 - Define policy if build is unreproducible +* Step #8 - Collect build attestations +* Step #9 - Diversify Builders (e.g., identities, data centers, possibly users) +* Step #10 - Implement / Deploy Policy +* Profit! - Announce reproducibility +Communicate on every step! + + + ===================================== _events/hamburg2023/born-reproducible-3.md ===================================== @@ -0,0 +1,82 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Born reproducible III +event: hamburg2023 +order: 305 +permalink: /events/hamburg2023/born-reproducible-3 +--- + +Follow up of [Born Reproducible II]({{ "/events/hamburg2023/born-reproducible-2/" | relative_url }}) + +In this session, we were more concrete. We came up with how each step in the framework in part II could be implemented for Java (especially maven) ecosystem. + +## Reference Implementation +https://github.com/jvm-repo-rebuild/reproducible-central. + +### Step 0 +Assume that the clean environment is the GitHub action runner. Although you have more control on your system, the information you care about (like `java` version, `mvn` version) is know in GitHub action runner as well. + +### Step 1 + +- Inputs: + 1. Java source code + 2. Build configuration (`pom.xml`): Try to have a minimal working version of + that. Remove all the unecessary boilerplate code. +- Outputs: + 1. all the `jar`s and the SBOMs produced as the build output. + + `.buildspec` in the reference implementation documents all of this. + +### Step 2 +Build metadata for Java could mean to know all the transitive dependencies and system dependencies (for example, the compression tool for classfiles could be a system dependency) + +> maybe not too relevant for Java, but it was for C/android + +### Step 3 + +- Compare the artifacts listed in `output` with the ones on maven central (`rebuild.sh ` does that in reference implementation). +- `mvn package` for the first build and `mvn package` without snapshot lookup for the second build (rebuild). + +### Step 4 + +The differences could be + +- order of classfiles in archives +- absolute and relative paths of resources +- differences in classfiles +- difference in manifest files + +Reference implementation uses `diffoscope` + +### Step 5 +A different environment could be Jenkins, CircleCI, a separate GitHub action runner with a different architecture. + +> In theory, architecture should not matter as jars are supposed to be independent of this. + +### Step 6 + +- Let user's reproduce the CI based on the build step +_ Provide tooling for reproducing it. Example: [gorebuild](https://pkg.go.dev/golang.org/x/build/cmd/gorebuild) is a tool to reproduce go toolchain. + +> From here on, it gets abstract + +### Step 7 +Document why the artifacts generated are not reproducible and give reasons why they are not. For example, the signature difference. In Step 6, users could be told to strip signature before comparing. + +> Step 8,9,10 are release related so we did not discuss them in depth. + +### Step 8 +Project README should tell how to verify build attestation. + +### Step 9 +Have your CI sign the artifacts. + +### Step 10 +Implementing deploy policy is a responsibilty taken by the artifact hosting service (maven central) in Java ecosystem. For example, it checks your manifest (`pom.xml`) for certain requirements before deploying. + +Last takeaway of this session was that the framework was supported by people working in C and android ecosystems. However, commercial code is a hard problem. + + + + + ===================================== _events/hamburg2023/debian.md ===================================== @@ -0,0 +1,8 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Debian +event: hamburg2023 +order: 308 +permalink: /events/hamburg2023/debian/ +--- + ===================================== _events/hamburg2023/diffoscope-2.md ===================================== @@ -0,0 +1,8 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Diffoscope II +event: hamburg2023 +order: 308 +permalink: /events/hamburg2023/diffoscope-2/ +--- + ===================================== _events/hamburg2023/fedora-packages.md ===================================== @@ -0,0 +1,26 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Fedora packages +event: hamburg2023 +order: 306 +permalink: /events/hamburg2023/fedora-packages/ +--- + +Bernhard imported a number of packages into openSUSE's open-build-service(OBS) and used the reproducibleopensuse tools to do double-builds and verification builds and additionally compare to official Fedora binary pkgs + +Fedora does not normalize build-time in rpm-headers, so no bit-reproducible replication is possible atm. Would need some rpm %macro mechanism to override the value that is separate from $SOURCE_DATE_EPOCH. + +Additionally we found some more roadblocks: + * Fedora uses dynamic python provides that ended up missing in OBS and resulted in a failed build + * pam did not build because xpdf xpdf-libs both provided the same symbol and OBS does not have Fedoras's automatic resolution of using the first shortest name + * python .pyc file headers varied - maybe because of additional rb-related macros used + * koji only kept details from the last 2 weeks, so buildroot details for all Fedora39 packages were already expired from that cache (though are accessible in a different way) + * OBS has a different logic to create Release strings (N.M vs N.fc39) + * The name-epoch-version-release string gets embedded in `.note.package` section in all ELF files, which means it'll directly impact reproducibility. + +we tested with + * 2ping + * perl-Alien-Brotli + * python-gemfileparser2 + * pam + ===================================== _events/hamburg2023/filtering-diffoscope.md ===================================== @@ -0,0 +1,40 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Filtering diffoscope output +event: hamburg2023 +order: 301 +permalink: /events/hamburg2023/filtering-diffoscope/ +--- + +Goal: add patterns to filter out some parts of output, or filters to only show some parts of output + +Requirements: +- print info that parts output are being ignored +- indicate in return code that files are not identical + +A number of options exist: +- `--exclude` +- `--exclude-command=REGEXP`: this skips command matching REGEXP + (`--exclude-command '^readelf.*gdb_index'`) + but then diffoscope tries the next command, possibly falling back to hexdump comparison + +- output formats: `--json`, `--html`, `--htmldir`. + Multiple output formats can be use together. + +- `--load-existing-diff FILE`. + Diffoscope will produce all kinds of output from JSON. + This can be combined with 'jq' filtering or some other way to filter. + +Internally, state is a series of deeply nested dictionaries. +The comparator is called with a paths of keys. + +Issues about --exclude* already exist: +https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/130 +https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/53 +https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/52 + +Filtering by "output level" is not enough. +For example, in an RPM header, some specific fields should be ignored, but only those. + +Idea: provide a command to filter the output using a jq-like path. + ===================================== _events/hamburg2023/rpm-sbom.md ===================================== @@ -0,0 +1,56 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - SBOM for rpm +event: hamburg2023 +order: 300 +permalink: /events/hamburg2023/rpm-sbom/ +--- + +SBOM discussion led by Marek + +rpmbuild should produce buildinfo file during package-build + +currently fragmented: OBS, koji, others reinvent their own formats + +There was previous discussion with rpm maintainers. +Idea: produce separate sub-package with that buildinfo file. +format was too Debian-ish and therefore disliked by rpm maintainers. + +buildinfo-rpm can be signed the normal way +can be published to separate repo (similar to debuginfo) + + +Prior work: +* https://github.com/rpm-software-management/rpm/pull/1532 + rpmrebuild +* https://github.com/rpm-software-management/rpm/issues/2389 +* http://download.opensuse.org/update/leap/15.5/sle/x86_64/ has slsa_provenance.json in-toto format +* https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example +* https://cyclonedx.org/ +* some Yocto-based medical device collects plenty data from build + +goal: + * be able to independently verify rpms / containers + * common tool for reproducing rpm packages - no matter from which distribution + * also for 3rd-party packages such as google-chrome + +Ideas: + * discuss more with upstream: what value it would provide + * let upstream come up with a PR + * have prepared shared zstd dict for efficient SBOM compression + +result/output-SBOM vs input/build-SBOM + => see also notes on Wed discussion on SBOM + SPDX + CycloneDX + in-toto file format + +consumers for SBOM files: +* CVE-scanners +* License-scanners + + +missing link for publishing required buildrequires rpm + fetching via name|shasum +* URL for provider service +* archive.org +* IPFS +* other + + ===================================== _events/hamburg2023/using-verification-data.md ===================================== @@ -0,0 +1,14 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Using verification data +event: hamburg2023 +order: 304 +permalink: /events/hamburg2023/using-verification-data +--- + +Using verification data + +Notes + + + View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7a931ec70928b1bad95387935175e8f52cce0b00 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7a931ec70928b1bad95387935175e8f52cce0b00 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 16:58:15 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Thu, 02 Nov 2023 16:58:15 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: consistency tweaks Message-ID: <6543d52782660_5e724b9c3b83260662@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 052785fb by Arnout Engelen at 2023-11-02T17:57:56+01:00 hamburg2023: consistency tweaks - - - - - 7 changed files: - _events/hamburg2023/born-repro.md - _events/hamburg2023/guix-todo.md - _events/hamburg2023/images-filesystems.md - _events/hamburg2023/public-verification.md - _events/hamburg2023/rb-commandments.md - _events/hamburg2023/signature-storage.md - _events/hamburg2023/verification-use-cases.md Changes: ===================================== _events/hamburg2023/born-repro.md ===================================== @@ -1,38 +1,36 @@ --- layout: event_detail -title: Born Reproducible 1 +title: Collaborative Working Sessions - Born Reproducible I event: hamburg2023 order: 213 permalink: /events/hamburg2023/site-audiences/ --- -# Notes +- Who is running it +- Who is running builds +- At what granularity are build steps defined +- What os/platform are necessary to support +- How (or if) non-owned build inputs are fetched/supported +- What are the different "stacks" that run builders +- How closely does "build input" reflect the full set of things that can inpact output +- How "explicit" is the build definition -Who is running it -Who is running builds -At what granularity are build steps defined -What os/platform are necessary to support -How (or if) non-owned build inputs are fetched/supported -What are the different "stacks" that run builders -How closely does "build input" reflect the full set of things that can inpact output -How "explicit" is the build definition - -Rebuild evidence -(re)builder indentity -Both successes and failures to rebuild +- Rebuild evidence +- (re)builder indentity +- Both successes and failures to rebuild What are we trying to do? -Understand build diffs -Build integrity <- many similar builders -Build malice <- many different builders -Rebuild debugging/detection -* Transient mismatch -* Deterministic mismatch -Rebuild smells <- environment variation injector (e.g., build diversity fuzzer) +* Understand build diffs +* Build integrity <- many similar builders +* Build malice <- many different builders +* Rebuild debugging/detection + * Transient mismatch + * Deterministic mismatch +* Rebuild smells <- environment variation injector (e.g., build diversity fuzzer) What are the techniques that can help? -File system isolation -Ephemeral environment -Deterministic Scheduling -Multiple sequential rebuilds +* File system isolation +* Ephemeral environment +* Deterministic Scheduling +* Multiple sequential rebuilds ===================================== _events/hamburg2023/guix-todo.md ===================================== @@ -1,6 +1,6 @@ --- layout: event_detail -title: Guix To-Do's +title: Collaborative Working Sessions - Guix To-Do's event: hamburg2023 order: 203 permalink: /events/hamburg2023/guix-todo/ @@ -8,12 +8,12 @@ permalink: /events/hamburg2023/guix-todo/ # Long term goals: - - All packages build reproducibly - - Benefits security - - Future proofing - - - K of N trust in substitutes (where K > 1) - - Benefits security +- All packages build reproducibly + - Benefits security + - Future proofing + +- K of N trust in substitutes (where K > 1) + - Benefits security # Things related to reproducible builds ===================================== _events/hamburg2023/images-filesystems.md ===================================== @@ -1,13 +1,11 @@ --- layout: event_detail -title: Images, filesystems and containers +title: Collaborative Working Sessiosn - Images, filesystems and containers event: hamburg2023 order: 303 permalink: /events/hamburg2023/images-filesystems/ --- -# Filesystem/Container images meeting - https://reproducible-builds.org/docs/system-images/ ## Filesystems ===================================== _events/hamburg2023/public-verification.md ===================================== @@ -1,6 +1,6 @@ --- layout: event_detail -title: Public verification service +title: Collaborative Working Sessions - Public verification service event: hamburg2023 order: 205 permalink: /events/hamburg2023/verification1/ ===================================== _events/hamburg2023/rb-commandments.md ===================================== @@ -1,13 +1,11 @@ --- layout: event_detail -title: The Ten Commandments +title: Collaborative Working Sessions - The Ten Commandments event: hamburg2023 order: 201 permalink: /events/hamburg2023/rb-commandments/ --- -# RB Ten Commandments - original draft: Commandments by the church of reproducible builds ===================================== _events/hamburg2023/signature-storage.md ===================================== @@ -1,14 +1,11 @@ --- layout: event_detail -title: Signature storage and sharing +title: Collaborative Working Sessions - Signature storage and sharing event: hamburg2023 order: 204 permalink: /events/hamburg2023/signature-storage/ --- -Signature storage and sharing ------------------------------ - * Most uses PGP keys, some uses SSH keys for commit signing (YubiKeys support HSM management of SSH keys) * Key discovery is not always trivial ===================================== _events/hamburg2023/verification-use-cases.md ===================================== @@ -1,14 +1,11 @@ --- layout: event_detail -title: Verification Use Cases +title: Collaborative Working Sessions - Verification Use Cases event: hamburg2023 order: 211 permalink: /events/hamburg2023/verification2/ --- -Verification use cases ----------------------- - - have some central place for people to upload attestations? - put everything into one database? View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/052785fb090d39eff25b410cbcc3a3188cae2a59 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/052785fb090d39eff25b410cbcc3a3188cae2a59 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 2 17:10:55 2023 From: gitlab at salsa.debian.org (Evangelos Ribeiro Tzaras (@devrtz)) Date: Thu, 02 Nov 2023 17:10:55 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 3 commits: hamburg2023: Add notes about success stories Message-ID: <6543d81fc4aaf_5e7222201383260849@godard.mail> Evangelos Ribeiro Tzaras pushed to branch master at Reproducible Builds / reproducible-website Commits: 6cb21712 by Evangelos Ribeiro Tzaras at 2023-11-02T18:09:42+01:00 hamburg2023: Add notes about success stories - - - - - 89a1285b by Evangelos Ribeiro Tzaras at 2023-11-02T18:10:25+01:00 hamburg2023: Use consistent URLs for "born reproducible" - - - - - 5824ef7c by Evangelos Ribeiro Tzaras at 2023-11-02T18:10:34+01:00 hamburg2023: Fix links - - - - - 3 changed files: - _events/hamburg2023/agenda.md - _events/hamburg2023/born-repro.md - + _events/hamburg2023/rb-success.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -59,9 +59,9 @@ Day 2 - Wednesday, November 1st TODO * 13.00 Lunch * 14.00 Collaborative Working Sessions * [Verification use cases]({{ "/events/hamburg2023/verification2/" | relative_url }}) - * [Web site audiences]({{ "/events/hamburg2023/source-mirrors/" | relative_url }}) - * [Enabling new projects to be "born reproducible"]({{ "/events/hamburg2023/source-mirrors/" | relative_url }}) - * RB Success Stories FIXME (no notes in the pad) + * [Web site audiences]({{ "/events/hamburg2023/site-audiences/" | relative_url }}) + * [Born Reproducible I]({{ "/events/hamburg2023/born-reproducible-1/" | relative_url }}) + * [RB Success Stories]({{ "/events/hamburg2023/success/" | relative_url }}) * RB relationship to SBOM FIXME (no notes in the pad) * 15.15 Break * 15:30 Hacking Time ===================================== _events/hamburg2023/born-repro.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Born Reproducible I event: hamburg2023 order: 213 -permalink: /events/hamburg2023/site-audiences/ +permalink: /events/hamburg2023/born-reproducible-1/ --- - Who is running it ===================================== _events/hamburg2023/rb-success.md ===================================== @@ -0,0 +1,61 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Success stories +event: hamburg2023 +order: 214 +permalink: /events/hamburg2023/success/ +--- + +# Real world success stories: What we know works +- clear cases + - `SOURCE_DATE_EPOCH` *widely* honored and standardized + - ElectroBSD (distribution tar balls amd64) + - near 500 Java project produce RB releases (see Reproducible Central) + - Yocto base + - NixOS minimal installation ISO reproducible + - Tails ISO + - Tor Browser is reproducible + - Debian docker images + - diverse double compilation to encounter Trusting-trust attacs + - Debian policy + - bitcoin core + - find+fix corruption bugs +- nobody knows (missing docs etc) + - zig + - go toolchain? + - android + - Spoon: An AST parsing and transformation library for Java + https://github.com/INRIA/spoon + - openSuSE at 97% + - GitHub reproroducible build badge + - spytrap-adb + - F-Droid 90% new apps included are reproducible + - bootstrappable.org + - coreboot + - deveoper stories + +# Real world success stories we need or are searching for + +(RB Success Stories Desired) + +## column 1: < 100% + +* 96% binary pkg reproducible debian cloud image +* K && N trust in GNU Guix substitues by default +* Debug Packages +* Debian Install Images reproducible + +## column 2 + +* 150 java projects try fail at getting RB release (really hard to read) J +* f-droid: older apps RB verify but not yet switched +* only release reproducible packages (stage until verified) + +## column 3 + +* Reproducible compilers built with other compilers. e.g. gcc built via clang then rebuild gcc with that +* setting up CI RB system for FEdora RPMs +* Install images rebuilt on different distro +* Install images rebuilt by different organisations +* Repo reproducible as opposed to deterministic build +* Debian snapshot scalable View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/052785fb090d39eff25b410cbcc3a3188cae2a59...5824ef7c84be49fe5c27fdc626868dbec0c32b64 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/052785fb090d39eff25b410cbcc3a3188cae2a59...5824ef7c84be49fe5c27fdc626868dbec0c32b64 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 3 09:14:45 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Fri, 03 Nov 2023 09:14:45 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] farewell hamburg post: fix typo Message-ID: <6544ba0531e8f_5e72e207f143343898@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 3be7497c by Holger Levsen at 2023-11-03T10:14:03+01:00 farewell hamburg post: fix typo Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md Changes: ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -5,7 +5,7 @@ date: 2023-11-02 categories: org --- -Farewell from the *Reproducible Builds* summit, which just took place from in **Hamburg, Germany**: +Farewell from the *Reproducible Builds* summit, which just took place in **Hamburg, Germany**: {: .lead} [![]({{ "/images/news/2023-11-02-farewell-from-the-reproducible-builds-summit-2023/group_photo.jpg" | relative_url }})]({{ "/events/hamburg2023/" | relative_url }}) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/3be7497cda2d43cfb9a452b260b3740cfc4e1edf -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/3be7497cda2d43cfb9a452b260b3740cfc4e1edf You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 3 10:44:14 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Fri, 03 Nov 2023 10:44:14 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: hamburg2023: verification2 pad is shared across sessions Message-ID: <6544cefeebc9d_5e72222013833704af@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 6847b214 by Arnout Engelen at 2023-11-03T11:42:00+01:00 hamburg2023: verification2 pad is shared across sessions - - - - - 17482f15 by Arnout Engelen at 2023-11-03T11:43:53+01:00 hamburg2023: more consistent titles - - - - - 4 changed files: - _events/hamburg2023/agenda.md - _events/hamburg2023/images-filesystems.md - _events/hamburg2023/site-audiences.md - _events/hamburg2023/verification-use-cases.md ? _events/hamburg2023/verification2.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -78,11 +78,11 @@ Day 3 - Thursday, November 2nd * [Filtering diffoscope output]({{ "/events/hamburg2023/filtering-diffoscope/" | relative_url }}) * [Images/Filesystems/Containers]({{ "/events/hamburg2023/images-filesystems/" | relative_url }}) * [Born Reproducible II]({{ "/events/hamburg2023/born-reproducible-2/" | relative_url }}) - * [Using verification data]({{ "/events/hamburg2023/using-verification-data/" | relative_url }}) + * [Using verification data]({{ "/events/hamburg2023/verification2/" | relative_url }}) * 11.15 Break * 11.30 Collaborative Working Sessions, break-out discussions continue. * [Born Reproducible III]({{ "/events/hamburg2023/born-reproducible-3/" | relative_url }}) - * [Verification Service III]({{ "/events/hamburg2023/verification-service-3/" | relative_url }}) + * [Verification Service III]({{ "/events/hamburg2023/verification2/" | relative_url }}) * [Fedora packages]({{ "/events/hamburg2023/fedora-packages/" | relative_url }}) * [Arch huddle]({{ "/events/hamburg2023/arch-huddle/" | relative_url }}) * [Diffoscope II]({{ "/events/hamburg2023/diffoscope-2/" | relative_url }}) ===================================== _events/hamburg2023/images-filesystems.md ===================================== @@ -1,6 +1,6 @@ --- layout: event_detail -title: Collaborative Working Sessiosn - Images, filesystems and containers +title: Collaborative Working Sessions - Images, filesystems and containers event: hamburg2023 order: 303 permalink: /events/hamburg2023/images-filesystems/ ===================================== _events/hamburg2023/site-audiences.md ===================================== @@ -1,6 +1,6 @@ --- layout: event_detail -title: Web site audiences +title: Collaborative Working Sessions - Web site audiences event: hamburg2023 order: 212 permalink: /events/hamburg2023/site-audiences/ ===================================== _events/hamburg2023/verification-use-cases.md ? _events/hamburg2023/verification2.md ===================================== View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/3be7497cda2d43cfb9a452b260b3740cfc4e1edf...17482f1533ce57adb54d2d700bec0eec28485cb4 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/3be7497cda2d43cfb9a452b260b3740cfc4e1edf...17482f1533ce57adb54d2d700bec0eec28485cb4 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 3 10:48:06 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Fri, 03 Nov 2023 10:48:06 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] r-b summit 2023 hamburg: update list of participating projects, now at 32 Message-ID: <6544cfe6cfd7_5e724b9c3b833706b3@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: ff10caeb by Holger Levsen at 2023-11-03T11:47:53+01:00 r-b summit 2023 hamburg: update list of participating projects, now at 32 Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _events/hamburg2023/index.html Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -54,7 +54,7 @@ Germany

    Participants

    There have been participants from -Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS, coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, OpenSuSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, spytrap-adb, systemd, Ubuntu, Warpforge +Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS, coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, OpenSuSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, Rust, spytrap-adb, systemd, Ubuntu, Warpforge and more...

    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ff10caeb0296a239953ad67f2b382cb1d20c3c5a -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ff10caeb0296a239953ad67f2b382cb1d20c3c5a You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 4 21:12:19 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sat, 04 Nov 2023 21:12:19 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 3 commits: hamburg summit participants: s#CHAINS#CHAINS (KTH Royal Institute of Technology)#g Message-ID: <6546b3b31d5e5_5e72222013836162d3@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: d496da19 by Holger Levsen at 2023-11-04T22:07:29+01:00 hamburg summit participants: s#CHAINS#CHAINS (KTH Royal Institute of Technology)#g Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 73d6e334 by Holger Levsen at 2023-11-04T22:09:57+01:00 hamburg summit participants: add Tor Project Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - b9502d26 by Holger Levsen at 2023-11-04T22:12:07+01:00 hamburg summit participants: correct spelling: openSUSE Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 2 changed files: - _events/hamburg2023/index.html - _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -54,7 +54,7 @@ Germany

    Participants

    There have been participants from -Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS, coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, OpenSuSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, Rust, spytrap-adb, systemd, Ubuntu, Warpforge +Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS (KTH Royal Institute of Technology), coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, openSUSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, Rust, spytrap-adb, systemd, Tor Project, Ubuntu, Warpforge and more...

    ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -38,7 +38,7 @@ This year, we were thrilled to host the seventh edition of this exciting event. ? as well as countless informal discussions and hacking sessions into the night. Projects represented at the venue included:

    -Debian, OpenSuSE, QubesOS, GNU Guix, Arch Linux, phosh, Mobian, PureOS, JustBuild, LibreOffice, Warpforge, OpenWrt, F-Droid, NixOS, ElectroBSD, Apache Security, Buildroot, Systemd, Apache Maven, Fedora, Privoxy, CHAINS, coreboot, GitHub, Tor Project, Ubuntu, rebuilderd, repro-env, spytrap-adb, arch-repo-status, etc. +Debian, openSUSE, QubesOS, GNU Guix, Arch Linux, phosh, Mobian, PureOS, JustBuild, LibreOffice, Warpforge, OpenWrt, F-Droid, NixOS, ElectroBSD, Apache Security, Buildroot, Systemd, Apache Maven, Fedora, Privoxy, CHAINS (KTH Royal Institute of Technology), coreboot, GitHub, Tor Project, Ubuntu, rebuilderd, repro-env, spytrap-adb, arch-repo-status, etc.
    --- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/ff10caeb0296a239953ad67f2b382cb1d20c3c5a...b9502d262d8101127315a7156dae00993fdb209c -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/ff10caeb0296a239953ad67f2b382cb1d20c3c5a...b9502d262d8101127315a7156dae00993fdb209c You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 4 21:16:53 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sat, 04 Nov 2023 21:16:53 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] correct spelling: openSUSE Message-ID: <6546b4c5d836a_5e72e1f97c0361664f@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 06361dab by Holger Levsen at 2023-11-04T22:16:44+01:00 correct spelling: openSUSE Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 7 changed files: - _events/hamburg2023/index.html - _events/hamburg2023/infra.md - _events/hamburg2023/mapping-projectsinfra.md - _events/hamburg2023/rb-success.md - _events/hamburg2023/success-stories.md - _events/venice2022/index.html - _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -189,7 +189,7 @@ We are welcoming more sponsors for this event! Please
    - + openSUSE
    ===================================== _events/hamburg2023/infra.md ===================================== @@ -17,7 +17,7 @@ permalink: /events/hamburg2023/infra/ * ElectroBSD * OpenWRT * Fedora Linux - * OpenSUSE + * openSUSE * F-Droid * Java jar Archives * Debian ===================================== _events/hamburg2023/mapping-projectsinfra.md ===================================== @@ -12,7 +12,7 @@ - ElectroBSD - OpenWRT - Fedora Linux -- OpenSUSE +- openSUSE - F-Droid - Java jar Archives - Debian ===================================== _events/hamburg2023/rb-success.md ===================================== @@ -26,7 +26,7 @@ permalink: /events/hamburg2023/success/ - android - Spoon: An AST parsing and transformation library for Java https://github.com/INRIA/spoon - - openSuSE at 97% + - openSUSE at 97% - GitHub reproroducible build badge - spytrap-adb - F-Droid 90% new apps included are reproducible ===================================== _events/hamburg2023/success-stories.md ===================================== @@ -25,7 +25,7 @@ permalink: /events/hamburg2023/success-stories/ - go toolchain? - android - [Spoon](https://github.com/INRIA/spoon): An AST parsing and transformation library for Java - - openSuSE at 97% + - openSUSE at 97% - GitHub reproroducible build badge - spytrap-adb - F-Droid 90% new apps included are reproducible ===================================== _events/venice2022/index.html ===================================== @@ -150,7 +150,7 @@ Holger, Vagrant, Chris and Mattia
    - + openSUSE
    ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -12,7 +12,7 @@ Farewell from the *Reproducible Builds* summit, which just took place in **Hambu This year, we were thrilled to host the seventh edition of this exciting event. Topics covered this year included: -* Project updates from OpenSUSE, Fedora, Debian, ElectroBSD, Reproducible Central and NixOS +* Project updates from openSUSE, Fedora, Debian, ElectroBSD, Reproducible Central and NixOS * Mapping the "big picture" * Towards a snapshot service * Understanding user-facing needs and personas View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/06361dab2a0bc384ce0858a97c035ab31617822e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/06361dab2a0bc384ce0858a97c035ab31617822e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 4 22:00:52 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Sat, 04 Nov 2023 22:00:52 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Beyond Trusting FOSS ... final revision. Message-ID: <6546bf1411534_5e72e1f97c03621990@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-presentations Commits: 0224d7df by Vagrant Cascadian at 2023-11-04T15:00:38-07:00 2023-11-04: Beyond Trusting FOSS ... final revision. - - - - - 1 changed file: - 2023-11-04-SeaGL-Beyond-Trusting-FOSS/debian/changelog Changes: ===================================== 2023-11-04-SeaGL-Beyond-Trusting-FOSS/debian/changelog ===================================== @@ -1,5 +1,5 @@ -beyond-trusting-foss (2023.11.04+seagl~0) UNRELEASED; urgency=medium +beyond-trusting-foss (2023.11.04+seagl) unstable; urgency=medium * Presented at SeaGL 2023. - -- Vagrant Cascadian Wed, 01 Nov 2023 16:12:11 -0700 + -- Vagrant Cascadian Sat, 04 Nov 2023 10:26:56 -0700 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/0224d7df901cf720fce36352ada78878ef18b7a2 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/0224d7df901cf720fce36352ada78878ef18b7a2 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 08:28:37 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Mon, 06 Nov 2023 08:28:37 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] fix some links Message-ID: <6548a3b4f025c_5e724b9c3b83785921@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 405ef08b by Arnout Engelen at 2023-11-06T09:28:20+01:00 fix some links - - - - - 3 changed files: - _events/hamburg2023/arch-huddle.md - _events/hamburg2023/born-reproducible-3.md - _events/hamburg2023/using-verification-data.md Changes: ===================================== _events/hamburg2023/arch-huddle.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Arch huddle event: hamburg2023 order: 307 -permalink: /events/hamburg2023/arch-huddle +permalink: /events/hamburg2023/arch-huddle/ --- ===================================== _events/hamburg2023/born-reproducible-3.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Born reproducible III event: hamburg2023 order: 305 -permalink: /events/hamburg2023/born-reproducible-3 +permalink: /events/hamburg2023/born-reproducible-3/ --- Follow up of [Born Reproducible II]({{ "/events/hamburg2023/born-reproducible-2/" | relative_url }}) ===================================== _events/hamburg2023/using-verification-data.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Using verification data event: hamburg2023 order: 304 -permalink: /events/hamburg2023/using-verification-data +permalink: /events/hamburg2023/using-verification-data/ --- Using verification data View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/405ef08bdaf7302943db0bcc3499f7fdd34b7dc5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/405ef08bdaf7302943db0bcc3499f7fdd34b7dc5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 10:54:51 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Mon, 06 Nov 2023 10:54:51 +0000 Subject: [Git][reproducible-builds/reproducible-presentations][master] 2023-11-04: Reproducible Builds for Ubuntu - final version Message-ID: <6548c5fb3986a_5e72e1f37083825850@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-presentations Commits: d8fc8472 by Mattia Rizzolo at 2023-11-06T12:54:36+02:00 2023-11-04: Reproducible Builds for Ubuntu - final version Signed-off-by: Mattia Rizzolo <mattia at debian.org> - - - - - 1 changed file: - 2023-11-04-Reproducible-Builds-for-Ubuntu/index.html Changes: ===================================== 2023-11-04-Reproducible-Builds-for-Ubuntu/index.html ===================================== @@ -445,28 +445,84 @@ +
    +

    About actually rebuilds and verification

    +

    Because this is what actually matters: buildinfos

    +
    -
    -

    Toolchain fixes (GCC, Go, R)

    -

    Infrastructure changes

    -

    Improving developer tools

    -

    Mandating Debian packages be reproducible?

    -

    Defeating Trusting Trust…?

    +
    + 
    +Format: 1.0
+Source: libeatmydata
+Binary: eatmydata eatmydata-udeb libeatmydata1 libeatmydata1-dbgsym
+Architecture: amd64
+Version: 131-1
+Checksums-Md5:
+ 2aa285ab834acf7bf81278be8e78aeb2 6172 libeatmydata1-dbgsym_131-1_amd64.deb
+ e9ec9b65e45f3d22eaf583116bcc45d1 6980 libeatmydata1_131-1_amd64.deb
+Checksums-Sha1:
+ 13cfc33f2473c3e12299e7572b97fcd4358e861e 6172 libeatmydata1-dbgsym_131-1_amd64.deb
+ 144cb89d17e7767ddc6daf1263737d2ae38e75f6 6980 libeatmydata1_131-1_amd64.deb
+Checksums-Sha256:
+ 7a06d1b47fcc7f4784affea446b6100dc72d2a96f25137c4bcdf90ce737032ef 7472 eatmydata_131-1_all.deb
+ f3eeadb78571b0373ef3e4624d84536a7c7865e55c879445e53087b8fefaacca 6172 libeatmydata1-dbgsym_131-1_amd64.deb
+ 183de8aeaec90241574ca570500b7cdbb2662d508907974d2cadf42c03251d4d 6980 libeatmydata1_131-1_amd64.deb
+Build-Origin: Debian
+Build-Architecture: amd64
+Build-Date: Wed, 01 Nov 2023 11:10:37 +0000
+Build-Path: /build/libeatmydata-131
+Installed-Build-Depends:
+ autoconf (= 2.71-3),
+ automake (= 1:1.16.5-1.3),
+ autopoint (= 0.21-13),
+ autotools-dev (= 20220109.1),
+ base-files (= 13),
+ base-passwd (= 3.6.1),
+ bash (= 5.2.15-2+b6),
+...
+ sysvinit-utils (= 3.08-1),
+ tar (= 1.34+dfsg-1.2),
+ usr-is-merged (= 37),
+ usrmerge (= 37),
+ util-linux (= 2.39.2-5),
+ xz-utils (= 5.4.4-0.1),
+ zlib1g (= 1:1.2.13.dfsg-3)
+Environment:
+ DEB_BUILD_OPTIONS="parallel=4"
+ DPKG_GENSYMBOLS_CHECK_LEVEL="4"
+ LANG="C"
+ LC_ALL="C"
+ LC_TIME="en_US.UTF-8"
+ LD_LIBRARY_PATH="/usr/lib/libeatmydata"
+ SOURCE_DATE_EPOCH="1693822961"
+
    +
    + +
    +

    SBOM?

    +
    + +
    +

    https://bugs.launchpad.net/launchpad/+bug/1686242

    + +

    Thank you Simon Quigley!

    +
    + +
    +

    Q & A

    Get involved!

    - - - - - +
    Visit:reproducible-builds.org
    Subscribe:lists.reproducible-builds.org → rb-general
    Follow:@ReproBuilds on TwitterX
    Join:#reproducible-builds (on OFTC)
    + + + +
    Visit:reproducible-builds.org
    Subscribe:lists.reproducible-builds.org → rb-general
    Follow:@ReproBuilds on TwitterX
    Join:#reproducible-builds (on OFTC)
    -
    -

    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d8fc8472464329f8c6fe79d9fa415fc294b4f077 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/commit/d8fc8472464329f8c6fe79d9fa415fc294b4f077 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 16:12:37 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 06 Nov 2023 16:12:37 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: Add notes about Arch huddle Message-ID: <654910757b36c_5e724b9c3b83893846@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 11bfa2f9 by Orhun Parmaks?z at 2023-11-06T17:10:22+01:00 hamburg2023: Add notes about Arch huddle Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _events/hamburg2023/arch-huddle.md Changes: ===================================== _events/hamburg2023/arch-huddle.md ===================================== @@ -5,5 +5,28 @@ event: hamburg2023 order: 307 permalink: /events/hamburg2023/arch-huddle/ --- +# Making Arch Linux Debug Packages Reproducible +This should be handled in three different steps. There are questions remaining to be answered before proceeding with the integration. +## `debuginfod` + +- Is `debuginfod` secure? + - i.e. Is there authentication between `gdb` and `debuginfod`? + +?? It is theoretically possible to perform code execution through debug symbols. + +## Mirrors + +- Right now the debug packages live in a single server. We should start distributing them through mirrors and potentially have them in our archives as well. + - There is a question about storage since debug packages might take a good amount of disk space. + - "We shouldn't let the limitations of mirrors affect our design choices". + +## Integration + +Here are the tools that needs integration: + +- [rebuilderd](https://github.com/kpcyrd/rebuilderd) +- [devtools](https://gitlab.archlinux.org/archlinux/devtools) +- [repro](https://github.com/archlinux/archlinux-repro) + - We need to check hashes etc. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/11bfa2f94e4c2e625b0393ac131bd1cafba39e1a -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/11bfa2f94e4c2e625b0393ac131bd1cafba39e1a You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 16:46:29 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 06 Nov 2023 16:46:29 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: += https://bugs.launchpad.net/launchpad/+bug/1686242 Message-ID: <65491865d2600_5e72e207f143904544@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: b5e31114 by Holger Levsen at 2023-11-06T17:45:56+01:00 2023 11: += https://bugs.launchpad.net/launchpad/+bug/1686242 Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - + _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -0,0 +1,9 @@ +--- +layout: report +year: "2023" +month: "11" +title: "Reproducible Builds in November 2023" +draft: true +--- + +FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so that Launchpad now serves .buildinfo files. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b5e31114441aa22b20c68946d1f49582a700f449 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b5e31114441aa22b20c68946d1f49582a700f449 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 23:24:02 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 06 Nov 2023 23:24:02 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] jekyll: switch to default highlighter Message-ID: <654975926cb2c_5e72222013839870d5@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 5d46ea5d by Holger Levsen at 2023-11-07T00:23:01+01:00 jekyll: switch to default highlighter Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _config.yml Changes: ===================================== _config.yml ===================================== @@ -1,5 +1,5 @@ markdown: kramdown -highlighter: pygments +highlighter: rouge permalink: /news/:year/:month/:day/:title/ # Site settings View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5d46ea5db26a4e251d9b186b876d41a67de89e82 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5d46ea5db26a4e251d9b186b876d41a67de89e82 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 6 23:30:14 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 06 Nov 2023 23:30:14 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] venice 2022s summit: make these pages visible Message-ID: <6549770634769_5e724b9c3b83987737@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 65072a36 by Holger Levsen at 2023-11-07T00:29:14+01:00 venice 2022s summit: make these pages visible Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 3 changed files: - _events/venice2022/firmware.md - _events/venice2022/taxonomy.md - _events/venice2022/travelsupport.md Changes: ===================================== _events/venice2022/firmware.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Firmware event: venice2022 order: 130 -permalink: /events/venice2022/firmware +permalink: /events/venice2022/firmware/ --- Reproducible Builds Summit 2022 ===================================== _events/venice2022/taxonomy.md ===================================== @@ -3,7 +3,7 @@ layout: event_detail title: Collaborative Working Sessions - Taxonomy event: venice2022 order: 110 -permalink: /events/venice2022/taxonomy +permalink: /events/venice2022/taxonomy/ --- Reproducible Builds Summit 2022 ===================================== _events/venice2022/travelsupport.md ===================================== @@ -1,7 +1,7 @@ --- layout: default title: Venice 2022 - Travel Bursary -permalink: /events/venice2022/travelsupport +permalink: /events/venice2022/travelsupport/ event_hide: true event_date: 2022-11-01 event_date_string: November 1st-3rd 2022 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/65072a36b3db8b3020b61acf97e9f6a84f416be4 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/65072a36b3db8b3020b61acf97e9f6a84f416be4 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 7 08:35:47 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Tue, 07 Nov 2023 08:35:47 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] blacklist scipy, gcc12-cross-ports and telegram-desktop everywhere Message-ID: <6549f6e3d9001_5e724b9c3b840260be@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: f470e834 by Holger Levsen at 2023-11-07T09:35:08+01:00 blacklist scipy, gcc12-cross-ports and telegram-desktop everywhere Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -6909,6 +6909,9 @@ gcc-12: issues: - blacklisted_on_jenkins - test_suite_logs +gcc-12-cross-ports: + issues: + - blacklisted_on_jenkins gcc-12-cross-mipsen: version: 1+c2 comments: | @@ -31176,6 +31179,7 @@ scipy: version: 1.5.4-1 issues: - randomness_in_documentation_generated_by_sphinx + - blacklisted_on_jenkins sciscipy: version: 1.0.1-2 issues: @@ -33147,6 +33151,7 @@ telegram-desktop: version: 1.0.14-1 issues: - gcc_captures_build_path + - blacklisted_on_jenkins telepathy-python: version: 0.15.19-2.1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/f470e8345709c40ec8c26de1234d92094ae4949f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/f470e8345709c40ec8c26de1234d92094ae4949f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 7 09:37:13 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Tue, 07 Nov 2023 09:37:13 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] blacklist gcc(9|10|11|13)-cross-ports everywhere as well Message-ID: <654a0549ee434_5e72e1f3708404219@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: aa9ade7b by Holger Levsen at 2023-11-07T10:32:13+01:00 blacklist gcc(9|10|11|13)-cross-ports everywhere as well Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -6909,7 +6909,24 @@ gcc-12: issues: - blacklisted_on_jenkins - test_suite_logs +gcc-9-cross-ports: + version: 27 + issues: + - blacklisted_on_jenkins +gcc-10-cross-ports: + version: 24 + issues: + - blacklisted_on_jenkins +gcc-11-cross-ports: + version: 18 + issues: + - blacklisted_on_jenkins gcc-12-cross-ports: + version: 17 + issues: + - blacklisted_on_jenkins +gcc-13-cross-ports: + version: 14 issues: - blacklisted_on_jenkins gcc-12-cross-mipsen: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/aa9ade7bcca8af02703f7e1bcfe65e6ff5069abb -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/aa9ade7bcca8af02703f7e1bcfe65e6ff5069abb You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 7 10:46:19 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Tue, 07 Nov 2023 10:46:19 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Fix project name Message-ID: <654a157bbee7e_5e724b9c3b8405415f@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 6de329b6 by Orhun Parmaks?z at 2023-11-07T11:45:55+01:00 Fix project name Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md Changes: ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -38,7 +38,7 @@ This year, we were thrilled to host the seventh edition of this exciting event. ? as well as countless informal discussions and hacking sessions into the night. Projects represented at the venue included:
    -Debian, openSUSE, QubesOS, GNU Guix, Arch Linux, phosh, Mobian, PureOS, JustBuild, LibreOffice, Warpforge, OpenWrt, F-Droid, NixOS, ElectroBSD, Apache Security, Buildroot, Systemd, Apache Maven, Fedora, Privoxy, CHAINS (KTH Royal Institute of Technology), coreboot, GitHub, Tor Project, Ubuntu, rebuilderd, repro-env, spytrap-adb, arch-repo-status, etc. +Debian, openSUSE, QubesOS, GNU Guix, Arch Linux, phosh, Mobian, PureOS, JustBuild, LibreOffice, Warpforge, OpenWrt, F-Droid, NixOS, ElectroBSD, Apache Security, Buildroot, Systemd, Apache Maven, Fedora, Privoxy, CHAINS (KTH Royal Institute of Technology), coreboot, GitHub, Tor Project, Ubuntu, rebuilderd, repro-env, spytrap-adb, arch-repro-status, etc.
    --- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/6de329b64ede6c1d183bc96ce0a428f02bb07813 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/6de329b64ede6c1d183bc96ce0a428f02bb07813 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 10:55:42 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Wed, 08 Nov 2023 10:55:42 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: 2023-09: minor changes. Message-ID: <654b692eae524_5e724b9c3b842527bc@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 77d9ec54 by Chris Lamb at 2023-11-07T14:19:33+00:00 2023-09: minor changes. - - - - - 3c35f875 by Chris Lamb at 2023-11-08T10:47:38+00:00 2023-10: Initial draft - - - - - 14 changed files: - _reports/2023-09.md - _reports/2023-10.md - + images/reports/2023-10/codethink.png - + images/reports/2023-10/debian.png - + images/reports/2023-10/diffoscope.png - + images/reports/2023-10/nih.png - + images/reports/2023-10/nixos.png - + images/reports/2023-10/opensuse.png - + images/reports/2023-10/python-logo.png - + images/reports/2023-10/reproducible-builds.png - + images/reports/2023-10/summit.jpg - + images/reports/2023-10/sustain.jpg - + images/reports/2023-10/testframework.png - + images/reports/2023-10/time-to-fix-paper.png Changes: ===================================== _reports/2023-09.md ===================================== @@ -105,12 +105,11 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
    - ## Testing framework [![]({{ "/images/reports/2023-09/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/) -The Reproducible Builds project operates a comprehensive testing framework (available at [tests.reproducible-builds.org](https://tests.reproducible-builds.org)) in order to check packages and other artifacts for reproducibility. In August, a number of changes were made by Holger Levsen: +The Reproducible Builds project operates a comprehensive testing framework (available at [tests.reproducible-builds.org](https://tests.reproducible-builds.org)) in order to check packages and other artifacts for reproducibility. In September, a number of changes were made by Holger Levsen: * Disable `armhf` and `i386` builds due to Debian bug [#1052257](https://bugs.debian.org/1052257). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dce8e9b32)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a52db3412)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c3644e4af)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4fca345f7)] * Run *diffoscope* with a lower `ionice` priority. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ac887a9bc)] ===================================== _reports/2023-10.md ===================================== @@ -6,54 +6,190 @@ title: "Reproducible Builds in October 2023" draft: true --- -* [FIXME](https://mcis.cs.queensu.ca/publications/2023/emse_rahul.pdf) +[![]({{ "/images/reports/2023-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) -* [Reproducible Builds for CPython source tarballs](https://sethmlarson.dev/security-developer-in-residence-weekly-report-14) +**Welcome to the October 2023 report from the [Reproducible Builds](https://reproducible-builds.org) project.** In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. -* [FIXME](Codethink generously replaced our old Moonshot-Slides, which they generously hosted since 2016, with new kvm arm64 hardware, which - Holger added to tests.r-b.o/debian.) +--- + +### Reproducible Builds Summit 2023 + +[![]({{ "/images/reports/2023-10/summit.jpg#right" | relative_url }})]({{ "/events/hamburg2023/" | relative_url }}) + +Between October 31st and November 2nd, we held our [seventh Reproducible Builds Summit]({{ "/events/hamburg2023/" | relative_url }}) in Hamburg, Germany! + +Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort, and this instance was no different. + +During this enriching event, participants had the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. A number of concrete outcomes from the summit will documented in the report for November 2023 and elsewhere. + +The Reproducible Builds team would like to thank our event sponsors who include [Mullvad VPN](https://mullvad.net/), [OpenSuse](https://www.opensuse.org/), [Debian](https://www.debian.org/), [Software Freedom Conservancy](https://sfconservancy.org/), [Allotropia](https://www.debian.org/) and [Aspiration Tech](https://aspirationtech.org/). + +
    + +### Reflections on *Reflections on Trusting Trust* + +[![]({{ "/images/reports/2023-10/nih.png#right" | relative_url }})](https://research.swtch.com/nih) + +[Russ Cox](https://swtch.com/~rsc/) posted a [fascinating article on his blog](https://research.swtch.com/nih) prompted by the fortieth anniversary of Ken Thompson's award-winning paper, [*Reflections on Trusting Trust*](https://dl.acm.org/doi/pdf/10.1145/358198.358210): + +> [?] In March 2023, Ken gave the closing keynote [and] during the Q&A session, someone jokingly asked about the Turing award lecture, specifically ?can you tell us right now whether you have a backdoor into every copy of *gcc* and Linux still today?? + +Although Ken reveals (or at least *claims*!) that he has no such backdoor, he does admit that he has the actual code? which Russ requests and subsequently dissects in great but accessible detail. + +
    + +### Ecosystem factors of reproducible builds + +[![]({{ "/images/reports/2023-10/time-to-fix-paper.png#right" | relative_url }})](https://mcis.cs.queensu.ca/publications) + +Rahul Bajaj, Eduardo Fernandes, Bram Adams and Ahmed E. Hassan from the [Maintenance, Construction and Intelligence of Software (MCIS)](https://mcis.cs.queensu.ca) laboratory within the [School of Computing](https://cs.queensu.ca/), [Queen's University](https://www.queensu.ca/) in Ontario, Canada have published a paper on the "*Time to fix, causes and correlation with external ecosystem factors*" of unreproducible builds. + +The authors compare various response times within the [Debian](https://debian.org/) and [Arch Linux](https://archlinux.org/) distributions including, for example: + +> Arch Linux packages become reproducible a median of 30 days quicker when compared to Debian packages, while Debian packages remain reproducible for a median of 68 days longer once fixed. + +A [full PDF of their paper](https://mcis.cs.queensu.ca/publications/2023/emse_rahul.pdf) is available online, as are many other interesting papers on [MCIS'](https://mcis.cs.queensu.ca/publications) publication page. + +
    + +### NixOS installation image reproducible + +[![]({{ "/images/reports/2023-10/nixos.png#right" | relative_url }})](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756) + +On the [NixOS Discourse instance](https://discourse.nixos.org/), Arnout Engelen (*raboof*) announced that NixOS have created an independent, bit-for-bit identical rebuilding of the `nixos-minimal` image that is used to install NixOS. [In their post](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756), Arnout details what exactly can be reproduced, and even includes some of the history of this endeavour: + +> You may remember a [2021 announcement](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723) that the minimal ISO was 100% reproducible. While back then we successfully tested that all packages were needed to build the ISO were individually reproducible, actually rebuilding the ISO still introduced differences. This was due to [some remaining problems](https://github.com/NixOS/nixpkgs/issues/125380) in the hydra cache and the way the ISO was created. By the time we fixed those, regressions had popped up (notably an upstream problem in Python 3.10), and it isn?t until this week that we were back to having everything reproducible and being able to validate the complete chain. + +Congratulations to NixOS team for reaching this important milestone! Discussion about this announcement [can be found underneath the post](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756#post_2) itself, as well as [on Hacker News](https://news.ycombinator.com/item?id=38057591). + +
    + +### CPython source tarballs now reproducible + +[![]({{ "/images/reports/2023-10/python-logo.png#right" | relative_url }})](https://github.com/python/release-tools/pull/62) + +[Seth Larson](https://sethmlarson.dev/) published a blog post [investigating the reproducibility of the CPython source tarballs](https://sethmlarson.dev/security-developer-in-residence-weekly-report-14). Using [*diffoscope*](https://diffoscope.org/), *reprotest* and other tools, Seth documents his work that led to [a pull request to make these files reproducible](https://github.com/python/release-tools/pull/62) which was merged by [?ukasz Langa](https://lukasz.langa.pl/). + +
    + +### New `arm64` hardware from Codethink + +[![]({{ "/images/reports/2023-10/codethink.png#right" | relative_url }})](https://www.codethink.co.uk/) + +Long-time sponsor of the project, [Codethink](https://www.codethink.co.uk/), have generously replaced our old "Moonshot-Slides", which they have generously hosted since 2016 with new [KVM](https://linux-kvm.org/page/Main_Page)-based `arm64` hardware. Holger Levsen integrated these new nodes to the [Reproducible Builds' continuous integration](https://tests.reproducible-builds.org/) framework. + +
    + +### Community updates + +On our [mailing list during October 2023](https://lists.reproducible-builds.org/pipermail/rb-general/2023-October/thread.html) there were a number of threads, including: -* Blog post about a talk by Ken Thompson and the original Trusting Trust attack: - Russ Cox posted https://research.swtch.com/nih and disseminates the original Ken Thompson compiler backdoor in this, together with a link https://research.swtch.com/v6/ to follow along in a simulator. - More of historical importance, but definitely interesting and relevant to this group, which is also mentioned in the posting. - The talk by Thompson which sparked all this is linked to as well at https://www.youtube.com/watch?v=kaandEt_pKw&t=643s +* Vagrant Cascadian continued a thread about the implementation details of a "snapshot" archive server required for reproducing previous builds. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2023-October/003086.html)] + +* Akihiro Suda shared an update on [BuildKit](https://github.com/moby/buildkit), a toolkit for building [Docker](https://www.docker.com/) container images. Akihiro links to a interesting talk they recently gave at [DockerCon](https://dockercon.com/) titled [*Reproducible builds with BuildKit for software supply-chain security*](https://medium.com/nttlabs/dockercon-2023-reproducible-builds-with-buildkit-for-software-supply-chain-security-0e5aedd1aaa7). + +* Alex Zakharov started a thread discussing and proposing fixes for various tools that create [`ext4`](https://en.wikipedia.org/wiki/Ext4) filesystem images. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2023-October/003098.html)] + +Elsewhere, Pol Dellaiera made a number of improvements to our website, including fixing typos and links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7f3e9550)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8ab7459c)], adding a [NixOS "Flake" file](https://nixos.wiki/wiki/Flakes) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c1a61eb)] and sorting our [publications page]({{ "/docs/publications/" | relative_url }}) by date [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d052569b)]. + +
    + +### Distribution work + +[![]({{ "/images/reports/2023-10/debian.png#right" | relative_url }})](https://debian.org/) + +*distro-info* is a Debian-oriented tool that can provide information about Debian (and Ubuntu) distributions such as their codenames (eg. *bookworm*) and so on. This month, Benjamin Drung uploaded a new version of *distro-info* that added support for the [`SOURCE_DATE_EPOCH` environment variable]({{ "/specs/source-date-epoch/" | relative_url }}) in order to close bug [#10344222](https://tracker.debian.org/distro-info). In addition, 8 reviews of packages were added, 74 were updated and 56 were removed this month, all adding to our [knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). + +Bernhard M. Wiedemann published another [monthly report about reproducibility within openSUSE](https://lists.opensuse.org/archives/list/factory at lists.opensuse.org/thread/4QTSQCYBMF6QZYWIB63T46ILLTVGVMMJ/). + +
    + +### Software development + +The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including: - * [FIXME: Benjamin Drung uploaded distro-info](https://tracker.debian.org/distro-info) 1.6 supporting [SOURCE_DATE_EPOCH](https://bugs.debian.org/1034422). - * Bernhard M. Wiedemann: - * [`elasticsearch`](https://github.com/elastic/elasticsearch-py/issues/2320) (FTBFS) - * [`kitty`](https://github.com/kovidgoyal/kitty/pull/6685) (merged, sort, tar mtime) + + * [`edje_cc`](https://git.enlightenment.org/enlightenment/efl/issues/41) (race condition) + * [`elasticsearch`](https://github.com/elastic/elasticsearch-py/issues/2320) (build failure) + * [`erlang-retest`](https://build.opensuse.org/request/show/1116208) (embedded `.zip` timestamp) + * [`fdo-client`](https://bugzilla.opensuse.org/show_bug.cgi?id=1216293) (embeds private keys) + * [`fftw3`](https://github.com/FFTW/fftw3/issues/337) (random ordering) + * [`gsoap`](https://sourceforge.net/p/gsoap2/patches/185/) (date issue) + * [`gutenprint`](https://sourceforge.net/p/gimp-print/source/merge-requests/9/) (date) + * [`hub/golang`](https://github.com/golang/go/issues/63851) (embeds random build path) + * [`Hyprland`](https://github.com/hyprwm/Hyprland/pull/3550) (filesystem issue) + * [`kitty`](https://github.com/kovidgoyal/kitty/pull/6685) (sort-related issue, `.tar` file embeds modification time) * [`libpinyin`](https://github.com/libpinyin/libpinyin/issues/162) (ASLR) - * [`maildir-utils`](https://github.com/djcb/mu/pull/2569) (date in copyright) - * [`sbcl`](https://sourceforge.net/p/sbcl/mailman/sbcl-devel/thread/3ebdd95c-c498-462f-9cfe-7d05a1ee0044%40suse.de/) (report timestamp+other) - * [`Hyprland`](https://github.com/hyprwm/Hyprland/pull/3550) (merged, filesys (find/meson)) - * [`edje_cc`](https://git.enlightenment.org/enlightenment/efl/issues/41) (race, nondeterministic order) - * [`MooseX`](https://github.com/maros/MooseX-App/pull/71) (merged, kanku toolchain, date from perl-MooseX-App) - * [`qpid`](https://github.com/apache/qpid-proton/pull/411) (merged, sort) - * [`fftw3`](https://github.com/FFTW/fftw3/issues/337) (random order) - * [`rakudo`](https://github.com/rakudo/rakudo/pull/5426) (merged, sort readdir) - * [`rakudo/moarvm`](https://github.com/rakudo/rakudo/issues/5427) (unknown, toolchain) - * [`gutenprint`](https://sourceforge.net/p/gimp-print/source/merge-requests/9/) (merged, date) - * [`OpenRGB`](https://gitlab.com/CalcProgrammer1/OpenRGB/-/issues/3675) ([fixed corruption](https://gitlab.com/CalcProgrammer1/OpenRGB/-/merge_requests/2103) filesys+parallelism) - * [`OpenRGB`](https://gitlab.com/CalcProgrammer1/OpenRGB/-/merge_requests/2101) (merged, FTBFS) + * [`maildir-utils`](https://github.com/djcb/mu/pull/2569) (date embedded in copyright) + * [`mame`](https://github.com/mamedev/mame/pull/11651) (order-related issue) + * [`mingw32-binutils`](https://build.opensuse.org/request/show/1116036) & [`mingw64-binutils`](https://build.opensuse.org/request/show/1116040) (date) + * [`MooseX`](https://github.com/maros/MooseX-App/pull/71) (date from perl-MooseX-App) + * [`occt`](https://build.opensuse.org/request/show/1119524) (sorting issue) + * [`openblas`](https://build.opensuse.org/request/show/1118201) (embeds CPU count) + * [`OpenRGB`](https://gitlab.com/CalcProgrammer1/OpenRGB/-/issues/3675) ([corruption-related issue](https://gitlab.com/CalcProgrammer1/OpenRGB/-/merge_requests/2103)) * [`python-numpy`](https://bugzilla.opensuse.org/show_bug.cgi?id=1216458) (random file names) - * [`fdo-client`](https://bugzilla.opensuse.org/show_bug.cgi?id=1216293) (private keys) - * [`SLOF`](https://gitlab.com/qemu-project/SLOF/-/merge_requests/1) (date) - * [`mame`](https://github.com/mamedev/mame/pull/11651) (order) - * [`gsoap`](https://sourceforge.net/p/gsoap2/patches/185/) (date, toolchain) - * [`python3-pyside2`](https://bugreports.qt.io/browse/PYSIDE-2508) (order) - * [`mingw32-binutils`](https://build.opensuse.org/request/show/1116036) + [`mingw64-binutils`](https://build.opensuse.org/request/show/1116040) (date, toolchain) - * [`erlang-retest`](https://build.opensuse.org/request/show/1116208) (embedded zip timestamp) * [`python-pandas`](https://build.opensuse.org/request/show/1117743) (FTBFS) * [`python-quantities`](https://build.opensuse.org/request/show/1117898) (date) - * [`spack`](https://build.opensuse.org/request/show/1118130) (cpu count) - * [`openblas`](https://build.opensuse.org/request/show/1118201) (cpu count) - * [`xemacs-packages`](https://build.opensuse.org/request/show/1119260) (drop date) - * [`occt`](https://build.opensuse.org/request/show/1119524) (sort (not upstream)) - * [`mame`](https://build.opensuse.org/request/show/1119553) (order) - * [`qemu`](https://build.opensuse.org/request/show/1121011) (date+workaround sphinx toolchain issue) - * [`hub/golang`](https://github.com/golang/go/issues/63851) (toolchain random build path) + * [`python3-pyside2`](https://bugreports.qt.io/browse/PYSIDE-2508) (order) + * [`qemu`](https://build.opensuse.org/request/show/1121011) (date and Sphinx issue) + * [`qpid`](https://github.com/apache/qpid-proton/pull/411) (sorting problem) + * [`rakudo`](https://github.com/rakudo/rakudo/pull/5426) (filesystem ordering issue) + * [`SLOF`](https://gitlab.com/qemu-project/SLOF/-/merge_requests/1) (date-related issue) + * [`spack`](https://build.opensuse.org/request/show/1118130) (CPU counting issue) + * [`xemacs-packages`](https://build.opensuse.org/request/show/1119260) (date-related issue) + +* Chris Lamb: + + * [#1053353](https://bugs.debian.org/1053353) filed against [`dacite`](https://tracker.debian.org/pkg/dacite). + * [#1053356](https://bugs.debian.org/1053356) filed against [`rtpengine`](https://tracker.debian.org/pkg/rtpengine). + +In addition, Chris Lamb fixed an issue in [*diffoscope*](https://diffoscope.org), where if the equivalent of `file -i` returns `text/plain`, fallback to comparing as a text file. This was originally filed as Debian bug [#1053668](https://bugs.debian.org/1053668)) by Niels Thykier. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/81c68d7b)] This was then uploaded to Debian (and elsewhere) as version `251`. + +
    + +### Reproducibility testing framework + +[![]({{ "/images/reports/2023-10/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/) + +The Reproducible Builds project operates a comprehensive testing framework (available at [tests.reproducible-builds.org](https://tests.reproducible-builds.org)) in order to check packages and other artifacts for reproducibility. In October, a number of changes were made by Holger Levsen: + +* Debian-related changes: + + * Refine the handling of package blacklisting, such as sending blacklisting notifications to the `#debian-reproducible-changes` IRC channel. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/07bd72f45)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/987448aba)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8fdd35cff)] + * Install `systemd-oomd` on all Debian *bookworm* nodes (re. Debian bug [#1052257](https://bugs.debian.org/1052257)). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08785fdf3)] + * Detect more cases of failures to delete `schroots`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b32f37dbf)] + * Document various bugs in *bookworm* which are (currently) being manually worked around. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/67612f231)] + +* Node-related changes: + + * Integrate the new `arm64` machines from [Codethink](https://www.codethink.co.uk/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4411b061e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4e710ec37)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/916706239)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f7b7aa5c0)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/df2deec90)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/05b2bcd34)] + * Improve various node cleanup routines. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d41fdb63f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08920dc6a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7c174dc2a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/357c8120d)] + * General node maintenance. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/93765e006)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b70f0f06b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c3d527015)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1812e9c6d)] + +* Monitoring-related changes: + + * Remove unused [Munin](https://munin-monitoring.org/) monitoring plugins. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db72c0b34)] + * Complain less visibly about "too many" installed kernels. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b75d6f5e4)] + +* Misc: + + * Enhance the firewall handling on Jenkins nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08bf35af2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5695c235a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b02d22f00)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/aaa68e7bf)] + * Install the `fish` shell everywhere. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f460d6b44)] + + +In addition, Vagrant Cascadian added some packages and configuration for snapshot experiments. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/896f12ede)] + +
    + +--- + +If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via: + + * IRC: `#reproducible-builds` on `irc.oftc.net`. + + * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general) -* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory at lists.opensuse.org/thread/4QTSQCYBMF6QZYWIB63T46ILLTVGVMMJ/) + * Mastodon: [@reproducible_builds](https://fosstodon.org/@reproducible_builds) -* FIXME https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756 + https://news.ycombinator.com/item?id=38057591 + * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds) ===================================== images/reports/2023-10/codethink.png ===================================== Binary files /dev/null and b/images/reports/2023-10/codethink.png differ ===================================== images/reports/2023-10/debian.png ===================================== Binary files /dev/null and b/images/reports/2023-10/debian.png differ ===================================== images/reports/2023-10/diffoscope.png ===================================== Binary files /dev/null and b/images/reports/2023-10/diffoscope.png differ ===================================== images/reports/2023-10/nih.png ===================================== Binary files /dev/null and b/images/reports/2023-10/nih.png differ ===================================== images/reports/2023-10/nixos.png ===================================== Binary files /dev/null and b/images/reports/2023-10/nixos.png differ ===================================== images/reports/2023-10/opensuse.png ===================================== Binary files /dev/null and b/images/reports/2023-10/opensuse.png differ ===================================== images/reports/2023-10/python-logo.png ===================================== Binary files /dev/null and b/images/reports/2023-10/python-logo.png differ ===================================== images/reports/2023-10/reproducible-builds.png ===================================== Binary files /dev/null and b/images/reports/2023-10/reproducible-builds.png differ ===================================== images/reports/2023-10/summit.jpg ===================================== Binary files /dev/null and b/images/reports/2023-10/summit.jpg differ ===================================== images/reports/2023-10/sustain.jpg ===================================== Binary files /dev/null and b/images/reports/2023-10/sustain.jpg differ ===================================== images/reports/2023-10/testframework.png ===================================== Binary files /dev/null and b/images/reports/2023-10/testframework.png differ ===================================== images/reports/2023-10/time-to-fix-paper.png ===================================== Binary files /dev/null and b/images/reports/2023-10/time-to-fix-paper.png differ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/6de329b64ede6c1d183bc96ce0a428f02bb07813...3c35f87572ee93641d0249929cc83bb5e80c3b77 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/6de329b64ede6c1d183bc96ce0a428f02bb07813...3c35f87572ee93641d0249929cc83bb5e80c3b77 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 12:46:40 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 08 Nov 2023 12:46:40 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: 2023 10: += https://reproducible-builds.org/events/hamburg2023/agenda/ Message-ID: <654b83303563a_5e724b9c3b84286071@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: db8fbbdc by Holger Levsen at 2023-11-08T13:38:42+01:00 2023 10: += https://reproducible-builds.org/events/hamburg2023/agenda/ Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - fcd990dc by Holger Levsen at 2023-11-08T13:45:49+01:00 2023 hamburg summit: turn most sentences into past Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 2 changed files: - _events/hamburg2023/index.html - _reports/2023-10.md Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -21,8 +21,8 @@ event_summary: Three days to continue the growth of the Reproducible Builds effo Marrakech 2019 and Venice 2022 - the reproducible builds folks will meet again! - And just like previous years, the heart of the workshop are three days of moderated sessions with the goals outlined just below. + the reproducible builds folks have meet again! + And just like previous years, the heart of the workshop were three days of moderated sessions with the goals outlined just below.

    Where:
    @@ -36,8 +36,8 @@ Germany

    Goals

    - As previously, the exact content of the meeting will be shaped by the participants, - these are our main goals as organizers: + As previously, the exact content of the meeting has been shaped by the participants, + these were our main goals as organizers:

    • Physically meet each other after such a long time! ;-)
      • @@ -57,17 +57,6 @@ Germany
      Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS (KTH Royal Institute of Technology), coreboot, Debian, ElectroBSD, F-Droid, Fedora, GitHub, GNU Guix, Google Cloud, JustBuild, LibreOffice, Mobian, NixOS, openSUSE, OpenWrt, phosh, privoxy, Pure OS, Qubes OS, rebuilderd, Red Hat, repro-env, Rust, spytrap-adb, systemd, Tor Project, Ubuntu, Warpforge and more...

      -

      -There will be a huge variety of topics to be discussed. To give a few examples: -

      -
        -
      • continuing design and development work on .buildinfo infrastructure (SBOM anybody?)
        • -
      • build-path issues everywhere
        • -
      • future directions for diffoscope, reprotest & strip-nondeterminism
        • -
      • discussing formats and tools we can share
        • -
      • sharing proposals for standards and documentation helpful to spreading the reproducible effort
        • -
      • and many many more.
        • -

      Event Documentation

        @@ -93,7 +82,7 @@ There was a huge variety of topics discussed. To give a few examples:

        Location

        - The event took will take place at place at dock europe e.V. + The event took took place at place at dock europe e.V. in Hamburg Altona, Germany.

        @@ -108,7 +97,7 @@ The venue is quite easily reachable by public transit, from both the airport and

        - The event space can also lodge 28 people in 2-people bedrooms. We will allocate them on request during registration. + The event space can also lodge 28 people in 2-people bedrooms which we allocated on request during registration.

        -

        + -

        Other activities

        +

        Code of Conduct

        - This event will be run under the guidance of the DebConf Code of Conduct and the Debian Code of Conduct. + This event was run under the guidance of the DebConf Code of Conduct and the Debian Code of Conduct.

        - The organisers are committed to providing an event where all participants feel safe. Attendees are expected to treat all people with respect and help create a welcoming environment. If you notice behaviour that fails to meet this standard, please speak up (aloud or in private to the organisers). + The organisers are committed to providing events where all participants feel safe. Attendees are expected to treat all people with respect and help create a welcoming environment. If you notice behaviour that fails to meet this standard, please speak up (aloud or in private to the organisers).

        Organized by

        @@ -171,7 +160,7 @@ Holger, Vagrant, Chris and Mattia

        Sponsors

        -We are welcoming more sponsors for this event! Please contact us if you want to support this event. +We are thankful for having had these sponsors for this event! Please contact us if you want to support future event like this one.

        Gold Level

        @@ -223,7 +212,7 @@ We are welcoming more sponsors for this event! Please

        Contact the organization team if you need help with getting a visa processed. -

        +

        Travel to Hamburg and the venue

        @@ -245,8 +234,8 @@ We are welcoming more sponsors for this event! Please         See this page for more instructions on how to reach the venue.

        -

        Registration

        + ===================================== _reports/2023-10.md ===================================== @@ -22,6 +22,8 @@ Our summits are a unique gathering that brings together attendees from diverse p During this enriching event, participants had the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. A number of concrete outcomes from the summit will documented in the report for November 2023 and elsewhere. +FIXME: Amazingly the agenda and all notes from all sessions are already online https://reproducible-builds.org/events/hamburg2023/agenda/. + The Reproducible Builds team would like to thank our event sponsors who include [Mullvad VPN](https://mullvad.net/), [OpenSuse](https://www.opensuse.org/), [Debian](https://www.debian.org/), [Software Freedom Conservancy](https://sfconservancy.org/), [Allotropia](https://www.debian.org/) and [Aspiration Tech](https://aspirationtech.org/).
        View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/3c35f87572ee93641d0249929cc83bb5e80c3b77...fcd990dc7a330112574031d4578ce1bae8f0b67e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/3c35f87572ee93641d0249929cc83bb5e80c3b77...fcd990dc7a330112574031d4578ce1bae8f0b67e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 14:04:44 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Wed, 08 Nov 2023 14:04:44 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] more specific link, add missing word Message-ID: <654b957ce0d6_5e7413f5368430575@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 81e76c92 by Arnout Engelen at 2023-11-08T15:04:04+01:00 more specific link, add missing word - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -58,9 +58,9 @@ A [full PDF of their paper](https://mcis.cs.queensu.ca/publications/2023/emse_ra [![]({{ "/images/reports/2023-10/nixos.png#right" | relative_url }})](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756) -On the [NixOS Discourse instance](https://discourse.nixos.org/), Arnout Engelen (*raboof*) announced that NixOS have created an independent, bit-for-bit identical rebuilding of the `nixos-minimal` image that is used to install NixOS. [In their post](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756), Arnout details what exactly can be reproduced, and even includes some of the history of this endeavour: +On the [NixOS Discourse instance](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756), Arnout Engelen (*raboof*) announced that NixOS have created an independent, bit-for-bit identical rebuilding of the `nixos-minimal` image that is used to install NixOS. [In their post](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756), Arnout details what exactly can be reproduced, and even includes some of the history of this endeavour: -> You may remember a [2021 announcement](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723) that the minimal ISO was 100% reproducible. While back then we successfully tested that all packages were needed to build the ISO were individually reproducible, actually rebuilding the ISO still introduced differences. This was due to [some remaining problems](https://github.com/NixOS/nixpkgs/issues/125380) in the hydra cache and the way the ISO was created. By the time we fixed those, regressions had popped up (notably an upstream problem in Python 3.10), and it isn?t until this week that we were back to having everything reproducible and being able to validate the complete chain. +> You may remember a [2021 announcement](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723) that the minimal ISO was 100% reproducible. While back then we successfully tested that all packages that were needed to build the ISO were individually reproducible, actually rebuilding the ISO still introduced differences. This was due to [some remaining problems](https://github.com/NixOS/nixpkgs/issues/125380) in the hydra cache and the way the ISO was created. By the time we fixed those, regressions had popped up (notably an upstream problem in Python 3.10), and it isn?t until this week that we were back to having everything reproducible and being able to validate the complete chain. Congratulations to NixOS team for reaching this important milestone! Discussion about this announcement [can be found underneath the post](https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756#post_2) itself, as well as [on Hacker News](https://news.ycombinator.com/item?id=38057591). View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/81e76c927b84180f0d27b5d683b22eb0fef5fa0e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/81e76c927b84180f0d27b5d683b22eb0fef5fa0e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 14:08:50 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Wed, 08 Nov 2023 14:08:50 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Fix link to Hamburg notes Message-ID: <654b96728d8aa_5e73f189ef04308793@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 041c5e51 by Arnout Engelen at 2023-11-08T15:07:07+01:00 Fix link to Hamburg notes - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -22,7 +22,7 @@ Our summits are a unique gathering that brings together attendees from diverse p During this enriching event, participants had the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. A number of concrete outcomes from the summit will documented in the report for November 2023 and elsewhere. -FIXME: Amazingly the agenda and all notes from all sessions are already online https://reproducible-builds.org/events/hamburg2023/agenda/. +Amazingly the agenda and all notes from all sessions are [already online](https://reproducible-builds.org/events/hamburg2023/agenda/). The Reproducible Builds team would like to thank our event sponsors who include [Mullvad VPN](https://mullvad.net/), [OpenSuse](https://www.opensuse.org/), [Debian](https://www.debian.org/), [Software Freedom Conservancy](https://sfconservancy.org/), [Allotropia](https://www.debian.org/) and [Aspiration Tech](https://aspirationtech.org/). View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/041c5e515c0e16b19075844fc3cd032f7f484dde -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/041c5e515c0e16b19075844fc3cd032f7f484dde You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 14:09:48 2023 From: gitlab at salsa.debian.org (Arnout Engelen (@raboof-guest)) Date: Wed, 08 Nov 2023 14:09:48 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 'openSUSE' spelling Message-ID: <654b96aca4ad2_5e7413f5368430919c@godard.mail> Arnout Engelen pushed to branch master at Reproducible Builds / reproducible-website Commits: 857f3858 by Arnout Engelen at 2023-11-08T15:09:27+01:00 'openSUSE' spelling - - - - - 2 changed files: - _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md - _reports/2023-10.md Changes: ===================================== _posts/2023-11-02-farewell-from-the-reproducible-builds-summit-2023.md ===================================== @@ -64,7 +64,7 @@ A huge thanks to our sponsors and partners for making the event possible:
    - + openSUSE
    ===================================== _reports/2023-10.md ===================================== @@ -24,7 +24,7 @@ During this enriching event, participants had the opportunity to engage in discu Amazingly the agenda and all notes from all sessions are [already online](https://reproducible-builds.org/events/hamburg2023/agenda/). -The Reproducible Builds team would like to thank our event sponsors who include [Mullvad VPN](https://mullvad.net/), [OpenSuse](https://www.opensuse.org/), [Debian](https://www.debian.org/), [Software Freedom Conservancy](https://sfconservancy.org/), [Allotropia](https://www.debian.org/) and [Aspiration Tech](https://aspirationtech.org/). +The Reproducible Builds team would like to thank our event sponsors who include [Mullvad VPN](https://mullvad.net/), [openSUSE](https://www.opensuse.org/), [Debian](https://www.debian.org/), [Software Freedom Conservancy](https://sfconservancy.org/), [Allotropia](https://www.debian.org/) and [Aspiration Tech](https://aspirationtech.org/).
    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/857f3858c6922141341bb68e6c0ef1ddd510efb3 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/857f3858c6922141341bb68e6c0ef1ddd510efb3 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 16:45:17 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Wed, 08 Nov 2023 16:45:17 +0000 Subject: [Git][reproducible-builds/reproducible-lfs][master] Add my presentation to the Ubuntu Summit 2023 Message-ID: <654bbb1d5eeb7_5e7413f5368433646f@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-lfs Commits: b72a8335 by Mattia Rizzolo at 2023-11-08T18:41:51+02:00 Add my presentation to the Ubuntu Summit 2023 Signed-off-by: Mattia Rizzolo <mattia at debian.org> - - - - - 1 changed file: - + presentations/2023-11-04-Reproducible-Builds-for-Ubuntu.pdf Changes: ===================================== presentations/2023-11-04-Reproducible-Builds-for-Ubuntu.pdf ===================================== @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa49358c88baf09c5a09e40f19c47689a7c72f513a51db65cf9050e0b2e9dc1d +size 2709203 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/b72a8335cd6b228aa91e444cc062af536f488b41 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/b72a8335cd6b228aa91e444cc062af536f488b41 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 19:56:59 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 08 Nov 2023 19:56:59 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-10: Add OSFC presentation. Message-ID: <654be80bb5a14_5e724b9c3b843680ec@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-website Commits: f389bdc7 by Vagrant Cascadian at 2023-11-08T11:56:14-08:00 2023-10: Add OSFC presentation. - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -94,6 +94,8 @@ On our [mailing list during October 2023](https://lists.reproducible-builds.org/ Elsewhere, Pol Dellaiera made a number of improvements to our website, including fixing typos and links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7f3e9550)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8ab7459c)], adding a [NixOS "Flake" file](https://nixos.wiki/wiki/Flakes) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c1a61eb)] and sorting our [publications page]({{ "/docs/publications/" | relative_url }}) by date [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d052569b)]. +Vagrant Cascadian presented [*Reproducible Builds All The Way Down*](https://www.osfc.io/2023/talks/reproducible-builds-all-the-way-down/) at the [Open Source Firmware Conference](https://www.osfc.io/). +
    ### Distribution work View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f389bdc71251907d4b063497f41ac16bec641049 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f389bdc71251907d4b063497f41ac16bec641049 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 8 20:01:24 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 08 Nov 2023 20:01:24 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-11: Add SeaGL presentation. Message-ID: <654be9147a8f_5e72e1f97c04369618@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-website Commits: 8f394912 by Vagrant Cascadian at 2023-11-08T12:00:59-08:00 2023-11: Add SeaGL presentation. - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -7,3 +7,5 @@ draft: true --- FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so that Launchpad now serves .buildinfo files. + +Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/8f394912fc81388a334a0bae2d20123ed9c19c92 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/8f394912fc81388a334a0bae2d20123ed9c19c92 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 9 16:53:13 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 09 Nov 2023 16:53:13 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with randomness_in_documentation_generated_by_sphinx Message-ID: <654d0e791097e_5e73f189ef0481179c@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 8e714e0e by Chris Lamb at 2023-11-09T14:26:47+00:00 Tag packages with randomness_in_documentation_generated_by_sphinx - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -1866,6 +1866,10 @@ blender: https://sources.debian.net/src/blender/2.72.b%2Bdfsg0-3/source/creator/buildinfo.c/?hl=40:41#L40 bugs: - 912299 +blender-doc: + version: 3.6-3 + issues: + - randomness_in_documentation_generated_by_sphinx blends: version: 0.6.92.2 comments: | @@ -6882,6 +6886,10 @@ gcc-10: - blacklisted_on_jenkins - test_suite_logs - nondeterministic_ordering_in_documentation_generated_by_doxygen +gcc-10-cross-ports: + version: 24 + issues: + - blacklisted_on_jenkins gcc-11: version: 11-20201216-2 comments: | @@ -6899,6 +6907,10 @@ gcc-11-cross-mipsen: "GNU?Modula-2??1.9.4??(20220212)" and updated copyright "Copyright?(C)?2022?Free?Software?Foundation,?Inc." and similar dates in other binaries. +gcc-11-cross-ports: + version: 18 + issues: + - blacklisted_on_jenkins gcc-12: version: 12.2.0-14 comments: | @@ -6909,26 +6921,6 @@ gcc-12: issues: - blacklisted_on_jenkins - test_suite_logs -gcc-9-cross-ports: - version: 27 - issues: - - blacklisted_on_jenkins -gcc-10-cross-ports: - version: 24 - issues: - - blacklisted_on_jenkins -gcc-11-cross-ports: - version: 18 - issues: - - blacklisted_on_jenkins -gcc-12-cross-ports: - version: 17 - issues: - - blacklisted_on_jenkins -gcc-13-cross-ports: - version: 14 - issues: - - blacklisted_on_jenkins gcc-12-cross-mipsen: version: 1+c2 comments: | @@ -6936,6 +6928,10 @@ gcc-12-cross-mipsen: "GNU?Modula-2??1.9.4??(20220212)" and updated copyright "Copyright?(C)?2022?Free?Software?Foundation,?Inc." and similar dates in other binaries. +gcc-12-cross-ports: + version: 17 + issues: + - blacklisted_on_jenkins gcc-13: version: 13-20230320-1 comments: | @@ -6963,6 +6959,10 @@ gcc-13: - blacklisted_on_jenkins - test_suite_logs - diffoscope_runs_forever +gcc-13-cross-ports: + version: 14 + issues: + - blacklisted_on_jenkins gcc-6: version: 6.1.1-3 comments: | @@ -7011,6 +7011,10 @@ gcc-9: version: 9.3.0-19 issues: - blacklisted_on_jenkins +gcc-9-cross-ports: + version: 27 + issues: + - blacklisted_on_jenkins gcc-arm-none-eabi: version: 15:10.3-2021.07-1 comments: | @@ -16818,6 +16822,10 @@ mm3d: does not honour dpkg-buildflags/CXXFLAGS issues: - gcc_captures_build_path +mmlib: + version: 1.4.2-1 + issues: + - randomness_in_documentation_generated_by_sphinx mmorph: version: 2.3.4.2-15 comments: | @@ -20493,6 +20501,10 @@ patchage: version: 1.0.0~dfsg0-0.1 issues: - gcc_captures_build_path +pathos: + version: 0.3.1-1 + issues: + - randomness_in_documentation_generated_by_sphinx pathspider: version: 0.9.0-1 comments: | @@ -23073,6 +23085,10 @@ python-http-parser: version: 0.8.3-2 issues: - gcc_captures_build_path +python-igraph: + version: 0.11.2+ds-4 + issues: + - randomness_in_documentation_generated_by_sphinx python-ilorest: version: 3.2.2+ds-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/8e714e0ecc95dcc7af6f435dae5cec5bbe8e5bf0 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/8e714e0ecc95dcc7af6f435dae5cec5bbe8e5bf0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 9 16:59:41 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 09 Nov 2023 16:59:41 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag govarnam with randomness_in_binaries_generated_by_golang Message-ID: <654d0ffdf1fb6_5e72e1f97c0481992a@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 92c357d6 by Chris Lamb at 2023-11-09T16:53:14+00:00 Tag govarnam with randomness_in_binaries_generated_by_golang - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -8696,6 +8696,10 @@ goval-dictionary: version: 0.0~git20180502.0.55b7f72-1 issues: - golang_compiler_captures_build_path_in_binary +govarnam: + version: 1.9.0-2 + issues: + - randomness_in_binaries_generated_by_golang govendor: version: 1.0.3+ds1-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/92c357d63d9fd0181fb5d738999f5d68981d21bd -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/92c357d63d9fd0181fb5d738999f5d68981d21bd You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:37:55 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:37:55 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with captures_build_path Message-ID: <654e08034dc90_5e7484ee27c49381f7@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: c4831e76 by Chris Lamb at 2023-11-10T10:37:15+00:00 Tag packages with captures_build_path - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -6,6 +6,10 @@ version: 2.3.1-1 issues: - usr_lib_debug_dotdwz_dir_inherits_build_user +3d-ascii-viewer-c: + version: 1.3.0+ds-1 + issues: + - captures_build_path 4digits: version: 1.1.4-1 issues: @@ -144,6 +148,10 @@ acm: version: 6.0+20200416-1 issues: - captures_build_path +acme: + version: 1:0.97~svn20211115+ds-1 + issues: + - captures_build_path acmetool: version: 0.0.51-1 issues: @@ -3501,6 +3509,10 @@ cp2k: . docs partly use this value, but also party use "current-dateTime()" from some XLST library. +cpdb-libs: + version: 1.2.0-3 + issues: + - captures_build_path cpl-plugin-naco: version: 4.4.1+dfsg-3 issues: @@ -4274,6 +4286,10 @@ devio: version: 1.2-1.2 issues: - gcc_captures_build_path +dextractor: + version: 1.0-6 + issues: + - captures_build_path dh-ada-library: version: 7.6 issues: @@ -5916,6 +5932,10 @@ fig2dev: version: 1:3.2.6-2 issues: - random_id_in_pdf_generated_by_dblatex +fig2sxd: + version: 0.23-1 + issues: + - captures_build_path filament: version: 1.9.25+dfsg2-10 comments: | @@ -6830,6 +6850,10 @@ gatk-bwamem: version: 1.0.4+dfsg2-2 issues: - captures_build_path +gatk-fermilite: + version: 1.2.1+dfsg-2 + issues: + - captures_build_path gauche: version: 0.9.4-6 issues: @@ -7229,6 +7253,10 @@ geki3: version: 1.0.3-8.1 issues: - gcc_captures_build_path +genders: + version: 1.22-1 + issues: + - captures_build_path genext2fs: version: 1.4.1-4 issues: @@ -7484,6 +7512,10 @@ ginkgocadx: version: 3.8.3-1 issues: - build_id_differences_only +gio-qt: + version: 0.0.12-1 + issues: + - captures_build_path gio-sharp: version: 2.22.3-3 issues: @@ -13089,6 +13121,10 @@ libapache2-mod-ruid2: version: 0.9.8-3 issues: - different_due_to_umask +libapache2-mod-tile: + version: 0.6.1-2 + issues: + - captures_build_path libapache2-mod-watchcat: version: 1.1.2-1 issues: @@ -16004,6 +16040,10 @@ m4api: version: 0.3~0.9646fd-1 issues: - cmake_rpath_contains_build_path +mac-fdisk: + version: 0.1-18.1 + issues: + - captures_build_path mac-widgets: version: 0.10.0+svn416-dfsg1-1 issues: @@ -31648,6 +31688,10 @@ simulavr: version: 1.0.0+git20160221.e53413b-1 issues: - gcc_captures_build_path +simulpic: + version: 1:2005-1-28-10 + issues: + - captures_build_path simutrans-pak128.britain: version: 1.17-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/c4831e7635c44a687a3b8e27b8f0ff09ec10dd39 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/c4831e7635c44a687a3b8e27b8f0ff09ec10dd39 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:38:35 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:38:35 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with timestamps_in_source_generated_by_rcc Message-ID: <654e082b78034_5e748491f54493834d@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: d1fa0db6 by Chris Lamb at 2023-11-10T10:37:53+00:00 Tag packages with timestamps_in_source_generated_by_rcc - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -813,6 +813,10 @@ apt-dpkg-ref: - timestamps_in_ps_generated_by_dvips - timestamps_in_dvi_generated_by_latex - random_id_in_pdf_generated_by_dblatex +apt-offline: + version: 1.8.5-1 + issues: + - timestamps_in_source_generated_by_rcc aptly: version: 0.9.7-1 issues: @@ -21458,6 +21462,10 @@ plotsauce: version: 0~0.1-1 issues: - captures_build_path_via_assert +plover: + version: 4.0.0~dev10-1 + issues: + - timestamps_in_source_generated_by_rcc plplot: version: 5.10.0+dfsg2-0.1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d1fa0db67a186ace587e57f73877f38f94d8a313 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d1fa0db67a186ace587e57f73877f38f94d8a313 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:47:34 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:47:34 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with captures_build_path_in_beam_cma_cmt_files Message-ID: <654e0a4692a6d_5e748491f544939123@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 30318080 by Chris Lamb at 2023-11-10T10:38:34+00:00 Tag packages with captures_build_path_in_beam_cma_cmt_files - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -5299,6 +5299,10 @@ erlang: version: 1:18.0-dfsg-1 issues: - timestamps_in_pdf_generated_by_apache_fop +erlang-asciideck: + version: 0.0+git20170714.48cbfe8b-4 + issues: + - captures_build_path_in_beam_cma_cmt_files erlang-cowlib: version: 1.3.0-1 comments: | @@ -33806,6 +33810,10 @@ tstools: version: 1.11-1 issues: - gcc_captures_build_path +tsung: + version: 1.7.0-3.1 + issues: + - captures_build_path_in_beam_cma_cmt_files ttf-freefont: version: 20100919-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/30318080f6de129a6a2ce9dec52058cf1ba465b2 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/30318080f6de129a6a2ce9dec52058cf1ba465b2 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:49:10 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:49:10 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with timestamps_in_qhc Message-ID: <654e0aa63a4aa_5e724b9c3b849398c8@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 415cc46b by Chris Lamb at 2023-11-10T10:47:37+00:00 Tag packages with timestamps_in_qhc - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -11423,6 +11423,10 @@ kappanhang: version: 1.3-2 issues: - records_build_flags +karchive: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kate: version: 4:22.04.3-1 comments: | @@ -11456,6 +11460,10 @@ kbibtex: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path +kbookmarks: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kbuild: version: 1:0.1.9998svn2814+dfsg-2 issues: @@ -11489,6 +11497,10 @@ kcollectd: version: 0.9-4 issues: - gcc_captures_build_path +kcompletion: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kconfig: version: 5.26.0-1 comments: | @@ -11515,6 +11527,14 @@ kcptun: version: 20171201+ds-1 issues: - randomness_in_binaries_generated_by_golang +kcrash: + version: 5.107.0-1 + issues: + - timestamps_in_qhc +kdav: + version: 1:5.107.0-1 + issues: + - timestamps_in_qhc kdb: version: 3.2.0-5 comments: | @@ -11923,6 +11943,10 @@ kissplice: version: 2.4.0-p1-1 issues: - gcc_captures_build_path +kitemviews: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kiten: version: 4:16.08.2-1 comments: | @@ -12049,6 +12073,10 @@ knotifications: issues: - gcc_captures_build_path - ftbfs_due_to_f-file-prefix-map +knotifyconfig: + version: 5.107.0-1 + issues: + - timestamps_in_qhc knowthelist: version: 2.3.0-2 comments: | @@ -12386,6 +12414,14 @@ kpipewire: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path +kplotting: + version: 5.107.0-1 + issues: + - timestamps_in_qhc +kpty: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kpublictransport: version: 22.04.2-1 comments: | @@ -12445,6 +12481,10 @@ kross: version: 5.26.0-1 issues: - build_id_differences_only +krunner: + version: 5.107.0-1 + issues: + - timestamps_in_qhc krusader: version: 2:2.7.2-2 issues: @@ -12564,6 +12604,10 @@ kubernetes-split-yaml: issues: - records_build_flags - randomness_in_binaries_generated_by_golang +kunitconversion: + version: 5.107.0-1 + issues: + - timestamps_in_qhc kup-backup: version: 0.6.1+dfsg-1 comments: | View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/415cc46b2c907aa4e2e79581c73c369af38fe15a -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/415cc46b2c907aa4e2e79581c73c369af38fe15a You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:50:48 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:50:48 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with captures_build_dir_in_qmake_prl_files Message-ID: <654e0b0876de2_5e748491f5449402bf@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 26f464eb by Chris Lamb at 2023-11-10T10:49:08+00:00 Tag packages with captures_build_dir_in_qmake_prl_files - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -14736,6 +14736,10 @@ libqes: issues: - build_id_differences_only - cmake_rpath_contains_build_path +libqglviewer: + version: 2.8.0+dfsg1-2 + issues: + - captures_build_dir_in_qmake_prl_files libqtdbusmock: version: 0.7+bzr49+repack1-1 issues: @@ -23973,6 +23977,10 @@ qmtest: version: 2.4.1-3 issues: - gcc_captures_build_path +qoauth: + version: 2.0.1~1-3 + issues: + - captures_build_dir_in_qmake_prl_files qoi: version: 0+git20220615+ds-1 issues: @@ -24257,6 +24265,10 @@ qtexengine: version: 0.3-3 issues: - timestamps_in_qmake_makefiles +qtfeedback-opensource-src: + version: 5.0~git20180903.a14bd0b-5 + issues: + - captures_build_dir_in_qmake_prl_files qtgamepad-everywhere-src: version: 5.15.2-4 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/26f464ebc1d5271bb7bb601cf7280339b8d9d200 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/26f464ebc1d5271bb7bb601cf7280339b8d9d200 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:52:07 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:52:07 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with randomness_in_documentation_generated_by_sphinx Message-ID: <654e0b57d0849_5e748491d604940681@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 43a98dd9 by Chris Lamb at 2023-11-10T10:50:47+00:00 Tag packages with randomness_in_documentation_generated_by_sphinx - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -16620,6 +16620,10 @@ mercurial: version: 5.3.1-1 comments: | Looks like some kind of unsorted list of symbols eg. memcpy, free, calloc, etc. +mercurial-evolve: + version: 10.5.3-4 + issues: + - randomness_in_documentation_generated_by_sphinx mergelog: version: 4.5.1-9 issues: @@ -19493,6 +19497,10 @@ octave-zeromq: version: 1.5.2-1 issues: - build_path_captured_by_octave +octavia: + version: 13.0.0-2 + issues: + - randomness_in_documentation_generated_by_sphinx octomap: version: 1.9.5+dfsg-1 issues: @@ -20733,6 +20741,10 @@ pdb-tools: version: 2.5.0-2 comments: | The diff is actually an error message caused by help2man being called with --help and some other argument... but it is unclear what this other argument is or what exactly is generating it. I cannot reproduce locally, only see this on jenkins +pdb2pqr: + version: 3.6.1+dfsg-1 + issues: + - randomness_in_documentation_generated_by_sphinx pdf-presenter-console: version: 4.0.2-2 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/43a98dd9fb702d6712ffb9a7697444e35f7aa7b4 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/43a98dd9fb702d6712ffb9a7697444e35f7aa7b4 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:54:38 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:54:38 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag micro with randomness_in_binaries_generated_by_golang Message-ID: <654e0bee32fa9_5e724b9c3b849412a1@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: d5bcdfc8 by Chris Lamb at 2023-11-10T10:52:06+00:00 Tag micro with randomness_in_binaries_generated_by_golang - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -16716,6 +16716,10 @@ mia: ordering issues in generated documentation and man pages: --in-file=(input,?required);?string vs. --in-file=(required,?input);?string +micro: + version: 2.0.13-1 + issues: + - randomness_in_binaries_generated_by_golang micro-proxy: version: 20021030+debian-5 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d5bcdfc893cb99badb3c4f5a5a2de0997ff8d23e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d5bcdfc893cb99badb3c4f5a5a2de0997ff8d23e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:56:13 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:56:13 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag packages with captures_kernel_variant Message-ID: <654e0c4d62106_5e748491d604941425@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 365324db by Chris Lamb at 2023-11-10T10:54:38+00:00 Tag packages with captures_kernel_variant - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -23501,6 +23501,10 @@ python-psutil: issues: - randomness_in_objects_inv - sphinxdoc_translations +python-psycopg2cffi: + version: 2.8.1-2 + issues: + - captures_kernel_variant python-pyalsa: version: 1.0.29-1 issues: @@ -23863,6 +23867,10 @@ q4wine: issues: - build_id_differences_only - cmake_rpath_contains_build_path +qabcs: + version: 1.0.2-6 + issues: + - captures_kernel_variant qastools: version: 0.21.0-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/365324db33cb34c80464299064a0fb767e678816 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/365324db33cb34c80464299064a0fb767e678816 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 10 10:57:42 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 10 Nov 2023 10:57:42 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Tag rime-scj with nondeterminism_in_files_generated_by_rime_deployer Message-ID: <654e0ca62d76e_5e748491f5449418b0@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 4d39c4c3 by Chris Lamb at 2023-11-10T10:56:13+00:00 Tag rime-scj with nondeterminism_in_files_generated_by_rime_deployer - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -30093,6 +30093,10 @@ rime-quick: version: 0.0~git20190120.3fe5911-3 issues: - nondeterminism_in_files_generated_by_rime_deployer +rime-scj: + version: 0.0~git20190120.cab5a08-2 + issues: + - nondeterminism_in_files_generated_by_rime_deployer rime-soutzoe: version: 0.0~git20190120.beeaeca-3 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/4d39c4c364e4f81455abb7840609d1700a246c4b -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/4d39c4c364e4f81455abb7840609d1700a246c4b You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 11 10:01:53 2023 From: gitlab at salsa.debian.org (Pol Dellaiera (@drupol)) Date: Sat, 11 Nov 2023 10:01:53 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] fix: publish November report Message-ID: <654f5110d8be3_5e748491d605082680@godard.mail> Pol Dellaiera pushed to branch master at Reproducible Builds / reproducible-website Commits: 4945c50a by Pol Dellaiera at 2023-11-11T11:01:34+01:00 fix: publish November report - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -3,7 +3,8 @@ layout: report year: "2023" month: "10" title: "Reproducible Builds in October 2023" -draft: true +draft: false +date: 2023-10-08 11:47:00 --- [![]({{ "/images/reports/2023-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/4945c50a808a8e4d0cfda28c62314e0a98ef1bd4 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/4945c50a808a8e4d0cfda28c62314e0a98ef1bd4 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 11 10:06:33 2023 From: gitlab at salsa.debian.org (Pol Dellaiera (@drupol)) Date: Sat, 11 Nov 2023 10:06:33 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] fix: fix date Message-ID: <654f5229bfd37_5e74a6794a05083070@godard.mail> Pol Dellaiera pushed to branch master at Reproducible Builds / reproducible-website Commits: a5589beb by Pol Dellaiera at 2023-11-11T11:03:54+01:00 fix: fix date - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -4,7 +4,7 @@ year: "2023" month: "10" title: "Reproducible Builds in October 2023" draft: false -date: 2023-10-08 11:47:00 +date: 2023-11-08 11:47:00 --- [![]({{ "/images/reports/2023-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/a5589bebf04fe188615e4e0039fcc2ac6482e083 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/a5589bebf04fe188615e4e0039fcc2ac6482e083 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 11 12:36:59 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sat, 11 Nov 2023 12:36:59 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: Revert "fix: fix date" Message-ID: <654f756bad273_5e748491d9c5097979@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 7565bd20 by Holger Levsen at 2023-11-11T13:36:43+01:00 Revert "fix: fix date" This reverts commit a5589bebf04fe188615e4e0039fcc2ac6482e083. - - - - - 51acdc8e by Holger Levsen at 2023-11-11T13:36:46+01:00 Revert "fix: publish November report" This reverts commit 4945c50a808a8e4d0cfda28c62314e0a98ef1bd4. - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -3,8 +3,7 @@ layout: report year: "2023" month: "10" title: "Reproducible Builds in October 2023" -draft: false -date: 2023-11-08 11:47:00 +draft: true --- [![]({{ "/images/reports/2023-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/a5589bebf04fe188615e4e0039fcc2ac6482e083...51acdc8ec34f8d0a0b8a90988255d6c1c3129026 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/a5589bebf04fe188615e4e0039fcc2ac6482e083...51acdc8ec34f8d0a0b8a90988255d6c1c3129026 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 11 12:40:13 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sat, 11 Nov 2023 12:40:13 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] publish October report Message-ID: <654f762db7f6a_5e748491d605098179@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: b14e2f7c by Holger Levsen at 2023-11-11T13:40:02+01:00 publish October report Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -3,7 +3,8 @@ layout: report year: "2023" month: "10" title: "Reproducible Builds in October 2023" -draft: true +draft: false +date: 2023-11-11 12:39:23 --- [![]({{ "/images/reports/2023-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b14e2f7cfd505d781c269d2b9f63c792c52364b6 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b14e2f7cfd505d781c269d2b9f63c792c52364b6 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 11 13:28:18 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sat, 11 Nov 2023 13:28:18 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 10: fix bug number, thanks to Paul Gevers Message-ID: <654f8172cf9a5_5e7484ee27c510443a@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 2fba7e93 by Holger Levsen at 2023-11-11T14:28:02+01:00 2023 10: fix bug number, thanks to Paul Gevers Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-10.md Changes: ===================================== _reports/2023-10.md ===================================== @@ -103,7 +103,7 @@ Vagrant Cascadian presented [*Reproducible Builds All The Way Down*](https://www [![]({{ "/images/reports/2023-10/debian.png#right" | relative_url }})](https://debian.org/) -*distro-info* is a Debian-oriented tool that can provide information about Debian (and Ubuntu) distributions such as their codenames (eg. *bookworm*) and so on. This month, Benjamin Drung uploaded a new version of *distro-info* that added support for the [`SOURCE_DATE_EPOCH` environment variable]({{ "/specs/source-date-epoch/" | relative_url }}) in order to close bug [#10344222](https://tracker.debian.org/distro-info). In addition, 8 reviews of packages were added, 74 were updated and 56 were removed this month, all adding to our [knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). +*distro-info* is a Debian-oriented tool that can provide information about Debian (and Ubuntu) distributions such as their codenames (eg. *bookworm*) and so on. This month, Benjamin Drung uploaded a new version of *distro-info* that added support for the [`SOURCE_DATE_EPOCH` environment variable]({{ "/specs/source-date-epoch/" | relative_url }}) in order to close bug [#1034422](https://tracker.debian.org/distro-info). In addition, 8 reviews of packages were added, 74 were updated and 56 were removed this month, all adding to our [knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Bernhard M. Wiedemann published another [monthly report about reproducibility within openSUSE](https://lists.opensuse.org/archives/list/factory at lists.opensuse.org/thread/4QTSQCYBMF6QZYWIB63T46ILLTVGVMMJ/). View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/2fba7e9342703b391a9a09b8058d6306f31733d5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/2fba7e9342703b391a9a09b8058d6306f31733d5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 13 12:34:55 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 13 Nov 2023 12:34:55 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: add embedded-systems notes, thanks to Hartmut Message-ID: <655217efebdf7_5e748491d6053434bf@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 7245f36c by Holger Levsen at 2023-11-13T13:33:50+01:00 hamburg2023: add embedded-systems notes, thanks to Hartmut Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 2 changed files: - _events/hamburg2023/agenda.md - + _events/hamburg2023/embedded-systems.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -49,7 +49,7 @@ Day 2 - Wednesday, November 1st TODO * The day started with a summary of Day 1 outcomes and a Day 2 Agenda Overview. * 9.45 Collaborative Working Sessions, break-out discussions continue. * [Ten Commandments]({{ "/events/hamburg2023/rb-commandments/" | relative_url }}) - * Embedded systems FIXME (no notes in the pad) + * [Embedded systems]({{ "/events/hamburg2023/embedded-systems//" | relative_url }}) * [Guix To-do's]({{ "/events/hamburg2023/guix-todo/" | relative_url }}) * [Signature storage and sharing]({{ "/events/hamburg2023/signature-storage/" | relative_url }}) * [Public verification service]({{ "/events/hamburg2023/verification1/" | relative_url }}) ===================================== _events/hamburg2023/embedded-systems.md ===================================== @@ -0,0 +1,63 @@ +--- +layout: event_detail +title: Collaborative Working Sessions - Embedded systems +event: hamburg2023 +order: 202 +permalink: /events/hamburg2023/embedded-systems/ +--- + +# What are embedded systems: + +* All systems which is not a PC, Software in a device. +* Industrial control (PLC = programmable logic control) +* Software in a toaster or dishwasher +* Small and powerful systems given: +* Small: TMS430 Series, 32 kByte ROM, 512 Byte RAM, +* Powerful: Raspi as controller +* => Focus to small systems, because powerful have often a Linux Kernel, +* Using a specific Real time operation system or not, no difference +* (If RTOS is used, it should be also reproducible) + +# Challenges + +* Different Target systems, different compilers from diff. vendors, more variablility. +* comprehensibility process how the binary is built +* traceability of build process. +* Reprod. Build should be a part of the approval procedure for a device. + +# Solutions: + +* All solutions known for gcc should be also applied to all known compiler, +* Is it done or in focus? Responsibility from the compiler vendors for this topic + +# Notes during session + +* Reproducible required: Gambling industry requires it. restrict regulation. +* look for gcc link time optimization. + +## Look for: + +* Debugging information in the object: +* 1) with the same path, different machines. +* 2) diff. path on diff machines +* If the path is a symbolic link (or Junction in Windows), the Compiler should not resolve the symbolic linked path, then the path is able to make unique. +* Use Option remove debug symbols. +* Always use the same compiler version. + + +* Build info file is not very well standardized? Look for https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles +* Have a script for all stuff of build inputs +* Language for sorting its a topic to the build system. (for linker), use always US-ASCII-sorting +* Optimizations should not randomized or have start seed. SDE Source date epoch as seed. +* Parallel compilation makes problems? Order of files. + +gcc is reproducible by default. with the same source path. Or have not debug symbols. +build-id. + +## Changing and testing: Test effort. + +What about changing sources in a small way, reprod. build gives only small changes, test only the differences: + +* Have to be more as one binary for the solutions. using dll libs ? +* Use static link, compare object files. Look from where comes the difference + View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7245f36c4d100ad7fbdc0553a2eae12999f14730 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7245f36c4d100ad7fbdc0553a2eae12999f14730 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 13 13:25:33 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Mon, 13 Nov 2023 13:25:33 +0000 Subject: [Git][reproducible-builds/reproducible-website] Pushed new tag 2022-04 Message-ID: <655223cddcb50_5e748491d6053515f4@godard.mail> Chris Lamb pushed new tag 2022-04 at Reproducible Builds / reproducible-website -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/tree/2022-04 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 13 13:25:36 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Mon, 13 Nov 2023 13:25:36 +0000 Subject: [Git][reproducible-builds/reproducible-website] Pushed new tag 2022-11 Message-ID: <655223d076c2a_5e748491d6053517e5@godard.mail> Chris Lamb pushed new tag 2022-11 at Reproducible Builds / reproducible-website -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/tree/2022-11 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 13 13:25:39 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Mon, 13 Nov 2023 13:25:39 +0000 Subject: [Git][reproducible-builds/reproducible-website] Pushed new tag 2023-10 Message-ID: <655223d3978ad_5e74d4c890053519fa@godard.mail> Chris Lamb pushed new tag 2023-10 at Reproducible Builds / reproducible-website -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/tree/2023-10 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 13 14:22:54 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Mon, 13 Nov 2023 14:22:54 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] add video of my talk at https://foss-north.se/2023 Message-ID: <6552313e83c3c_5e74bdffdf453572c2@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 071341a7 by Holger Levsen at 2023-11-13T15:22:42+01:00 add video of my talk at https://foss-north.se/2023 Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _data/presentations.yml Changes: ===================================== _data/presentations.yml ===================================== @@ -56,6 +56,8 @@ date: 2023-04-24 location: Gothenburg, Sweden url: https://foss-north.se/2023/speakers-and-talks.html#hlevsen + video: + youtube: NEdfHZh-yOw slides: https://reproducible-builds.org/_lfs/presentations/2023-04-24-foss-north.se-R-B-the-first-10-years - title: Reproducible Builds - An independently-verifiable path from source code to software View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/071341a77769cbbff5c1ef8e53c14db077fe6623 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/071341a77769cbbff5c1ef8e53c14db077fe6623 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 14 09:36:24 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Tue, 14 Nov 2023 09:36:24 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Add patch for python-ansible-pygments Message-ID: <65533f9839f21_5e74bdffdf45474627@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 699bc6a3 by Chris Lamb at 2023-11-14T09:35:26+00:00 Add patch for python-ansible-pygments - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -22845,6 +22845,10 @@ python-anndata: version: 0.7.5+ds-2 issues: - captures_build_path_in_hd5_database_files +python-ansible-pygments: + version: 0.1.1-6 + bugs: + - 1055919 python-ara: version: 1.5.7-1 bugs: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/699bc6a3cc0627452441a9f42ae314fac397f1a8 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/699bc6a3cc0627452441a9f42ae314fac397f1a8 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 14 09:56:52 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Tue, 14 Nov 2023 09:56:52 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Add patch for bidict Message-ID: <655344647b090_5e74a6794a054813be@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: db8180d2 by Chris Lamb at 2023-11-14T09:55:36+00:00 Add patch for bidict - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -1657,6 +1657,10 @@ bibtool: issues: - random_order_of_pdf_ids_generated_by_latex - random_id_in_pdf_generated_by_dblatex +bidict: + version: 0.22.1-1 + bugs: + - 1055920 bidiui: version: 0.9.7-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/db8180d2007693bc2e25fabd43a1386458b73883 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/db8180d2007693bc2e25fabd43a1386458b73883 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 14 10:52:04 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Tue, 14 Nov 2023 10:52:04 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Lets drop this FIXME for now. Message-ID: <6553515423c5a_5e748491d60550038d@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 9535f5a4 by Chris Lamb at 2023-11-14T10:51:47+00:00 Lets drop this FIXME for now. - - - - - 1 changed file: - contribute/index.md Changes: ===================================== contribute/index.md ===================================== @@ -40,10 +40,6 @@ Various distributions have efforts to become more reproducible: * [GNU Guix]({{ "/contribute/guix/" | relative_url }}) * [NixOS]({{ "/contribute/nixos/" | relative_url }}) -## Contribute to diffoscope, reprotest, disorderfs and strip-nondeterminism - -{FIXME} - ## Donate Another way to help is to financially support our project. We welcome any View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/9535f5a4b38418478bc0cdb0cd4cab60b0aa038d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/9535f5a4b38418478bc0cdb0cd4cab60b0aa038d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Tue Nov 14 23:40:17 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Tue, 14 Nov 2023 23:40:17 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] kuttypy: Mark with bin_sh_is_bash. Message-ID: <655405617770f_5e7561c888c56497de@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-notes Commits: 84c1063c by Vagrant Cascadian at 2023-11-14T15:39:29-08:00 kuttypy: Mark with bin_sh_is_bash. - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -12626,8 +12626,12 @@ kuserfeedback: - timestamps_in_source_generated_by_rcc kuttypy: version: 1.0-2 + comments: | + Uses echo implementation that is dependent on the running shell + https://sources.debian.org/src/kuttypy/2.1.1-4/Makefile/#L30 issues: - timestamps_in_source_generated_by_rcc + - bin_sh_is_bash kvirc: version: 4.2.0-2 comments: | View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/84c1063ce708fb8f4d94e9454ee8859b2d9d8686 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/84c1063ce708fb8f4d94e9454ee8859b2d9d8686 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 15 07:50:30 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 15 Nov 2023 07:50:30 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] kuttypy: += #1055969 Message-ID: <655478467557_5e7561c87ec56761bc@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: 27247709 by Holger Levsen at 2023-11-15T08:50:09+01:00 kuttypy: += #1055969 Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -12632,6 +12632,8 @@ kuttypy: issues: - timestamps_in_source_generated_by_rcc - bin_sh_is_bash + bugs: + - 1055969 kvirc: version: 4.2.0-2 comments: | View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/2724770950d1337aa0749bae8aaf7c5b5ec7728a -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/2724770950d1337aa0749bae8aaf7c5b5ec7728a You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 15 15:56:52 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 15 Nov 2023 15:56:52 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: mention Vagrant's seagl.org slides can be build reproducibly Message-ID: <6554ea445b44_5e758013670581324b@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 26bcecf6 by Holger Levsen at 2023-11-15T16:56:41+01:00 2023 11: mention Vagrant's seagl.org slides can be build reproducibly Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -8,4 +8,4 @@ draft: true FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so that Launchpad now serves .buildinfo files. -Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). +Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/26bcecf625433873674d5d80ad1c09a931061c3d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/26bcecf625433873674d5d80ad1c09a931061c3d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 15 17:32:15 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 15 Nov 2023 17:32:15 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] history: include minutes from dc13-bof Message-ID: <6555009f24b5f_5e758004468583591e@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 0dd0ada4 by Holger Levsen at 2023-11-15T18:31:20+01:00 history: include minutes from dc13-bof downloaded from https://wiki.debian.org/ReproducibleBuilds/History?action=AttachFile&do=get&target=dc13-bof-reproducible-builds.txt thanks to iyanmv for pointing out the link was not working. Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 2 changed files: - + _docs/history-dc13-minutes.txt - _docs/history.md Changes: ===================================== _docs/history-dc13-minutes.txt ===================================== @@ -0,0 +1,379 @@ +apt-get install gobby-infinote +gobby -c gobby.debian.org -n +debconf13/bof/reproducible-builds + +Byte-for-byte identical reproducible builds? +============================================ + +BoF at DebConf13 / Vaumarcus, Switzerland; chair: Lunar + +Abstract: + + The Bitcoin client and the upcoming Tor Browser Bundle 3.0 series + are using a build system that produces ?deterministic builds? ? + packages which are byte-for-byte identical no matter who actually + builds them, or what hardware they use. The idea is that current + popular software development practices simply cannot survive + targeted attacks of the scale and scope that we are seeing today. + With ?deterministic builds?, any individual can use an anonymity + network to download publicly signed and audited source code and + reproduce the builds exactly, without being subject to such + targeted attacks. If they notice any differences, they can alert + the public builders/signers, hopefully anonymously. + + Is such ideas applicable to Debian? To what extent? What would be + the first stones to pave the way toward reproducible builds of + Debian packages? + +Foreword +-------- + +Huge, huge thanks to Asheesh for helping me prepare this BoF. + +Agenda +------ + + ?Good news everyone! We are are going to get pwned!? + ? Professor Farnsworth + +1. Go around: why do you care? (5-10 min.) +2. Mike Perry's work on the Tor Browser Bundle (5 min.) +3. Asheesh's experiments (5 min.) +4. On the technical side, there's two aspects to the problem: + a. at the package level: How do we guarantee that given the same + source package and the same build environment, we get the same + binary results? (5-10 min.) + b. at the archive level: How to record the build environment of a + package (and enable its reproduction at a later time)? + (5 min.) +5. What's next? (15 min.) + +Experience from making the Tor Browser Bundle builds reproducible +----------------------------------------------------------------- + +Mike Perry worked on making the Tor Browser Bundle builds +reproducible. That's hard work: Tor Browser is based on Firefox +(huge code base) and is built for Linux, Mac OS X and Windows. + + - How: + - Uses Gitian from Bitcoin + - Thin layer around Ubuntu virtualization tools + - Spins up a ubuntu VM with fixed hostname, username, + path, and fake timestamps (via faketime) + - List packages and architecture + - Runs a bash script you specify + - Cross compiles for Windows (mingw-w64) and Mac (toolchain4) + - Took about 3-4 days per OS to write a working descriptor set + for Tor, Firefox and bundling/localization + - 2 weeks after starting, I was producing matching repeat builds + on my own hardware + - Issues: + - FIPS-140 mode has non-deterministic sigs on Linux + - Millisecond timestamps encoded by Firefox + - Mystery 3 bytes of randomness on Windows. Bitstomped + - 6 more weeks of work to get the builds to match externally + - Filesytem reordering + - Affects Zip, Tar, .a, and even aspects of Firefox scripts + - created wrappers for archives + - Firefox ordering enforced via sorting inputs in Firefox scripts + - Localization LC_ALL leaks + - Alters sort order + - Permissions differences + - Even though I set umask... + +To sum it up: the key that needs to be controled are the hostname, +username, build path, OS locale, uname output, toolchain version, +and time. We can either make everything deterministic or record on first build and the replay on subsequent builds. + +Results from Asheesh's experiments +---------------------------------- + +Asheesh jumped on the idea and played with the hello package. +Rebuilt using faketime on top of fakeroot. + +* When you rebuild that way, the data.tar.gz of the built Debian + package has the same contents +* Same with control.tar.gz + +However, the data.tar.gz and control.tar.gz *both* don't match each +other. This is because of a semi-bug in dpkg, we need convince dpkg +to fix the 'not calling gzip -n' issue. + +* ELF binaries like /usr/bin/hello in the "hello" package + contain *no* timestamp that needs to be stripped. +* gzip files need '-n' to be passed to gzip for avoiding embedding a + timestamp. +* xz and bzip2 don't have this problem. I'm too pressed for time to + write a test script, but I did test it. +* dedup.debian.net can be used to detect duplicates, especially if + we hack it to detect files that change between uploads of a package, + rather than just between packages. + - future work: ssdeep hashes, which could be useful for finding files + that should be duplicates but aren't + +NOTE that this might instead be because the *timestamps* of files within +control.tar.gz and data.tar.gz.. testing that theory... I have not finished +testing this theory, sadly, but here is a shell script I use to set up a lab: + +http://rose.makesad.us/~paulproteus/tmp/extract_both.sh + - please provide an index for the PTS :) + +Package level issues +-------------------- + +### time + + * Remove/strip the timestamps for build results. + * Use faketime (reports faked system time to programs). Time could be + automatically set to the time of the last debian/changelog entry. + * Base timestamps on timestamps of the source code, which should be unchanged + * Record time on first build and replay them later (see below). + +(In most case, recording the time of the build is actually +wrong. For documentation, what matters is the time of the last +change in the source package and not the time of the build +itself.) + +### Build path + + * Debian buildds use per-build temporary path names; so that any paths accidentally embedded in binaries do not exist on end-user systems (potential security issue). + * Stripping the path with debugedit (???) + * Correct solution: patch out where path appears -> use paths relative to the builddir + instead of having a common build directory for everyone. + (Because having encoded paths can hide real bugs, anyway.) + +### OS locale + + * Use LANG=C.UTF-8 ? -> LC_ALL=C.UTF-8 + * Let's make dpkg-buildpackage export this value + (or another wrapper? because dpkg-buildpackage is not + the policy canonical way to build all packages; + but debian/rules is painful) + Lets make this an option so that users see translated messages + and the buildds all build with English + * Change the policy to make dpkg-buildpackage be the canonical + solution to build package. + +### hostname, uname output, username + +liblietome? + +But kernel version is part of the build environment, so +we might need to record that somewhere else. Are kernels used on buildds always available? Or are some using non-standard kernels? + +### toolchain version + + * part of the system state and build info + +### file ordering issues + +Need to patch the build systems to add proper `sort` calls. + +### Randomisation + + * Define seed? + * ASLR? + +### pid numbers + +Let's patch that out if needed. + +### Others issues? + + +Archive level issues +-------------------- + +Not all packages are built on the buildds so the build environment isn't going to be the same (for now). + +.changes file are not currently kept except on mailing lists. + +We want .changes files: they are signed by the maintainer. + +If we keep .changes file, we can add a `XC-Built-Environment` field. +It would add to the .changes files something like: + +Built-Environment: + apt (= 0.9.9.4), aptitude (= 0.6.8.2-1), aptitude-common (= 0.6.8.2-1), + base-files (= 7.2), base-passwd (= 3.5.26), bash (= 4.2+dfsg-1), + binutils (= 2.23.52.20130727-1), bsdutils (= 1:2.20.1-5.5), + build-essential (= 11.6), bzip2 (= 1.0.6-4), ccache (= 3.1.9-1), + coreutils (= 8.21-1), cpp (= 4:4.8.1-2), cpp-4.6 (= 4.6.4-4), + cpp-4.7 (= 4.7.3-6), cpp-4.8 (= 4.8.1-8), dash (= 0.5.7-3), + debconf (= 1.5.50), debconf-i18n (= 1.5.50), + debian-archive-keyring (= 2012.4), debianutils (= 4.4), + diffutils (= 1:3.2-8), dpkg (= 1.17.1), dpkg-dev (= 1.17.1), + e2fslibs (= 1.42.8-1), e2fsprogs (= 1.42.8-1), fakeroot (= 1.19-2), + findutils (= 4.4.2-6), g++ (= 4:4.8.1-2), g++-4.6 (= 4.6.4-4), + g++-4.8 (= 4.8.1-8), gcc (= 4:4.8.1-2), gcc-4.4-base (= 4.4.7-4), + gcc-4.5-base (= 4.5.4-1), gcc-4.6 (= 4.6.4-4), gcc-4.6-base (= 4.6.4-4), + gcc-4.7 (= 4.7.3-6), gcc-4.7-base (= 4.7.3-6), gcc-4.8 (= 4.8.1-8), + gcc-4.8-base (= 4.8.1-8), gnupg (= 1.4.14-1), gpgv (= 1.4.14-1), + grep (= 2.14-2), gzip (= 1.6-1), hostname (= 3.13), + initscripts (= 2.88dsf-43), insserv (= 1.14.0-5), less (= 458-2), + libacl1 (= 2.2.52-1), libapt-pkg4.12 (= 0.9.9.4), libasan0 (= 4.8.1-8), + libatomic1 (= 4.8.1-8), libattr1 (= 1:2.4.47-1), libblkid1 (= 2.20.1-5.5), + libboost-iostreams1.49.0 (= 1.49.0-4), libbz2-1.0 (= 1.0.6-4), + libc-bin (= 2.17-92), libc-dev-bin (= 2.17-92), libc6 (= 2.17-92), + libc6-dev (= 2.17-92), libcap2 (= 1:2.22-1.2), + libclass-isa-perl (= 0.36-5), libcloog-isl4 (= 0.18.0-2), + libcloog-ppl1 (= 0.16.1-3), libcomerr2 (= 1.42.8-1), + libcwidget3 (= 0.5.16-3.4), libdb5.1 (= 5.1.29-6), libdpkg-perl (= 1.17.1), + libept1.4.12 (= 1.0.9), libfile-fcntllock-perl (= 0.14-2), + libgcc-4.7-dev (= 4.7.3-6), libgcc-4.8-dev (= 4.8.1-8), + libgcc1 (= 1:4.8.1-8), libgdbm3 (= 1.8.3-12), libgmp10 (= 2:5.1.2+dfsg-2), + libgmpxx4ldbl (= 2:5.1.2+dfsg-2), libgomp1 (= 4.8.1-8), + libgpm2 (= 1.20.4-6.1), libisl10 (= 0.11.2-1), libitm1 (= 4.8.1-8), + liblocale-gettext-perl (= 1.05-7+b1), liblzma5 (= 5.1.1alpha+20120614-2), + libmount1 (= 2.20.1-5.5), libmpc2 (= 0.9-4), libmpc3 (= 1.0.1-1), + libmpfr4 (= 3.1.1-1), libncurses5 (= 5.9+20130608-1), + libncursesw5 (= 5.9+20130608-1), libpam-modules (= 1.1.3-9), + libpam-modules-bin (= 1.1.3-9), libpam-runtime (= 1.1.3-9), + libpam0g (= 1.1.3-9), libpcre3 (= 1:8.31-2), libppl-c4 (= 1:1.0-7), + libppl12 (= 1:1.0-7), libquadmath0 (= 4.8.1-8), + libreadline6 (= 6.2+dfsg-0.1), libselinux1 (= 2.1.13-2), + libsemanage-common (= 2.1.10-2), libsemanage1 (= 2.1.10-2), + libsepol1 (= 2.1.9-2), libsigc++-2.0-0c2a (= 2.2.10-0.2), + libslang2 (= 2.2.4-15), libsqlite3-0 (= 3.7.17-1), + libss2 (= 1.42.8-1), libstdc++-4.8-dev (= 4.8.1-8), + libstdc++6 (= 4.8.1-8), libstdc++6-4.6-dev (= 4.6.4-4), + libswitch-perl (= 2.16-2), libtext-charwidth-perl (= 0.04-7+b1), + libtext-iconv-perl (= 1.7-5), libtext-wrapi18n-perl (= 0.06-7), + libtimedate-perl (= 1.2000-1), libtinfo5 (= 5.9+20130608-1), + libtsan0 (= 4.8.1-8), libusb-0.1-4 (= 2:0.1.12-23.2), + libustr-1.0-1 (= 1.0.4-3), libuuid1 (= 2.20.1-5.5), + libxapian22 (= 1.2.15-2), linux-libc-dev (= 3.10.3-1), + login (= 1:4.1.5.1-1), lsb-base (= 4.1+Debian12), + make (= 3.81-8.2), mawk (= 1.3.3-17), mount (= 2.20.1-5.5), + multiarch-support (= 2.17-92), ncurses-base (= 5.9+20130608-1), + ncurses-bin (= 5.9+20130608-1), passwd (= 1:4.1.5.1-1), patch (= 2.7.1-3), + perl (= 5.14.2-21), + perl-base (= 5.14.2-21), perl-modules (= 5.14.2-21), + readline-common (= 6.2+dfsg-0.1), screen (= 4.1.0~20120320gitdb59704-9), + sed (= 4.2.2-2), sensible-utils (= 0.0.9), sysv-rc (= 2.88dsf-43), + sysvinit (= 2.88dsf-43), sysvinit-utils (= 2.88dsf-43), + tar (= 1.26+dfsg-6), tzdata (= 2013d-1), ucf (= 3.0027+nmu1), + util-linux (= 2.20.1-5.5), vim (= 2:7.3.923-3), vim-common (= 2:7.3.923-3), + vim-runtime (= 2:7.3.923-3), xz-utils (= 5.1.1alpha+20120614-2), + zlib1g (= 1:1.2.8.dfsg-1) + + (Example naively generated by taking all packages installed + by pbuilder when building the `hello` package.) + + * Do we want to trim this list? How? + -> use the access time to files in the various packages + to determine what was used or not (or another mechanism + to be notified of packages that matters) + * Do we want to include arch (eg. `:amd64`) in there? Yes - multiarch means we can have cross-arch deps (but not yet - britney needs work) + +Then, the good news: snapshot.debian.org keeps binary packages! but not .changes + +make (= 3.81-8.2) + => http://snapshot.debian.org/package/make-dfsg/3.81-8.2/#make_3.81-8.2 + +Is there an easy way to script installing a specific set of +binary packages from snapshot? Yes - use a specific date in your sources.list: + +deb http://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main +deb-src http://snapshot.debian.org/archive/debian/20091004T111800Z/ lenny main +deb http://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main +deb-src http://snapshot.debian.org/archive/debian-security/20091004T121501Z/ lenny/updates main + +What's next? +------------ + + * Do we have a ?Champion??? looks like not. :( + * Fill up a page on the wiki + * Who wants to have their package build reproducible? + - Asheesh: alpine + - Lunar: haveged + - pabs: iotop (python based) + - joeyh: debhelper :D + - lindi: magit + * [Asheesh] Convince dpkg to fix the 'not calling gzip -n' issue. + * Another change needed in dpkg: tar --numeric-owner --owner=0 + * [Asheesh, Helmut] Attempt to code a downstream version of dedup.debian.net + that lets us detect when files change between uploads of a package, + and then run it on the archive. + * Automated archive-wide testing of this issue and export to the PTS + * [rbalint, lindi] libfaketime updates? + advancing time in faketime with each time() call: https://github.com/wolfcw/libfaketime/pull/20 + [rbalint] replaying timestamp needs bigger changes in faketime, I'm working on those + * [fil] talk to Ganeff about keeping .changes - hash chain from the Release files needed + * Script to transform the "Built-Environment" list to + links to file in the snapshot archives. + * pbuilder like script that install all the packages in a + chroot and rebuild the package there. + * How about a sprint? Yes! + Together with Multi-Arch friends? Sponsorship from ARM? + +Other ideas: + + * Research other distros (NixOS?) + * Research + https://build.opensuse.org/package/show/openSUSE:Factory/build-compare + * Deterministic virtual machines + "ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay" http://www.eecs.umich.edu/virtual/papers/dunlap02.pdf (HTTP 403 currently :-() + "Debugging operating systems with time-traveling virtual machines" http://www.eecs.umich.edu/virtual/papers/king05_1.pdf (HTTP 403 currently :-() + "A Particular Bug Trap: Execution Replay Using Virtual Machines" http://arxiv.org/pdf/cs.DC/0310030 + "ReTrace: Collecting Execution Trace with Virtual Machine Deterministic Replay" + "Execution Replay for Multiprocessor Virtual Machines" http://www.eecs.umich.edu/~pmchen/papers/dunlap08.slides.ppt + + + +More post-BoF experiments +------------------------- + +diff --git a/debian/control b/debian/control +index 1ef9ccd..50b5221 100644 +--- a/debian/control ++++ b/debian/control +@@ -7,6 +7,7 @@ Standards-Version: 3.9.4 + Homepage: http://www.issihosts.com/haveged/ + Vcs-Git: git://git.debian.org/git/collab-maint/haveged.git + Vcs-Browser: http://git.debian.org/?p=collab-maint/haveged.git ++XC-Build-Environment: ${misc:Build-Environment} + + Package: haveged + Architecture: linux-any +diff --git a/debian/rules b/debian/rules +index 04d6fcc..cb2cdf3 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -15,3 +15,10 @@ override_dh_auto_configure: + + override_dh_strip: + dh_strip --dbg-package=libhavege1-dbg ++ ++override_dh_gencontrol: ++ COLUMNS=999 | dpkg -l | awk ' \ ++ BEGIN { printf "misc:Build-Environment=" } \ ++ /^ii/ { ORS=", "; print $$2 " (= " $$3 ")" }' | \ ++ sed -e 's/, $$//' >> debian/substvars ++ dh_gencontrol + + +This does not work as `dpkg-genchanges` does not substitute +the variable before adding the field in debian/changes! :( + ? Lunar + +But it is a trivial patch against dpkg: + +diff --git a/scripts/dpkg-genchanges.pl b/scripts/dpkg-genchanges.pl +index 0b004c7..13cedd6 100755 +--- a/scripts/dpkg-genchanges.pl ++++ b/scripts/dpkg-genchanges.pl +@@ -516,4 +516,5 @@ for my $f (keys %remove) { + delete $fields->{$f}; + } + +-$fields->output(\*STDOUT); # Note: no substitution of variables ++$fields->apply_substvars($substvars); ++$fields->output(\*STDOUT); + + + +-------------------------------------------------------- + +----------------------------------------------------------- + ===================================== _docs/history.md ===================================== @@ -44,7 +44,7 @@ about thirty attendees who were very much interested, amongst them members of the [technical committee](https://www.debian.org/devel/tech-ctte) and a few other core teams. -[Minutes](attachment:dc13-bof-reproducible-builds.txt) are +[Minutes](../history-dc13-minutes.txt) are available. After some more research during the conference, a [wiki View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0dd0ada424c3207f66dcb8e010337d1b62a6d3d7 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0dd0ada424c3207f66dcb8e010337d1b62a6d3d7 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 15 21:53:10 2023 From: gitlab at salsa.debian.org (Vagrant Cascadian (@vagrant)) Date: Wed, 15 Nov 2023 21:53:10 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] gdcm: Mark with timestamps_in_pdf_generated_by_latex. Message-ID: <65553dc643ff2_5e7561c87d85872538@godard.mail> Vagrant Cascadian pushed to branch master at Reproducible Builds / reproducible-notes Commits: d324e5fb by Vagrant Cascadian at 2023-11-15T13:52:40-08:00 gdcm: Mark with timestamps_in_pdf_generated_by_latex. - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -7197,6 +7197,7 @@ gdcm: version: 2.6.5-2 issues: - fonts_in_pdf_files + - timestamps_in_pdf_generated_by_latex gdesklets: version: 0.36.1-7 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d324e5fb0541e0ed8227af966e3b91a0d6389586 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/d324e5fb0541e0ed8227af966e3b91a0d6389586 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 16 09:02:50 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 16 Nov 2023 09:02:50 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: tests.r-b.o/debian results are included in... Message-ID: <6555dabae4224_5e75800e1ac59257c7@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: dad96886 by Holger Levsen at 2023-11-16T10:02:37+01:00 2023 11: tests.r-b.o/debian results are included in https://release.debian.org/britney/update_excuses.html for information only for now Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -9,3 +9,5 @@ draft: true FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so that Launchpad now serves .buildinfo files. Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. + +FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/armhf in britney, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/dad96886eca4a9f96ef7ab8485659266f9b5fbc1 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/dad96886eca4a9f96ef7ab8485659266f9b5fbc1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 16 09:05:41 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 16 Nov 2023 09:05:41 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: s#britney#migration software# Message-ID: <6555db65ee142_5e75800446859259f@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: ae6ff137 by Holger Levsen at 2023-11-16T10:05:31+01:00 2023 11: s#britney#migration software# Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -10,4 +10,4 @@ FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. -FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/armhf in britney, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. +FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ae6ff1370250d1e0c9dbc8fea4f77a63ff6aeda2 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ae6ff1370250d1e0c9dbc8fea4f77a63ff6aeda2 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 16 13:54:55 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 16 Nov 2023 13:54:55 +0000 Subject: [Git][reproducible-builds/diffoscope][master] As UI/UX improvement, try and avoid printing an extended traceback if... Message-ID: <65561f2ff1fa4_5e7580044685992968@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope Commits: bb887ddb by Chris Lamb at 2023-11-16T13:53:08+00:00 As UI/UX improvement, try and avoid printing an extended traceback if diffoscope runs out of memory. However: > Note that because of the underlying memory management architecture (C?s > malloc() function), the interpreter may not always be able to completely > recover from this situation; it nevertheless raises an exception so that a > stack traceback can be printed, in case a run-away program was the cause. ? https://docs.python.org/2/library/exceptions.html#exceptions.MemoryError - - - - - 1 changed file: - diffoscope/main.py Changes: ===================================== diffoscope/main.py ===================================== @@ -773,6 +773,9 @@ def main(args=None): raise logger.error("No space left on device. Diffoscope exiting.") sys.exit(2) + except MemoryError: + logger.error("Out of memory. Diffoscope exiting.") + sys.exit(2) except KeyboardInterrupt: logger.error("Keyboard Interrupt") sys.exit(2) View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/bb887ddb6e5763b15d4ed9bb448166901dc7253f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/bb887ddb6e5763b15d4ed9bb448166901dc7253f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 16 13:58:29 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 16 Nov 2023 13:58:29 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: tests.r-b.o/debian/i386 added Message-ID: <65562005add08_5e75800446859938f9@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: b64ee1da by Holger Levsen at 2023-11-16T14:58:08+01:00 2023 11: tests.r-b.o/debian/i386 added Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -10,4 +10,4 @@ FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. -FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. +FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b64ee1dace903e8e4299285f48de99c70fec56e8 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/b64ee1dace903e8e4299285f48de99c70fec56e8 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 16 20:06:34 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 16 Nov 2023 20:06:34 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] add src:openjfx to blacklisted_on_jenkins Message-ID: <6556764a14f13_5e7561c87d860631f1@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: 6fa3222b by Holger Levsen at 2023-11-16T21:06:17+01:00 add src:openjfx to blacklisted_on_jenkins Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -19936,6 +19936,7 @@ openjfx: com/oracle/tools/packager/linux/libpackager.so issues: - random_order_in_documentation_generated_by_javadoc + - blacklisted_on_jenkins bugs: - 850921 - 874132 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/6fa3222b9de391c9af46ec029a53ca2111b8e18e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/6fa3222b9de391c9af46ec029a53ca2111b8e18e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:19:28 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:19:28 +0000 Subject: [Git][reproducible-builds/diffoscope][master] 2 commits: Update copyright years. Message-ID: <65572210776f0_5e7561c87d861387eb@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope Commits: e8aa7527 by Chris Lamb at 2023-11-17T08:17:21+00:00 Update copyright years. - - - - - 8a11781e by Chris Lamb at 2023-11-17T08:18:14+00:00 releasing package diffoscope version 252 - - - - - 3 changed files: - debian/changelog - diffoscope/__init__.py - diffoscope/main.py Changes: ===================================== debian/changelog ===================================== @@ -1,8 +1,11 @@ -diffoscope (252) UNRELEASED; urgency=medium +diffoscope (252) unstable; urgency=medium - * WIP (generated upon release). + * As UI/UX improvement, try and avoid printing an extended traceback if + diffoscope runs out of memory. This may not always be possible to detect. + * Mark diffoscope as stable in setup.py (for PyPI.org). Whatever diffoscope + is, at least, not "alpha" anymore. - -- Chris Lamb Fri, 13 Oct 2023 09:07:59 +0100 + -- Chris Lamb Fri, 17 Nov 2023 08:18:10 +0000 diffoscope (251) unstable; urgency=medium ===================================== diffoscope/__init__.py ===================================== @@ -17,4 +17,4 @@ # You should have received a copy of the GNU General Public License # along with diffoscope. If not, see . -VERSION = "251" +VERSION = "252" ===================================== diffoscope/main.py ===================================== @@ -4,7 +4,7 @@ # diffoscope: in-depth comparison of files, archives, and directories # # Copyright ? 2014-2015 J?r?my Bobbio -# Copyright ? 2016-2022 Chris Lamb +# Copyright ? 2016-2023 Chris Lamb # # diffoscope is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/compare/bb887ddb6e5763b15d4ed9bb448166901dc7253f...8a11781eafa3d458d1e8da5a3e1027862a21fbe5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/compare/bb887ddb6e5763b15d4ed9bb448166901dc7253f...8a11781eafa3d458d1e8da5a3e1027862a21fbe5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:19:39 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:19:39 +0000 Subject: [Git][reproducible-builds/diffoscope] Pushed new tag 252 Message-ID: <6557221b349b8_5e75801367061392c9@godard.mail> Chris Lamb pushed new tag 252 at Reproducible Builds / diffoscope -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/tree/252 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:19:58 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:19:58 +0000 Subject: [Git][reproducible-builds/diffoscope][master] Open new changelog entry for version 253. Message-ID: <6557222e1c30c_5e7594c0b7c6139553@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope Commits: 15bb9e90 by Chris Lamb at 2023-11-17T08:19:37+00:00 Open new changelog entry for version 253. Gbp-Dch: ignore - - - - - 1 changed file: - debian/changelog Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +diffoscope (253) UNRELEASED; urgency=medium + + * WIP (generated upon release). + + -- Chris Lamb Fri, 17 Nov 2023 08:19:37 +0000 + diffoscope (252) unstable; urgency=medium * As UI/UX improvement, try and avoid printing an extended traceback if View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/15bb9e90ebbbdfd2e4af06769cfd52be84bb3d21 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/15bb9e90ebbbdfd2e4af06769cfd52be84bb3d21 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:21:11 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:21:11 +0000 Subject: [Git][reproducible-builds/reproducible-lfs][master] Add diffoscope 252 release tarball and signature. Message-ID: <655722775dbbe_5e7561c87d86140137@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-lfs Commits: 2b7d96bb by Chris Lamb at 2023-11-17T08:20:28+00:00 Add diffoscope 252 release tarball and signature. - - - - - 2 changed files: - + releases/diffoscope/diffoscope-252.tar.bz2 - + releases/diffoscope/diffoscope-252.tar.bz2.asc Changes: ===================================== releases/diffoscope/diffoscope-252.tar.bz2 ===================================== @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:36662fe61b594f6bf4e2f564b08586b9a3c8d6b5df366ad54a612b4ff7da05b4 +size 3095888 ===================================== releases/diffoscope/diffoscope-252.tar.bz2.asc ===================================== @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmVXIc0ACgkQHpU+J9Qx +Hlg/Rw//R94cjGG0Tmdw2Z38DlRUj3UlC3y3hO5o/rJjTPxUX5GF5JKIKM6Fql+Z +69QLohkiQRv6S1xZhvM9Kmwn/VgN+EJCh219T5+XX+xE46DGIhQgi20IkBH2m7aU +zrxzWR8OYzXiObsta7XYOeciQbs9kXPLu7MUNaVMZexpZb8CmQrbNzkbazV+Nfku +ITk4K0+vv2Bin00OBl7h7gHQQ047KRYltJBumn66+asG0o4tURpQmmVAcK/n/55g +hdjlgUBwc7d/DvHM91UhGlpXRCDtUk1efhQNVm0ZSvhACeXmEDLUHUaWoLGE5Mcl +GuOEh9UVKV6+wtS26mOVxSvNZMGGmcELY3/greumPe6/uSQzBol30VGmYqzmSNHD +YBOhtqU3QPHQS9+kCeptkw1uQeKva46bNY3/Zm+ZpOSFhNodUZDb/3Vru0jUocab +RiRpkaJzIs6wFROm2u5OiDTu7LoL2pe42Ptk5wWkTPuZhFe+yxHZAvGmB0FJr4yG +LWT6L1PiwEY9t+edjyTBOzZot9Ei/vJCfBOyiQCR9hh09unf8UKsoXDpJM7YMtX7 +TrDXUMm/EvPAnxtiBeS7XKT5RiBzb6u69wY5rHVSYxCA8C6j+g7UEULN+WnClEGq +7+y/sczJTCqd2uBIhkcy6G7t+FU1o4j+UXWB0xf1P8BhGvTv4aU= +=JRab +-----END PGP SIGNATURE----- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/2b7d96bb51df7a8d6507394cc30a62651c79bcc7 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-lfs/-/commit/2b7d96bb51df7a8d6507394cc30a62651c79bcc7 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:21:43 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:21:43 +0000 Subject: [Git][reproducible-builds/diffoscope-website][master] Update metadata and news to match release of version 252 Message-ID: <65572297a4c28_5e7561c87d8614035e@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope-website Commits: 968a2a9f by Chris Lamb at 2023-11-17T08:21:18+00:00 Update metadata and news to match release of version 252 - - - - - 2 changed files: - _data/diffoscope.yml - + _posts/2023-11-17-diffoscope-252-released.md Changes: ===================================== _data/diffoscope.yml ===================================== @@ -104,5 +104,5 @@ description: 'File formats supported include: Android APK files, Android boot im image files, WebAssembly binary module, XML binary schemas (.xsb), XML files, XMLB files, XZ compressed files, ZIP archives and Zstandard compressed files.' latest_release: - date: 1697183952 - version: '251' + date: 1700209090 + version: '252' ===================================== _posts/2023-11-17-diffoscope-252-released.md ===================================== @@ -0,0 +1,17 @@ +--- +layout: post +title: diffoscope 252 released +author: Chris Lamb +--- + +The diffoscope maintainers are pleased to announce the release of diffoscope +version `252`. This version includes the following changes: + +``` +* As UI/UX improvement, try and avoid printing an extended traceback if + diffoscope runs out of memory. This may not always be possible to detect. +* Mark diffoscope as stable in setup.py (for PyPI.org). Whatever diffoscope + is, at least, not "alpha" anymore. +``` + +You find out more by [visiting the project homepage](https://diffoscope.org). View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope-website/-/commit/968a2a9f3138ae8343cbacc6b5dee1f328627fc5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope-website/-/commit/968a2a9f3138ae8343cbacc6b5dee1f328627fc5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:38:03 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:38:03 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] 2 commits: Add new nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson toolchain issue. Message-ID: <6557266b7372d_5e7580136706140765@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 0530f2fb by Chris Lamb at 2023-11-17T08:36:45+00:00 Add new nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson toolchain issue. - - - - - 8963b6c5 by Chris Lamb at 2023-11-17T08:36:55+00:00 Tag neatvnc with nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson - - - - - 2 changed files: - issues.yml - packages.yml Changes: ===================================== issues.yml ===================================== @@ -2480,3 +2480,8 @@ timestamp_in_documentation_using_sphinx_zzzeeksphinx_theme: bugs: https://bugs.debian.org/1042955 description: | zzzeeksphinx includes a 'Documentation last generated: ${datetime.datetime.now().strftime("%c")}' +nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson: + description: | + eg. "Requires.private: pixman-1, aml >= 0.3.0, aml < 0.4.0, [?]" + vs "Requires.private: pixman-1, aml < 0.4.0, aml >= 0.3.0, [?]" + Code is in `mesonbuild/modules/pkgconfig.py` in `src:meson`. ===================================== packages.yml ===================================== @@ -17790,6 +17790,10 @@ ne10: and debian/patches/build-docs.patch. issues: - captures_build_path +neatvnc: + version: 0.7.0+dfsg-1 + issues: + - nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson nebula: version: 1.4.0-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/6fa3222b9de391c9af46ec029a53ca2111b8e18e...8963b6c56cda589029e13756bc119f9b96016914 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/6fa3222b9de391c9af46ec029a53ca2111b8e18e...8963b6c56cda589029e13756bc119f9b96016914 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 08:46:50 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 08:46:50 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Add bug reference for new nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson issue. Message-ID: <6557287a2ec6a_5e758004468614133a@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 9300129d by Chris Lamb at 2023-11-17T08:45:52+00:00 Add bug reference for new nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson issue. - - - - - 1 changed file: - issues.yml Changes: ===================================== issues.yml ===================================== @@ -2481,6 +2481,7 @@ timestamp_in_documentation_using_sphinx_zzzeeksphinx_theme: description: | zzzeeksphinx includes a 'Documentation last generated: ${datetime.datetime.now().strftime("%c")}' nondeterminstic_order_of_pkgconfig_dependencies_generated_by_meson: + url: https://bugs.debian.org/1056117 description: | eg. "Requires.private: pixman-1, aml >= 0.3.0, aml < 0.4.0, [?]" vs "Requires.private: pixman-1, aml < 0.4.0, aml >= 0.3.0, [?]" View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/9300129d6e6c0d1ee9bf7a2b63e06b5e0b62646f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/9300129d6e6c0d1ee9bf7a2b63e06b5e0b62646f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 09:17:52 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 09:17:52 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] 2 commits: Add patch for radsecproxy Message-ID: <65572fc052e93_5e75800e1ac61446e0@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 3b8082d8 by Chris Lamb at 2023-11-17T08:58:30+00:00 Add patch for radsecproxy - - - - - 06be0086 by Chris Lamb at 2023-11-17T09:03:23+00:00 Add patch for taffybar - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -29670,6 +29670,10 @@ radon: version: 5.1.0-2 issues: - randomness_in_documentation_generated_by_sphinx +radsecproxy: + version: 1.10.0-1 + bugs: + - 1056118 rafkill: version: 1.2.2-5 issues: @@ -33139,6 +33143,10 @@ tachyon: This will be fixed with https://bugs.debian.org/827115 issues: - random_id_in_pdf_generated_by_dblatex +taffybar: + version: 4.0.1-1 + bugs: + - 1056119 tagainijisho: version: 1.0.2-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/9300129d6e6c0d1ee9bf7a2b63e06b5e0b62646f...06be0086fdea101a87481d7ce3e3b60d672bf03c -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/9300129d6e6c0d1ee9bf7a2b63e06b5e0b62646f...06be0086fdea101a87481d7ce3e3b60d672bf03c You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 09:25:17 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Fri, 17 Nov 2023 09:25:17 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] hamburg2023: drop FIXME, seems we lost the notes for the "RB relationship to SBOM" session Message-ID: <6557317d33572_5e75801367061456c8@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 2fa47559 by Holger Levsen at 2023-11-17T10:25:03+01:00 hamburg2023: drop FIXME, seems we lost the notes for the "RB relationship to SBOM" session Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _events/hamburg2023/agenda.md Changes: ===================================== _events/hamburg2023/agenda.md ===================================== @@ -62,7 +62,7 @@ Day 2 - Wednesday, November 1st TODO * [Web site audiences]({{ "/events/hamburg2023/site-audiences/" | relative_url }}) * [Born Reproducible I]({{ "/events/hamburg2023/born-reproducible-1/" | relative_url }}) * [RB Success Stories]({{ "/events/hamburg2023/success/" | relative_url }}) - * RB relationship to SBOM FIXME (no notes in the pad) + * RB relationship to SBOM * 15.15 Break * 15:30 Hacking Time * 16.35 Closing Circle View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/2fa47559a524e22de86c3805e28b265a1861aae1 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/2fa47559a524e22de86c3805e28b265a1861aae1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 11:59:00 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 11:59:00 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Correct link to Allotropia.de. Message-ID: <6557558485e14_5e7594c0b7c6170749@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: ce7609a6 by Chris Lamb at 2023-11-17T11:58:43+00:00 Correct link to Allotropia.de. - - - - - 1 changed file: - _events/hamburg2023/index.html Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -199,7 +199,7 @@ We are thankful for having had these sponsors for this event! Please
    - + allotropia software GmbH
    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ce7609a651adc8819c8cddc26fe23ab594c2ac69 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ce7609a651adc8819c8cddc26fe23ab594c2ac69 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 12:02:18 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 12:02:18 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Use |relative_url filter on /events/hamburg2023/. Message-ID: <6557564a1b213_5e75800446861711bb@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: d6eb1651 by Chris Lamb at 2023-11-17T12:00:50+00:00 Use |relative_url filter on /events/hamburg2023/. - - - - - 1 changed file: - _events/hamburg2023/index.html Changes: ===================================== _events/hamburg2023/index.html ===================================== @@ -49,7 +49,7 @@ Germany
  • Work together and hack on solutions.
  • Discuss how reproducible builds will be usable and meaningful to users and developers alike.
    • -Reproducible Builds Summit 7 in Hamburg 2239 +Reproducible Builds Summit 7 in Hamburg 2239

    Participants

    @@ -61,7 +61,7 @@ Apache Maven, Apache Security, Arch Linux, arch-repro-status, Buildroot, CHAINS

    Event Documentation

    @@ -168,7 +168,7 @@ We are thankful for having had these sponsors for this event! Please

    - +
    @@ -179,28 +179,28 @@ We are thankful for having had these sponsors for this event! Please
    - openSUSE + openSUSE
    - Debian + Debian
    - Software Freedom Conservancy + Software Freedom Conservancy
    - allotropia software GmbH + allotropia software GmbH
    View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d6eb16511b50bd3d873bebeef3d2e9bc1a88c928 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d6eb16511b50bd3d873bebeef3d2e9bc1a88c928 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 13:30:42 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 17 Nov 2023 13:30:42 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2 commits: Drop unnecessary link to "home" on horizontal navigation buttons. Message-ID: <65576b022de53_5e75800446862031b8@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 25cd328b by Chris Lamb at 2023-11-17T13:27:12+00:00 Drop unnecessary link to "home" on horizontal navigation buttons. - - - - - 2f50ba8a by Chris Lamb at 2023-11-17T13:30:19+00:00 Experiment with "hero" style homepage. - - - - - 3 changed files: - _includes/nav_buttons.html - assets/styles/custom.scss - index.md Changes: ===================================== _includes/nav_buttons.html ===================================== @@ -1,4 +1,4 @@ {% assign sorted_pages = site.pages | sort:"order" %}

    -{% for page in sorted_pages %}{% if page.title and page.order > 0 %}{{ page.title }}{% endif %}{% endfor %} +{% for page in sorted_pages %}{% if page.title and page.order > 0 and page.url != "/" %}{{ page.title }}{% endif %}{% endfor %}

    ===================================== assets/styles/custom.scss ===================================== @@ -114,3 +114,29 @@ main { } } } + +.hero { + background-color: #1e5b96; + left: 50%; + margin-left: -50vw; + margin-right: -50vw; + margin-top: -3rem; + max-width: 100vw; + position: relative; + right: 50%; + width: 100vw; + + padding-top: 8rem; + @media (min-width: 800px) { + padding-top: 19rem; + padding-bottom: 12rem !important; + } + + .lead { + color: #ffffffde; + + a { + color: inherit; + } + } +} ===================================== index.md ===================================== @@ -6,20 +6,24 @@ order: 10 permalink: / --- -
    - - Reproducible Builds - - -

    - Reproducible builds are a set of software development - practices that create an independently-verifiable path from source - to binary code. - - - (more) - -

    +
    +
    +
    + + Reproducible Builds + + +

    + Reproducible builds are a set of software development + practices that create an independently-verifiable path from source + to binary code. + + + (more) + +

    +
    +
    {% include nav_buttons.html %} View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d6eb16511b50bd3d873bebeef3d2e9bc1a88c928...2f50ba8a86cc54aa200ba383bb6bce226dddffd5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/d6eb16511b50bd3d873bebeef3d2e9bc1a88c928...2f50ba8a86cc54aa200ba383bb6bce226dddffd5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 17 18:08:19 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Fri, 17 Nov 2023 18:08:19 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: += https://en.opensuse.org/openSUSE:Reproducible_openSUSE Message-ID: <6557ac139d78e_5e7561c87d8626085f@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 28360fcb by Holger Levsen at 2023-11-17T19:08:04+01:00 2023 11: += https://en.opensuse.org/openSUSE:Reproducible_openSUSE Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -11,3 +11,5 @@ FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. + +* FIXME: Bernhard M. Wiesemann reports thats [SUSE plans to create a general-purpose Linux distribution, that consists of 100% bit-reproducible packages (minus the rpm signature). It shall be based on openSUSE Tumbleweed or its Slowroll-variant.](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/28360fcbe73ecc8e29343c8dfde961a94b0ac28d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/28360fcbe73ecc8e29343c8dfde961a94b0ac28d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sun Nov 19 10:52:01 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Sun, 19 Nov 2023 10:52:01 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-11: reword Reproducible openSUSE distri text Message-ID: <6559e8d1922c1_5e7594c0b7c646437f@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: 6283230f by Bernhard M. Wiedemann at 2023-11-19T11:51:30+01:00 2023-11: reword Reproducible openSUSE distri text - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -12,4 +12,4 @@ Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conf FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. -* FIXME: Bernhard M. Wiesemann reports thats [SUSE plans to create a general-purpose Linux distribution, that consists of 100% bit-reproducible packages (minus the rpm signature). It shall be based on openSUSE Tumbleweed or its Slowroll-variant.](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) +* FIXME: Bernhard M. Wiedemann reports that [he considers to create a general-purpose Linux distribution, that consists of 100% bit-reproducible packages (minus the rpm signature). It shall be based on openSUSE Tumbleweed or its Slowroll-variant.](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) in 2024 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/6283230fbd606bc6947ca670e4b894a4f695951e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/6283230fbd606bc6947ca670e4b894a4f695951e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sun Nov 19 20:15:44 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Sun, 19 Nov 2023 20:15:44 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] mark nbdkit with blacklisted_on_armhf Message-ID: <655a6cf0c3dc9_5e7561c87d865568ec@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: ebe2ddc4 by Holger Levsen at 2023-11-19T21:15:18+01:00 mark nbdkit with blacklisted_on_armhf Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -17708,6 +17708,7 @@ nbdkit: version: 1.26.5-1 issues: - records_build_flags + - blacklisted_on_jenkins_armhf_only nbibtex: version: 0.9.18-11 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/ebe2ddc40695dc5836da9d25dc197f6d3fd848bd -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/ebe2ddc40695dc5836da9d25dc197f6d3fd848bd You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 09:49:33 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Wed, 22 Nov 2023 09:49:33 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Add patch for php-doc Message-ID: <655dcead1cadc_5e76bff178c702306f@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 1ad342a0 by Chris Lamb at 2023-11-22T09:48:55+00:00 Add patch for php-doc - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -21131,6 +21131,10 @@ php-apcu: version: 5.1.7+4.0.11-2 issues: - captures_build_path_via_assert +php-doc: + version: 20231111~git.f333b4a+dfsg-1 + bugs: + - 1056398 php-enum: version: 2.3.1-1 bugs: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/1ad342a07bd90341c2cc799f219141d263aaf536 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/1ad342a07bd90341c2cc799f219141d263aaf536 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 14:25:35 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Wed, 22 Nov 2023 14:25:35 +0000 Subject: =?UTF-8?Q?[Git][reproducible-builds/reproducible-website][master]?= =?UTF-8?Q?_Add_=28re-add=3F=29_iomart_=28ne=C3=A9_Bytemark=29_and_Digita?= =?UTF-8?Q?lOcean_to_/who/sponsors/?= Message-ID: <655e0f5f1b88_5e7594c0b7c7045794@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 16b73a33 by Chris Lamb at 2023-11-22T14:25:06+00:00 Add (re-add?) iomart (ne? Bytemark) and DigitalOcean to /who/sponsors/ - - - - - 3 changed files: - _data/sponsors_nonfiscal.yml - + assets/images/sponsors/digitalocean.png - + assets/images/sponsors/iomart.png Changes: ===================================== _data/sponsors_nonfiscal.yml ===================================== @@ -10,3 +10,11 @@ url: https://osuosl.org/ logo: osuosl.png description: amd64 hardware and housing +- name: iomart + url: https://iomart.com + logo: iomart.png + description: try.diffoscope.org hosting +- name: DigitalOcean + url: https://www.digitalocean.com/ + logo: digitalocean.png + description: hosting buildinfo.debian.net ===================================== assets/images/sponsors/digitalocean.png ===================================== Binary files /dev/null and b/assets/images/sponsors/digitalocean.png differ ===================================== assets/images/sponsors/iomart.png ===================================== Binary files /dev/null and b/assets/images/sponsors/iomart.png differ View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/16b73a33b7e4727c07c3eccbaad034e14d8432c6 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/16b73a33b7e4727c07c3eccbaad034e14d8432c6 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 15:20:44 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Wed, 22 Nov 2023 15:20:44 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-11: +17 patches Message-ID: <655e1c4c7a019_5e76c009d3c7057480@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: afbb8985 by Bernhard M. Wiedemann at 2023-11-22T16:20:17+01:00 2023-11: +17 patches - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -13,3 +13,22 @@ Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conf FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. * FIXME: Bernhard M. Wiedemann reports that [he considers to create a general-purpose Linux distribution, that consists of 100% bit-reproducible packages (minus the rpm signature). It shall be based on openSUSE Tumbleweed or its Slowroll-variant.](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) in 2024 + +* Bernhard M. Wiedemann: + * [`amber-cli`](https://build.opensuse.org/request/show/1125191) (date) + * [`google-noto-fonts`](https://build.opensuse.org/request/show/1127255) + * [`guile-newt`](https://build.opensuse.org/request/show/1127367) (parallelism) + * [`guile-fibers`](https://build.opensuse.org/request/show/1127368) (parallelism) + * [`xen`](https://build.opensuse.org/request/show/1127661) (date+time) + * [`libguestfs`](https://bugzilla.opensuse.org/show_bug.cgi?id=1216986) (embeds build host file) + * [`hub`](https://github.com/mislav/hub/pull/3344) (random build path) + * [`bin86`](https://bugzilla.opensuse.org/show_bug.cgi?id=1217049) (FTBFS-2038) + * [`rpm`](https://github.com/rpm-software-management/rpm/pull/2762) (toolchain) + * [`llvm`](https://github.com/llvm/llvm-project/issues/72206) (toolchain/rust) + * [`kopete`](https://invent.kde.org/network/kopete/-/merge_requests/14) (ASLR/undefined behaviour) + * [`kraft`](https://github.com/dragotin/kraft/pull/215) (hostname) + * [`joker`](https://github.com/candid82/joker/pull/490) (sort, partial fix) + [`joker`](https://github.com/candid82/joker/issues/491) (hash random order) + * [`ipxe`](https://github.com/ipxe/ipxe/pull/1082) (random) + * [`rdflib`](https://github.com/RDFLib/rdflib/issues/2645) (random) + * [`whatsie`](https://github.com/keshavbhatt/whatsie/pull/146) (date) + View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/afbb8985b3935c87f1d2427ab5811080ad031d97 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/afbb8985b3935c87f1d2427ab5811080ad031d97 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 15:52:45 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Wed, 22 Nov 2023 15:52:45 +0000 Subject: [Git][reproducible-builds/reproducible-misc][master] clean-notes: allow for more tags when a package is blacklisted Message-ID: <655e23cd9f1c7_5e76bff178c706130@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-misc Commits: ee183cfd by Mattia Rizzolo at 2023-11-22T16:52:16+01:00 clean-notes: allow for more tags when a package is blacklisted Signed-off-by: Mattia Rizzolo <mattia at debian.org> - - - - - 1 changed file: - clean-notes Changes: ===================================== clean-notes ===================================== @@ -181,7 +181,14 @@ def check_notes_validity(notes, testedpkgs): errors = True continue if testedpkgs[pkg]["status"] == "blacklisted": - if not note.get("comments", "") and "ftbfs_in_jenkins_setup" not in note.get("issues", []): + # blacklisted packages really need to have any of these tags + # applied (and possibly also a comment describing so) + valid_tags = { + "ftbfs_in_jenkins_setup", + "blacklisted_on_jenkins", + "blacklisted_on_jenkins_armhf_only", + } + if not valid_tags.intersection(note.get("issues", [])): log.critical( "the package %s is blacklisted, but no note was found", pkg ) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-misc/-/commit/ee183cfd2782e9998753534cb269c074f215fbbb -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-misc/-/commit/ee183cfd2782e9998753534cb269c074f215fbbb You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 15:54:01 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Wed, 22 Nov 2023 15:54:01 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] 2 commits: Remove archived bugs Message-ID: <655e2419ec350_5e76c01e41c7061751@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: b450d9b6 by automatic commit from Mattia Rizzolo at 2023-11-22T15:53:09+00:00 Remove archived bugs - - - - - 250e89ff by automatic commit from Mattia Rizzolo at 2023-11-22T15:53:30+00:00 --fix-deterministic - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -6,10 +6,6 @@ version: 2.3.1-1 issues: - usr_lib_debug_dotdwz_dir_inherits_build_user -3d-ascii-viewer-c: - version: 1.3.0+ds-1 - issues: - - captures_build_path 4digits: version: 1.1.4-1 issues: @@ -114,10 +110,6 @@ accountsservice: version: 22.08.8-1 issues: - build_path_used_to_determine_version_or_package_name -ace: - version: 7.0.3+dfsg-2 - issues: - - captures_build_path acepack: version: 1.3.3.3-2 issues: @@ -144,14 +136,6 @@ acl2: issues: - blacklisted_on_jenkins - blacklisted_on_jenkins_armhf_only -acm: - version: 6.0+20200416-1 - issues: - - captures_build_path -acme: - version: 1:0.97~svn20211115+ds-1 - issues: - - captures_build_path acmetool: version: 0.0.51-1 issues: @@ -349,10 +333,6 @@ akonadi-search: issues: - build_id_differences_only - cmake_rpath_contains_build_path -akonadiconsole: - version: 4:20.08.3-1 - issues: - - timestamps_in_source_generated_by_rcc akregator: version: 4:21.08.1-1 comments: | @@ -376,10 +356,6 @@ alertmanager-irc-relay: issues: - randomness_in_binaries_generated_by_golang - records_build_flags -alevt: - version: 1:1.8.0-2 - issues: - - captures_build_path alire: version: 1.2.1-1 comments: | @@ -515,8 +491,6 @@ android-platform-frameworks-base: framework-res.apk is a zip file which contains timestamp differences, although this appears to be fixed in 13.x currently in experimental. - issues: - - timestamps_in_zip android-platform-libcore: version: 6.0.1+r10-1 issues: @@ -565,7 +539,6 @@ antimony: version: 0.9.3-1 issues: - captures_build_path_via_assert - - timestamps_in_source_generated_by_rcc antlr: version: 2.7.7+dfsg-6 issues: @@ -593,8 +566,6 @@ anytun: comments: | Embed build time and hostname: https://sources.debian.net/src/anytun/0.3.5-1/src/configure/?hl=367:368,383#L367 - issues: - - captures_build_path aodh: version: 1.0.0-11 comments: | @@ -813,10 +784,6 @@ apt-dpkg-ref: - timestamps_in_ps_generated_by_dvips - timestamps_in_dvi_generated_by_latex - random_id_in_pdf_generated_by_dblatex -apt-offline: - version: 1.8.5-1 - issues: - - timestamps_in_source_generated_by_rcc aptly: version: 0.9.7-1 issues: @@ -1046,10 +1013,6 @@ aspic: issues: - pdf_created_by_ghostscript - gcc_captures_build_path -assembly-stats: - version: 1.0.1+ds-3 - issues: - - captures_build_path assertj-core: version: 2.3.0-2 issues: @@ -1062,10 +1025,6 @@ assword: version: 0.10-2 bugs: - 891205 -asterisk-flite: - version: 3.0-4 - issues: - - captures_build_path asterisk-prompt-fr-armelle: version: 20070613-2 issues: @@ -1424,7 +1383,6 @@ baloo-kf5: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - build_id_differences_only - - timestamps_in_qhc - cmake_rpath_contains_build_path baloo-widgets: version: 21.08.0-1 @@ -1845,10 +1803,6 @@ bladerf: version: 0.2016.06-1 issues: - build_id_differences_only -blaspp: - version: 2023.08.25-2 - bugs: - - 1053263 blasr: version: 5.3-2 issues: @@ -1956,7 +1910,6 @@ bluez-qt: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - build_id_variation_requiring_further_investigation - - timestamps_in_qhc - cmake_rpath_contains_build_path - build_path_identifiers_in_documentation_generated_by_doxygen bmusb: @@ -2712,8 +2665,6 @@ cgit: version: 1.0+git2.8.3-3 comments: | Captures $HOME. - issues: - - captures_home_dir cglib: version: 3.2.4-1 issues: @@ -2765,10 +2716,6 @@ cheetah: issues: - gcc_captures_build_path - randomness_in_documentation_generated_by_sphinx -chemeq: - version: 3.6-1 - issues: - - captures_build_path chemps2: version: 1.8-1 issues: @@ -2828,7 +2775,6 @@ choqok: comments: | rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - - captures_build_path - cmake_rpath_contains_build_path chromaprint: version: 1.3.2-2 @@ -2970,8 +2916,6 @@ clfft: version: 2.12.2-3.2 issues: - cmake_rpath_contains_build_path - bugs: - - 1003375 clhep: version: 2.1.4.1-1.1 issues: @@ -3107,10 +3051,6 @@ cmor: Command to find where are set the timestamps: ack-grep -B3 snprintf.*ptr issues: - gcc_captures_build_path -cmtk: - version: 3.2.2-1.4 - issues: - - captures_build_path cmucl: version: 21a-4 comments: | @@ -3517,10 +3457,6 @@ cp2k: . docs partly use this value, but also party use "current-dateTime()" from some XLST library. -cpdb-libs: - version: 1.2.0-3 - issues: - - captures_build_path cpl-plugin-naco: version: 4.4.1+dfsg-3 issues: @@ -3529,10 +3465,6 @@ cpmtools: version: 2.20-2 issues: - build_id_differences_only -cpp-hocon: - version: 0.1.7-1 - issues: - - captures_build_path cppad: version: 2021.00.00.8-1 comments: | @@ -3621,10 +3553,6 @@ cronutils: version: 1.9-1 bugs: - 863072 -cross-toolchain-base: - version: '56' - issues: - - captures_build_path cross-toolchain-base-ports: version: '35' comments: | @@ -3732,9 +3660,6 @@ cupt: https://sources.debian.net/src/cupt/latest/doc/functionalselectors.t2t/?hl=3#L3 https://sources.debian.net/src/cupt/latest/doc/tutorial.t2t/?hl=3#L3 `%%mtime` could probably be used instead. - issues: - - timezones_manpages_podman - - captures_build_path curl: version: 7.50.1-1 issues: @@ -4214,10 +4139,6 @@ deepin-album: version: 5.9.1-1 issues: - dynstr_section_longer_by_two_bytes_which_are_NULs -deepin-deb-installer: - version: 5.8.1-1 - issues: - - captures_build_path deepin-image-viewer: version: 5.8.2-1 issues: @@ -4260,8 +4181,6 @@ denemo: packagesrcdir=`cd $srcdir && pwd` AC_DEFINE_UNQUOTED( PACKAGE_SOURCE_DIR, "${packagesrcdir}", [set package source dir]) - issues: - - captures_build_path derby: version: 10.10.2.0-1 issues: @@ -4294,10 +4213,6 @@ devio: version: 1.2-1.2 issues: - gcc_captures_build_path -dextractor: - version: 1.0-6 - issues: - - captures_build_path dh-ada-library: version: 7.6 issues: @@ -4820,10 +4735,6 @@ dune-uggrid: issues: - captures_build_path_via_assert - records_build_flags -dupeguru: - version: 4.3.1-2 - issues: - - timestamps_in_source_generated_by_rcc dustmite: version: 0~20170126.e95dff8-1 comments: | @@ -4943,7 +4854,6 @@ ecflow: Also other build path issues, possibly ecbuild related. issues: - cmake_rpath_contains_build_path - - captures_build_path echoping: version: 6.0.2-8 comments: | @@ -5150,10 +5060,6 @@ eliom: comments: | Checksum in /usr/share/doc/libeliom-ocaml-doc/client/api.docdir/html.stamp Created by ocamlbuild? https://sources.debian.net/src/eliom/4.2-1/build/doc.ml/#L12 -elisa-player: - version: 20.12.3-1 - issues: - - timestamps_in_source_generated_by_rcc elki: version: 0.7.0-2 issues: @@ -5303,18 +5209,10 @@ erlang: version: 1:18.0-dfsg-1 issues: - timestamps_in_pdf_generated_by_apache_fop -erlang-asciideck: - version: 0.0+git20170714.48cbfe8b-4 - issues: - - captures_build_path_in_beam_cma_cmt_files erlang-cowlib: version: 1.3.0-1 comments: | Apparent non-determinism in compilation of the .beam files, potentially interesting. -erlang-jiffy: - version: 0.14.6+dfsg-1 - issues: - - captures_build_path_in_beam_cma_cmt_files erlang-p1-stringprep: version: 1.0.22-1 issues: @@ -5557,10 +5455,6 @@ fassets: issues: - randomness_in_r_rdb_rds_databases - gcc_captures_build_path -fasta3: - version: 36.3.8h.2020-02-11-2 - issues: - - captures_build_path fastd: version: 18-2 issues: @@ -5779,10 +5673,6 @@ fdutils: issues: - timestamps_in_ps_generated_by_dvips - timestamps_in_dvi_generated_by_latex -feff85exafs: - version: 0.2+dfsg-2 - issues: - - captures_build_path felix-bundlerepository: version: 2.0.6-1 issues: @@ -5944,10 +5834,6 @@ fig2dev: version: 1:3.2.6-2 issues: - random_id_in_pdf_generated_by_dblatex -fig2sxd: - version: 0.23-1 - issues: - - captures_build_path filament: version: 1.9.25+dfsg2-10 comments: | @@ -5956,8 +5842,6 @@ filament: ...and disables warnings about using __DATE__ without which gcc/clang would otherwise use SOURCE_DATE_EPOCH? https://sources.debian.org/src/filament/1.9.25%2Bdfsg2-10/third_party/civetweb/src/civetweb.c/#L319 - issues: - - timestamps_from_cpp_macros fileschanged: version: 0.6.5-1.2 issues: @@ -6348,10 +6232,6 @@ foreign: issues: - randomness_in_r_rdb_rds_databases - gcc_captures_build_path -forge: - version: 0.9.0-1 - issues: - - captures_build_path form: version: 4.1-1 issues: @@ -6725,10 +6605,6 @@ galleta: version: 1.0+20040505-8 issues: - gcc_captures_build_path -gambas3: - version: 3.18.0-2 - issues: - - captures_build_path gambc: version: 4.8.8-3 issues: @@ -6858,14 +6734,6 @@ gatb-core: issues: - captures_kernel_version_via_CMAKE_SYSTEM - timestamps_in_cmake -gatk-bwamem: - version: 1.0.4+dfsg2-2 - issues: - - captures_build_path -gatk-fermilite: - version: 1.2.1+dfsg-2 - issues: - - captures_build_path gauche: version: 0.9.4-6 issues: @@ -7105,7 +6973,6 @@ gcc-riscv64-unknown-elf: issues: - captures_shell_variable_in_autofoo_script - paths_vary_due_to_usrmerge - - timestamps_in_static_libraries gcc-sh-elf: version: 2 comments: | @@ -7128,7 +6995,6 @@ gcc-xtensa-lx106: issues: - paths_vary_due_to_usrmerge - bin_sh_is_bash - - timestamps_in_static_libraries gcl: version: 2.6.12-1 issues: @@ -7254,10 +7120,6 @@ gegl: /usr/share/doc/libgegl-doc/gallery/clones.txt bugs: - 895138 -geiser: - version: 0.8.1-1 - issues: - - captures_build_path geki2: version: 2.0.3-9 issues: @@ -7266,10 +7128,6 @@ geki3: version: 1.0.3-8.1 issues: - gcc_captures_build_path -genders: - version: 1.22-1 - issues: - - captures_build_path genext2fs: version: 1.4.1-4 issues: @@ -7525,10 +7383,6 @@ ginkgocadx: version: 3.8.3-1 issues: - build_id_differences_only -gio-qt: - version: 0.0.12-1 - issues: - - captures_build_path gio-sharp: version: 2.22.3-3 issues: @@ -7639,10 +7493,6 @@ gkrellm-x86info: version: 0.0.2-9 issues: - gcc_captures_build_path -gkrellmoon: - version: 0.6-6 - issues: - - captures_build_path gkrelltop: version: 2.2.13-1 issues: @@ -7966,14 +7816,6 @@ gnucobol: version: 2.2-5 issues: - captures_build_path_via_assert -gnucobol3: - version: 3.1.2-1 - issues: - - captures_build_path -gnucobol4: - version: 4.0~early~20200606-5 - issues: - - captures_build_path gnudatalanguage: version: 0.9.6v2-3 issues: @@ -8073,7 +7915,6 @@ go-for-it: go-gir-generator: version: 2.0.2-1 issues: - - captures_build_path - randomness_in_binaries_generated_by_golang go-md2man-v2: version: 2.0.1+ds1-1 @@ -8851,10 +8692,6 @@ gqrx-sdr: version: 2.5.3-2 issues: - gcc_captures_build_path -gr-air-modes: - version: 0.0.2.65e5bd1-1 - issues: - - captures_build_path gr-dab: version: 0.3-2 issues: @@ -8974,10 +8811,6 @@ grantlee: version: 0.4.0-4 issues: - build_id_differences_only -grantlee-editor: - version: 4:20.08.3-1 - issues: - - timestamps_in_source_generated_by_rcc grantlee5: version: 5.1.0-2 comments: | @@ -9057,10 +8890,6 @@ gregmisc: version: 2.1.5-2 issues: - randomness_in_r_rdb_rds_databases -gretl: - version: 2022a-1 - issues: - - captures_build_path grhino: version: 0.16.1-3 issues: @@ -9582,10 +9411,6 @@ haskell-happstack-authenticate: version: 2.6.1-1 issues: - haskell_abi_hash_differences -haskell-haskell-gi-base: - version: 0.24.2-1 - bugs: - - 969958 haskell-hledger: version: 1.2-1 issues: @@ -10253,10 +10078,6 @@ iem-plugin-suite: version: 1.11.0-2 issues: - captures_build_path_via_assert -ifeffit: - version: 2:1.2.11d-12.2 - issues: - - captures_build_path ifrit: version: 4.1.2-5 issues: @@ -10361,7 +10182,6 @@ imagemagick: - records_build_flags - paths_vary_due_to_usrmerge bugs: - - 983302 - 983303 imagination: version: 3.6-1 @@ -10479,10 +10299,6 @@ intel-graphics-compiler: version: 1.0.12504.6-1 issues: - gcc_captures_build_path -intel-ipsec-mb: - version: 1.3-2 - issues: - - captures_build_path intel-mediasdk: version: 20.3.0-1 issues: @@ -10660,8 +10476,6 @@ isc-kea: version: 1.0.0-4 comments: | (testing/i386) build path in generated shell scripts - issues: - - captures_build_path isdnutils: version: 1:3.25+dfsg1-8 comments: | @@ -10908,10 +10722,6 @@ java-imaging-utilities: version: 0.14.3-2 issues: - random_id_in_pdf_generated_by_dblatex -java-policy: - version: 0.55 - issues: - - timestamps_in_ps_generated_by_dvips java2html: version: 0.9.2-5 issues: @@ -11265,7 +11075,6 @@ jta: jtdx: version: 2.2.159-1 issues: - - timestamps_in_source_generated_by_rcc - captures_kernel_variant jtharness: version: 5.0-2 @@ -11380,10 +11189,6 @@ kactivitymanagerd: version: 5.8.0-1 issues: - build_id_differences_only -kaddressbook: - version: 4:20.08.3-1 - issues: - - timestamps_in_source_generated_by_rcc kafs-client: version: 0.5-2 issues: @@ -11428,10 +11233,6 @@ kappanhang: version: 1.3-2 issues: - records_build_flags -karchive: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kate: version: 4:22.04.3-1 comments: | @@ -11465,10 +11266,6 @@ kbibtex: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path -kbookmarks: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kbuild: version: 1:0.1.9998svn2814+dfsg-2 issues: @@ -11502,10 +11299,6 @@ kcollectd: version: 0.9-4 issues: - gcc_captures_build_path -kcompletion: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kconfig: version: 5.26.0-1 comments: | @@ -11517,7 +11310,6 @@ kconfig: kconfigwidgets: version: 5.70.0-2 issues: - - timestamps_in_qhc - build_dir_in_tags_generated_by_doxygen kcontacts: version: 5:5.77.0-2 @@ -11532,14 +11324,6 @@ kcptun: version: 20171201+ds-1 issues: - randomness_in_binaries_generated_by_golang -kcrash: - version: 5.107.0-1 - issues: - - timestamps_in_qhc -kdav: - version: 1:5.107.0-1 - issues: - - timestamps_in_qhc kdb: version: 3.2.0-5 comments: | @@ -11669,7 +11453,6 @@ keditbookmarks: comments: | rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - - timestamps_in_source_generated_by_rcc - cmake_rpath_contains_build_path keepalived: version: 1:1.2.13-1 @@ -11745,10 +11528,6 @@ kfilemetadata-kf5: - cmake_rpath_contains_build_path - build_path_identifiers_in_documentation_generated_by_doxygen - build_dir_in_tags_generated_by_doxygen -kfourinline: - version: 4:16.04.0-1 - issues: - - captures_build_path kget: version: 4:21.08.0-1 issues: @@ -11948,10 +11727,6 @@ kissplice: version: 2.4.0-p1-1 issues: - gcc_captures_build_path -kitemviews: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kiten: version: 4:16.08.2-1 comments: | @@ -12078,10 +11853,6 @@ knotifications: issues: - gcc_captures_build_path - ftbfs_due_to_f-file-prefix-map -knotifyconfig: - version: 5.107.0-1 - issues: - - timestamps_in_qhc knowthelist: version: 2.3.0-2 comments: | @@ -12321,7 +12092,6 @@ kompare: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - build_id_differences_only - - timestamps_in_source_generated_by_rcc - cmake_rpath_contains_build_path konqueror: version: 4:21.08.2-1 @@ -12419,14 +12189,6 @@ kpipewire: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path -kplotting: - version: 5.107.0-1 - issues: - - timestamps_in_qhc -kpty: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kpublictransport: version: 22.04.2-1 comments: | @@ -12486,10 +12248,6 @@ kross: version: 5.26.0-1 issues: - build_id_differences_only -krunner: - version: 5.107.0-1 - issues: - - timestamps_in_qhc krusader: version: 2:2.7.2-2 issues: @@ -12609,10 +12367,6 @@ kubernetes-split-yaml: issues: - records_build_flags - randomness_in_binaries_generated_by_golang -kunitconversion: - version: 5.107.0-1 - issues: - - timestamps_in_qhc kup-backup: version: 0.6.1+dfsg-1 comments: | @@ -12732,10 +12486,6 @@ labltk: version: 8.06.0+dfsg-3 issues: - randomness_in_ocaml_provides -labplot: - version: 2.9.0-1 - issues: - - captures_build_path labrea: version: 2.5-stable-3 issues: @@ -12795,10 +12545,6 @@ lapack: version: 3.10.0-1 issues: - nondeterministic_ordering_in_documentation_generated_by_doxygen -lapackpp: - version: 2023.08.25-1 - bugs: - - 1053205 lasi: version: 1.1.0-1.1 issues: @@ -13184,10 +12930,6 @@ libapache2-mod-ruid2: version: 0.9.8-3 issues: - different_due_to_umask -libapache2-mod-tile: - version: 0.6.1-2 - issues: - - captures_build_path libapache2-mod-watchcat: version: 1.1.2-1 issues: @@ -13463,7 +13205,6 @@ libdbusmenu: libdbusmenu-qt: version: 0.9.3+16.04.20160218-1 issues: - - captures_build_path - absolute_build_dir_in_docs_generated_by_doxygen_ref libdc1394-22: version: 2.2.4-1 @@ -13551,7 +13292,6 @@ libept: version: 1.0.14 issues: - random_order_in_static_libraries - - captures_build_path libesedb: version: 20181229-3.1 issues: @@ -14140,10 +13880,6 @@ libkf5ksieve: issues: - build_id_differences_only - cmake_rpath_contains_build_path -libkf5mailcommon: - version: 4:16.04.2-2 - issues: - - timestamps_in_h_generated_by_qdbusxml2cpp libkf5mailimporter: version: 4:21.08.1-1 comments: | @@ -14333,8 +14069,6 @@ libmediascan: comments: | embeds rpath, and even though it is removed in debian/rules this still changes the BuildID. - issues: - - captures_build_path libmemcached: version: 1.1.4-1 comments: | @@ -14493,10 +14227,6 @@ libnzb: version: 0.0.20050629-6.2 issues: - gcc_captures_build_path -libobjcryst: - version: 2021.1.2+ds1-1 - issues: - - captures_build_path libofetion: version: 2.2.2-1 issues: @@ -14747,10 +14477,6 @@ libqes: issues: - build_id_differences_only - cmake_rpath_contains_build_path -libqglviewer: - version: 2.8.0+dfsg1-2 - issues: - - captures_build_dir_in_qmake_prl_files libqtdbusmock: version: 0.7+bzr49+repack1-1 issues: @@ -14945,10 +14671,6 @@ libsigc++-2.0: version: 2.10.4-2 issues: - nondeterministic_ordering_in_documentation_generated_by_doxygen -libsimpleini: - version: 4.20+dfsg-1 - issues: - - captures_build_path libsis-jhdf5-java: version: 14.12.6-1 bugs: @@ -15054,7 +14776,6 @@ libsx: and usrmerge paths. issues: - gcc_captures_build_path - - captures_build_path - paths_vary_due_to_usrmerge bugs: - 1021860 @@ -15747,7 +15468,6 @@ lomiri-action-api: Build path embedded in /usr/share/doc/lomiri-action-doc/qml/lomiri-action-qml-api.index.gz issues: - - captures_build_path - cmake_rpath_contains_build_path bugs: - 1034129 @@ -15773,10 +15493,6 @@ lomiri-download-manager: version: 0.1.0-3 issues: - build_path_in_qdoc -lomiri-gallery-app: - version: 3.0.1-1 - issues: - - captures_build_path_via_cmake_variables lomiri-indicator-network: version: 1.0.0~git20220718.2ca3619-1 comments: | @@ -15793,10 +15509,6 @@ lomiri-notifications: version: 1.3.0~git20221006.bbc9b92-1 issues: - captures_varying_number_of_build_path_directory_components -lomiri-system-settings: - version: 1.0~git20221229.bc061a4-1 - issues: - - timestamps_in_source_generated_by_rcc lomiri-thumbnailer: version: 3.0.0-1 issues: @@ -16256,7 +15968,6 @@ manderlbot: version: 0.9.2-19 issues: - fonts_in_pdf_files - - captures_build_path_in_beam_cma_cmt_files - paths_vary_due_to_usrmerge bugs: - 1037296 @@ -16491,10 +16202,6 @@ mc: version: 3:4.8.17-1 issues: - records_build_flags -mcabber: - version: 1.1.0-2 - issues: - - timestamps_in_tex_documents mcl: version: 1:14-137+ds-1 comments: | @@ -16507,8 +16214,6 @@ mclibs: issues: - timestamps_in_ps_generated_by_dvips - captures_build_path - bugs: - - 776567 mcpl: version: 1.3.2-2 comments: | @@ -16591,10 +16296,6 @@ megaglest: version: 3.12.0-2 issues: - gcc_captures_build_path -megahit: - version: 1.2.9-2 - issues: - - captures_build_path members: version: 20080128-5 issues: @@ -16704,10 +16405,6 @@ metview: - captures_build_arch_via_ecbuild - captures_kernel_version_via_ecbuild - records_build_flags_from_ecbuild -mfem: - version: 4.5.2+ds-1 - bugs: - - 1036221 mgcv: version: 1.8-14-1 issues: @@ -16825,10 +16522,6 @@ minlog: version: 4.0.99.20100221-5.2 issues: - fonts_in_pdf_files -minuet: - version: 20.12.1-1 - issues: - - timestamps_in_source_generated_by_rcc mir: version: 1.8.0+dfsg1-18 issues: @@ -16865,7 +16558,6 @@ misc3d: misery: version: 0.2-1.1 issues: - - captures_build_path - ocaml_captures_build_path missfits: version: 2.8.0-1 @@ -17308,8 +17000,6 @@ mp4h: Embeds build duration in the documentation (in example output of a timer functionality). . Note: 1.3.1-14 and -15 seem to have been about similar issues, see changelog. - issues: - - captures_build_path mp4parser: version: 1.1.22-1 comments: | @@ -17400,8 +17090,6 @@ mrmpi: Random order of content in PDF due to star wildcard usage: https://sources.debian.net/src/mrmpi/1.0~20140404-1/debian/rules/?hl=55#L55 https://sources.debian.net/src/mrmpi/1.0~20140404-1/debian/rules/?hl=65#L65 - issues: - - timestamps_in_documentation_generated_by_htmldoc mrpt: version: 1:1.2.2-1.1 issues: @@ -17775,10 +17463,6 @@ ndpmon: version: 1.4.0-2.1 issues: - gcc_captures_build_path -ne: - version: 3.3.1-1 - issues: - - captures_build_path ne10: version: 1.2.1-3 comments: | @@ -17834,7 +17518,6 @@ neovim-qt: version: 0.2.16-1 issues: - records_build_flags - - timestamps_in_source_generated_by_rcc bugs: - 963688 net-snmp: @@ -18306,10 +17989,6 @@ node-deepmerge: version: 4.2.2-1 issues: - rollup_embeds_build_path -node-dot: - version: 1.1.3+ds-2 - issues: - - captures_build_path node-emotion: version: 11.10.7+ds1+~cs8.3.3-3 issues: @@ -18761,10 +18440,6 @@ oaklisp: version: 1.3.6-2 issues: - timestamps_in_pdf_generated_by_latex -oar: - version: 2.5.7-2 - issues: - - captures_build_path oasis: version: 0.4.4-2 bugs: @@ -19092,10 +18767,6 @@ ocaml-magic-mime: version: 1.2.0-1 issues: - ocaml_dune_captures_build_path -ocaml-mccs: - version: 1.1+10-2 - issues: - - captures_build_path_in_beam_cma_cmt_files ocaml-melt: version: 1.4.0-1 issues: @@ -19521,10 +19192,6 @@ octavia: version: 13.0.0-2 issues: - randomness_in_documentation_generated_by_sphinx -octomap: - version: 1.9.5+dfsg-1 - issues: - - timestamps_in_source_generated_by_rcc ocurl: version: 0.9.0-2 comments: | @@ -20690,10 +20357,6 @@ pcb-rnd: version: 3.1.1-1 comments: | Various modules and other subdirectories do not respect dpkg-buildflags. Some of these might be easy to patch -- such as ./scconfig/Makefile -- but it seems like some of the modules source their CFLAGS and LDFLAGS from a generated file. -pccts: - version: 1.33MR33-6.2 - issues: - - captures_build_path pcl: version: 1.11.1+dfsg-1 issues: @@ -21070,10 +20733,6 @@ pgrouting: - gcc_captures_build_path - captures_kernel_version_via_CMAKE_SYSTEM - timestamps_in_cmake -pgsphere: - version: 1.1.1+2018.10.13-1 - issues: - - captures_build_path pgsql-asn1oid: version: 0.0.20100818-3.2 issues: @@ -21225,7 +20884,6 @@ php8.2: Possible fix for timestamps in /usr/bin/phar*.phar files: https://gist.github.com/jelly/96847934239aac19c512c54ca65d6baa issues: - - captures_build_path - paths_vary_due_to_usrmerge - records_build_flags - test_suite_logs @@ -21551,10 +21209,6 @@ plotsauce: version: 0~0.1-1 issues: - captures_build_path_via_assert -plover: - version: 4.0.0~dev10-1 - issues: - - timestamps_in_source_generated_by_rcc plplot: version: 5.10.0+dfsg2-0.1 issues: @@ -21662,7 +21316,6 @@ pollen: version: 4.21-2 issues: - golang_compiler_captures_build_path_in_binary - - captures_build_path - randomness_in_binaries_generated_by_golang polspline: version: 1.1.12-2 @@ -22088,16 +21741,10 @@ proftpd-mod-fsync: leaving the path in the linker input. issues: - build_id_differences_only -proftpd-mod-geoip2: - version: 0.1-1 - issues: - - captures_build_path proftpd-mod-kafka: version: 0.1-1 comments: | Needs DPKG_EXPORT_BUILDFLAGS to ensure GCC calls in Makefile.in use prefix-map etc., but still embeds build path afterwards. - issues: - - captures_build_path proftpd-mod-msg: version: 0.4.1-1.1 comments: | @@ -22105,10 +21752,6 @@ proftpd-mod-msg: leaving the path in the linker input. issues: - build_id_differences_only -proftpd-mod-sftp-ldap: - version: 0.2-1 - issues: - - captures_build_path proftpd-mod-statsd: version: 0.1-1 issues: @@ -22352,10 +21995,6 @@ pslib: version: 0.4.5-3.1 issues: - gcc_captures_build_path -psocksxx: - version: 1.1.0-1.2 - issues: - - captures_build_path pspp: version: 0.10.2-1 issues: @@ -23970,7 +23609,6 @@ qhttpengine: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - build_id_differences_only - - timestamps_in_source_generated_by_rcc - cmake_rpath_contains_build_path - build_path_identifiers_in_documentation_generated_by_doxygen qhull: @@ -24026,14 +23664,6 @@ qmtest: version: 2.4.1-3 issues: - gcc_captures_build_path -qoauth: - version: 2.0.1~1-3 - issues: - - captures_build_dir_in_qmake_prl_files -qoi: - version: 0+git20220615+ds-1 - issues: - - captures_build_path qpdf: version: 10.6.3.0cmake1-3 comments: | @@ -24119,8 +23749,6 @@ qt6-base: Build path is embedded in QT_SOURCE_TREE present in cmake/QtBuildInternalsExtra.cmake.in source, and the resulting QtBuildInternalsExtra.cmake shipped in the package. - issues: - - captures_build_path qt6-charts: version: 6.2.2-2 comments: | @@ -24218,10 +23846,6 @@ qt6-svg: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path -qt6-tools: - version: 6.2.2-3 - issues: - - timestamps_in_source_generated_by_rcc qt6-virtualkeyboard: version: 6.2.2+dfsg-3 issues: @@ -24234,10 +23858,6 @@ qt6-webchannel: version: 6.2.2-3 issues: - timestamps_in_source_generated_by_rcc -qt6-websockets: - version: 6.2.2-3 - issues: - - timestamps_in_source_generated_by_rcc qt6-webview: version: 6.2.2-3 comments: | @@ -24284,10 +23904,6 @@ qtdatavis3d-everywhere-src: issues: - build_path_in_index_files_generated_by_qdoc - timestamps_in_qhc -qtdbusextended: - version: 0.0.3-6 - issues: - - captures_build_path qtdeclarative-opensource-src: version: 5.4.1-1 issues: @@ -24314,10 +23930,6 @@ qtexengine: version: 0.3-3 issues: - timestamps_in_qmake_makefiles -qtfeedback-opensource-src: - version: 5.0~git20180903.a14bd0b-5 - issues: - - captures_build_dir_in_qmake_prl_files qtgamepad-everywhere-src: version: 5.15.2-4 issues: @@ -24347,7 +23959,6 @@ qtmultimedia-opensource-src: version: 5.3.2-5 issues: - randomness_in_qdoc - - captures_build_dir_in_qmake_prl_files qtnetworkauth-everywhere-src: version: 5.11.3-2 comments: | @@ -24429,10 +24040,6 @@ qtsvg-opensource-src: issues: - randomness_in_qdoc - timestamps_in_qhc -qtsystems-opensource-src: - version: 5.0~git20181230.e3332ee3-2 - issues: - - captures_build_dir_in_qmake_prl_files qttools-opensource-src: version: 5.3.2-3 issues: @@ -24443,7 +24050,6 @@ qtvirtualkeyboard-opensource-src: version: 5.11.3+dfsg-2 issues: - build_path_in_qdoc - - timestamps_in_qhc qtwayland-opensource-src: version: 5.10.1-3 issues: @@ -24490,7 +24096,6 @@ qtxmlpatterns-opensource-src: version: 5.3.2-2 issues: - randomness_in_qdoc - - timestamps_in_qhc quadprog: version: 1.5-5-2 issues: @@ -25395,7 +25000,6 @@ r-cran-amap: r-cran-amelia: version: 1.7.3-1 issues: - - timestamps_in_description_files_generated_by_r-base-dev - randomness_in_r_rdb_rds_databases r-cran-amore: version: 0.2-15-1 @@ -29791,10 +29395,6 @@ rapache: version: 1.2.8-1 issues: - gcc_captures_build_path -rapid-photo-downloader: - version: 0.9.33-1 - issues: - - timestamps_in_source_generated_by_rcc rapmap: version: 0.3.0+dfsg-1 issues: @@ -29807,10 +29407,6 @@ raspell: version: 1.3-1 issues: - gcc_captures_build_path -rasterview: - version: 1.8-1 - issues: - - captures_build_path ratfor: version: 1.0-16 issues: @@ -29963,10 +29559,6 @@ regina-normal: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - cmake_rpath_contains_build_path -reglookup: - version: 1.0.1+svn287-4 - issues: - - captures_build_path reiser4progs: version: 1.1.0-1.1 issues: @@ -30386,10 +29978,6 @@ rotter: - gcc_captures_build_path bugs: - 1020755 -route-rnd: - version: 0.9.2-1 - issues: - - captures_build_path routino: version: 3.1.1-3 comments: | @@ -30483,7 +30071,6 @@ rtklib: version: 2.4.3+dfsg1-1 issues: - captures_build_path_via_assert - - timestamps_in_source_generated_by_rcc rtl-sdr: version: 0.5.3-11 comments: | @@ -30675,10 +30262,6 @@ ruby-filesystem: version: 0.5-5.1 issues: - gcc_captures_build_path -ruby-friendly-id: - version: 5.4.2-1 - issues: - - captures_build_path ruby-ftw: version: 0.0.44-1 bugs: @@ -31813,10 +31396,6 @@ simulavr: version: 1.0.0+git20160221.e53413b-1 issues: - gcc_captures_build_path -simulpic: - version: 1:2005-1-28-10 - issues: - - captures_build_path simutrans-pak128.britain: version: 1.17-1 issues: @@ -32337,7 +31916,6 @@ sphinx: issues: - randomness_in_documentation_generated_by_sphinx bugs: - - 1025801 - 1050693 sphinx-autoapi: version: 1.5.1-2 @@ -32661,10 +32239,6 @@ steghide: version: 0.5.1-14 issues: - captures_build_path_via_assert -stella: - version: 6.5.2-1 - issues: - - captures_build_path stellarium: version: 0.15.0-1 issues: @@ -32698,10 +32272,6 @@ stoken: version: 0.91-1 issues: - gcc_captures_build_path -stone: - version: 2.4-1 - issues: - - captures_build_path stopt: version: 5.0~rc3+dfsg-1 comments: | @@ -33542,10 +33112,6 @@ thunderbird: issues: - diffoscope_runs_forever - blacklisted_on_jenkins -thunderbolt-tools: - version: 0.9.1-1 - issues: - - timestamps_in_output_generated_by_txt2tags tidy-html5: version: 1:5.2.0-2 comments: | @@ -33736,7 +33302,6 @@ tolua++: version: 1.0.93-3 issues: - gcc_captures_build_path - - captures_build_path bugs: - 1024279 tomboy: @@ -33820,10 +33385,6 @@ toxiproxy: version: 2.0.0+dfsg1-3 issues: - golang_compiler_captures_build_path_in_binary -tpm2-pytss: - version: 1.2.0-2 - bugs: - - 1022777 trace-cmd: version: 2.6-0.1 issues: @@ -33927,10 +33488,6 @@ tstools: version: 1.11-1 issues: - gcc_captures_build_path -tsung: - version: 1.7.0-3.1 - issues: - - captures_build_path_in_beam_cma_cmt_files ttf-freefont: version: 20100919-1 issues: @@ -33975,10 +33532,6 @@ tuxcmd-modules: version: 0.6.70+ds-5 issues: - gcc_captures_build_path -tuxguitar: - version: 1.5.6+dfsg1-1 - issues: - - captures_build_path tuxpaint: version: 1:0.9.22-2 comments: | @@ -34098,10 +33651,6 @@ u1db: version: 13.10-6.2 issues: - gcc_captures_build_path -u1db-qt: - version: 0.1.7~git20210730.507a5bf-1 - issues: - - timestamps_in_qhc uanytun: version: 0.3.5-1 issues: @@ -34393,10 +33942,6 @@ userv: issues: - timestamps_in_gzip_headers - timestamps_in_ps_generated_by_dvips -userv-utils: - version: 0.6.1-2 - issues: - - captures_build_path utalk: version: 1.0.1.beta-8 issues: @@ -34504,10 +34049,6 @@ vdr-plugin-dvbsddevice: version: 2.2.0-9 issues: - captures_build_path_via_assert -vdr-plugin-dvd: - version: 0.3.6~b03+git20211216-1 - issues: - - captures_build_path vdr-plugin-epgsearch: version: 1.0.1~beta6+git20150211-4 issues: @@ -34594,10 +34135,6 @@ veusz: version: 1.21.1-1 issues: - captures_build_arch -veyon: - version: 4.5.3+repack1-1 - issues: - - timestamps_in_source_generated_by_rcc vflib3: version: 3.6.14.dfsg-3+nmu2 issues: @@ -35101,8 +34638,6 @@ wlcs: version: 1.1.0+dfsg-1 comments: | Uses -ffile-prefix-map= but still encodes the absolute build dir to some source files. - issues: - - captures_build_path wmcalc: version: 0.6-1 issues: @@ -36112,10 +35647,6 @@ zbar: version: 0.10+doc-10 issues: - gcc_captures_build_path -zeal: - version: 1:0.6.1+git20220714+6fee23-1 - bugs: - - 1015246 zed: version: 1.4-3 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/1ad342a07bd90341c2cc799f219141d263aaf536...250e89ffbb1357d83ba0696e0270e98f314719c2 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/1ad342a07bd90341c2cc799f219141d263aaf536...250e89ffbb1357d83ba0696e0270e98f314719c2 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 22 15:59:17 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Wed, 22 Nov 2023 15:59:17 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Remove some notes about now non-issue (build paths) Message-ID: <655e2555b1c8e_5e76c009d3c706339@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: f759391a by Mattia Rizzolo at 2023-11-22T16:59:04+01:00 Remove some notes about now non-issue (build paths) Signed-off-by: Mattia Rizzolo <mattia at debian.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -485,12 +485,6 @@ android-platform-external-libunwind: version: 8.1.0+r23-2 issues: - captures_build_path_via_assert -android-platform-frameworks-base: - version: 1:10.0.0+r36-10 - comments: | - framework-res.apk is a zip file which contains timestamp - differences, although this appears to be fixed in 13.x currently - in experimental. android-platform-libcore: version: 6.0.1+r10-1 issues: @@ -2661,10 +2655,6 @@ cgal: issues: - records_build_flags - build_id_differences_only -cgit: - version: 1.0+git2.8.3-3 - comments: | - Captures $HOME. cglib: version: 3.2.4-1 issues: @@ -3653,13 +3643,6 @@ cups: version: 2.2.10-1 bugs: - 916433 -cupt: - version: 2.9.0 - comments: | - Uses txt2tags `%%date` macro in some documentation: - https://sources.debian.net/src/cupt/latest/doc/functionalselectors.t2t/?hl=3#L3 - https://sources.debian.net/src/cupt/latest/doc/tutorial.t2t/?hl=3#L3 - `%%mtime` could probably be used instead. curl: version: 7.50.1-1 issues: @@ -4172,15 +4155,6 @@ delve: version: 1.5.0-4 issues: - randomness_in_binaries_generated_by_golang -denemo: - version: 2.5.0-1 - comments: | - manually captured in configure.ac: - . - dnl Set PACKAGE_SOURCE_DIR in config.h. - packagesrcdir=`cd $srcdir && pwd` - AC_DEFINE_UNQUOTED( - PACKAGE_SOURCE_DIR, "${packagesrcdir}", [set package source dir]) derby: version: 10.10.2.0-1 issues: @@ -5834,14 +5808,6 @@ fig2dev: version: 1:3.2.6-2 issues: - random_id_in_pdf_generated_by_dblatex -filament: - version: 1.9.25+dfsg2-10 - comments: | - Uses __DATE__ intentionally... - https://sources.debian.org/src/filament/1.9.25%2Bdfsg2-10/third_party/civetweb/src/civetweb.c/#L19221 - ...and disables warnings about using __DATE__ without which - gcc/clang would otherwise use SOURCE_DATE_EPOCH? - https://sources.debian.org/src/filament/1.9.25%2Bdfsg2-10/third_party/civetweb/src/civetweb.c/#L319 fileschanged: version: 0.6.5-1.2 issues: @@ -10472,10 +10438,6 @@ isbg: Filed upstream https://gitlab.com/isbg/isbg/-/issues/151 issues: - sphinxdoc_translations -isc-kea: - version: 1.0.0-4 - comments: | - (testing/i386) build path in generated shell scripts isdnutils: version: 1:3.25+dfsg1-8 comments: | @@ -14064,11 +14026,6 @@ libmcrypt: dpkg-buildflags are not honoured during build, so -fdebug-prefix-map is not used. issues: - gcc_captures_build_path -libmediascan: - version: 0~20220401.git.34fc2d-2 - comments: | - embeds rpath, and even though it is removed in debian/rules this - still changes the BuildID. libmemcached: version: 1.1.4-1 comments: | @@ -16994,12 +16951,6 @@ mp3info: version: 0.8.5a-1 issues: - gcc_captures_build_path -mp4h: - version: 1.3.1-15 - comments: | - Embeds build duration in the documentation (in example output of a timer functionality). - . - Note: 1.3.1-14 and -15 seem to have been about similar issues, see changelog. mp4parser: version: 1.1.22-1 comments: | @@ -17084,12 +17035,6 @@ mriconvert: version: 1:2.0.8-4 issues: - gcc_captures_build_path -mrmpi: - version: 1.0~20140404-1 - comments: | - Random order of content in PDF due to star wildcard usage: - https://sources.debian.net/src/mrmpi/1.0~20140404-1/debian/rules/?hl=55#L55 - https://sources.debian.net/src/mrmpi/1.0~20140404-1/debian/rules/?hl=65#L65 mrpt: version: 1:1.2.2-1.1 issues: @@ -21741,10 +21686,6 @@ proftpd-mod-fsync: leaving the path in the linker input. issues: - build_id_differences_only -proftpd-mod-kafka: - version: 0.1-1 - comments: | - Needs DPKG_EXPORT_BUILDFLAGS to ensure GCC calls in Makefile.in use prefix-map etc., but still embeds build path afterwards. proftpd-mod-msg: version: 0.4.1-1.1 comments: | @@ -23743,12 +23684,6 @@ qt6-5compat: version: 6.3.1-2 issues: - captures_kernel_variant -qt6-base: - version: 6.2.2+dfsg-6 - comments: | - Build path is embedded in QT_SOURCE_TREE present in - cmake/QtBuildInternalsExtra.cmake.in source, and the resulting - QtBuildInternalsExtra.cmake shipped in the package. qt6-charts: version: 6.2.2-2 comments: | @@ -34634,10 +34569,6 @@ witty: version: 3.3.3+dfsg-4.1 issues: - captures_build_path -wlcs: - version: 1.1.0+dfsg-1 - comments: | - Uses -ffile-prefix-map= but still encodes the absolute build dir to some source files. wmcalc: version: 0.6-1 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/f759391a22dd78873a9c6ca7cc622cc875b442c8 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/f759391a22dd78873a9c6ca7cc622cc875b442c8 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 23 08:53:02 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 23 Nov 2023 08:53:02 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-11 += britney option enabled to look at tests.reproducible-builds.org... Message-ID: <655f12ee7c91a_5e76c009d3c7183863@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: 586c1f89 by Chris Lamb at 2023-11-23T08:52:42+00:00 2023-11 += britney option enabled to look at tests.reproducible-builds.org <https://lists.debian.org/debian-devel-announce/2023/11/msg00003.html> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -32,3 +32,5 @@ FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for a * [`rdflib`](https://github.com/RDFLib/rdflib/issues/2645) (random) * [`whatsie`](https://github.com/keshavbhatt/whatsie/pull/146) (date) + +* [britney option enabled to look at tests.reproducible-builds.org](https://lists.debian.org/debian-devel-announce/2023/11/msg00003.html) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/586c1f89dc9b8d124ead43af43c384dbe8efde6e -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/586c1f89dc9b8d124ead43af43c384dbe8efde6e You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 23 08:53:29 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 23 Nov 2023 08:53:29 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] Merge these for now. Message-ID: <655f13091ddbe_5e76c01e41c71840e6@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: ea453d9d by Chris Lamb at 2023-11-23T08:53:09+00:00 Merge these for now. - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -10,7 +10,7 @@ FIXME: Simon Quigley fixed https://bugs.launchpad.net/launchpad/+bug/1686242 so Vagrant Cascadian presented [*Beyond Trusting FOSS*](https://osem.seagl.org/conferences/seagl2023/program/proposals/939) at [SeaGL](https://seagl.org/). The [slides for his talk](https://salsa.debian.org/reproducible-builds/reproducible-presentations/-/tree/master/2023-11-04-SeaGL-Beyond-Trusting-FOSS) can be build reproducibly, resulting in in cfde2f8a0b7e6ec9b85377eeac0661d728b70f34 as sha1sum for the PDF when build on Debian bookworm and in c21fab273232c550ce822c4b0d9988e6c49aa2c3 when build on Debian sid as of today. -FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. +FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for amd64/arm64/i386/armhf in the migration software, which means that data from https://tests.reproducible-builds.org/debian is collected but causes neither migration bonuses nor blocks migration yet. The information only results are visible on https://release.debian.org/britney/update_excuses.html as well as on individual packages pages on https://tracker.debian.org. ([Developer news entry](https://lists.debian.org/debian-devel-announce/2023/11/msg00003.html)) * FIXME: Bernhard M. Wiedemann reports that [he considers to create a general-purpose Linux distribution, that consists of 100% bit-reproducible packages (minus the rpm signature). It shall be based on openSUSE Tumbleweed or its Slowroll-variant.](https://en.opensuse.org/openSUSE:Reproducible_openSUSE) in 2024 @@ -33,4 +33,3 @@ FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for a * [`whatsie`](https://github.com/keshavbhatt/whatsie/pull/146) (date) -* [britney option enabled to look at tests.reproducible-builds.org](https://lists.debian.org/debian-devel-announce/2023/11/msg00003.html) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ea453d9ddef7c0a0c5531dacb36f2ed72ee989b1 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ea453d9ddef7c0a0c5531dacb36f2ed72ee989b1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 23 10:50:48 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 23 Nov 2023 10:50:48 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] 3 commits: Add patch for openmrac-data Message-ID: <655f2e88d8b1a_5e76c01e41c71988c9@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: 229906bb by Chris Lamb at 2023-11-23T10:48:35+00:00 Add patch for openmrac-data - - - - - f4e5eab3 by Chris Lamb at 2023-11-23T10:48:38+00:00 Add patch for maildir-utils - - - - - ba868a33 by Chris Lamb at 2023-11-23T10:48:40+00:00 Add patch for pelican - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -15857,6 +15857,10 @@ mahimahi: - paths_vary_due_to_usrmerge bugs: - 977684 +maildir-utils: + version: 1.10.8-1 + bugs: + - 1056572 maildirsync: version: 1.2-1.1 issues: @@ -19632,6 +19636,10 @@ openmpi: - records_build_flags bugs: - 904626 +openmrac-data: + version: 1.1-2 + bugs: + - 1056573 openms: version: 2.0.0-4 comments: | @@ -20433,6 +20441,10 @@ pekwm: version: 0.1.17-3 bugs: - 915845 +pelican: + version: 4.9.1+dfsg-1 + bugs: + - 1056571 pente: version: 2.2.5-8 comments: | View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/f759391a22dd78873a9c6ca7cc622cc875b442c8...ba868a3323a637352c0b1b3ca6c35670d3f4e8b0 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/f759391a22dd78873a9c6ca7cc622cc875b442c8...ba868a3323a637352c0b1b3ca6c35670d3f4e8b0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 23 12:29:10 2023 From: gitlab at salsa.debian.org (Bernhard M. Wiedemann (@bmwiedemann-guest)) Date: Thu, 23 Nov 2023 12:29:10 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023-11: +1 patch Message-ID: <655f4596e6048_5e76c009d3c7231957@godard.mail> Bernhard M. Wiedemann pushed to branch master at Reproducible Builds / reproducible-website Commits: eaec87e6 by Bernhard M. Wiedemann at 2023-11-23T13:28:45+01:00 2023-11: +1 patch - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -31,5 +31,7 @@ FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for a * [`ipxe`](https://github.com/ipxe/ipxe/pull/1082) (random) * [`rdflib`](https://github.com/RDFLib/rdflib/issues/2645) (random) * [`whatsie`](https://github.com/keshavbhatt/whatsie/pull/146) (date) +* Cathy Hu: + * [selinux-policy/policycoreutils](https://github.com/SELinuxProject/selinux/commit/84e0884260c550ef840de6d09573444d93fb209a) (toolchain, sort) View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/eaec87e639598e024ad859e7df0cef545ecf9177 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/eaec87e639598e024ad859e7df0cef545ecf9177 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 24 00:01:40 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Fri, 24 Nov 2023 00:01:40 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] --fix-deterministic Message-ID: <655fe7e46dd93_5e76f810b2c7416285@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: 40ed1c4f by automatic commit from Mattia Rizzolo at 2023-11-24T00:01:26+00:00 --fix-deterministic - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -1119,8 +1119,6 @@ auctex: comments: | Contains timestamp in README.Debian. issues: - - timestamps_in_emacs_autoloads - - timestamps_in_pdf_generated_by_latex - random_id_in_pdf_generated_by_dblatex bugs: - 990300 @@ -19419,7 +19417,6 @@ opencascade: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON. issues: - records_build_flags - - captures_build_path - build_path_identifiers_in_documentation_generated_by_doxygen - cmake_rpath_contains_build_path opencc: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/40ed1c4f58f7f4fbcec7b5dde4cd150c4725df1d -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/40ed1c4f58f7f4fbcec7b5dde4cd150c4725df1d You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 24 11:19:16 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 24 Nov 2023 11:19:16 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] /docs/source-date-epoch/: Improve the CMake documentation Message-ID: <656086b4ab590_5e76f82e34874945dc@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website Commits: ee0d0e19 by Chris Lamb at 2023-11-24T11:18:51+00:00 /docs/source-date-epoch/: Improve the CMake documentation - - - - - 1 changed file: - _docs/source-date-epoch.md Changes: ===================================== _docs/source-date-epoch.md ===================================== @@ -159,9 +159,9 @@ The above will work with either GNU or BSD date, and fallback to ignore `SOURCE_ STRING(TIMESTAMP BUILD_DATE "%Y-%m-%d" UTC) ``` -... works with CMake versions 2.8.11 and higher, but it only respects -`SOURCE_DATE_EPOCH` since version 3.8.0. If you do not have a modern CMake but -need reproducibility you can use the less-preferred variant: +... will compile with CMake versions 2.8.11 and higher ([released May 2013](https://cmake.org/pipermail/cmake/2013-May/054792.html)), but it only respects `SOURCE_DATE_EPOCH` since version 3.8.0 ([April 2017](https://cmake.org/pipermail/cmake-developers/2017-April/029946.html)). Note that the final argument `UTC` is required or the timestamp may vary between timezones. + +If you would like to support legacy/archival versions of CMake, you can use this less-preferred variant: ``` if (DEFINED ENV{SOURCE_DATE_EPOCH}) @@ -177,8 +177,7 @@ else () endif () ``` -The above will work only with GNU `date`. See the POSIX shell example on how to -support BSD date. +Note that the above will work only with GNU `date`; see the POSIX shell example on how to support BSD date. ### Meson View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ee0d0e19993a3ba6b894a1eda540553e25b822ac -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/ee0d0e19993a3ba6b894a1eda540553e25b822ac You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Fri Nov 24 11:36:25 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Fri, 24 Nov 2023 11:36:25 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Add patch for vectorscan Message-ID: <65608ab937fd0_5e76f810b2c74982eb@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / reproducible-notes Commits: a23af7c2 by Chris Lamb at 2023-11-24T11:27:53+00:00 Add patch for vectorscan - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -34063,6 +34063,10 @@ vecmath: version: 1.5.2-5 issues: - random_order_in_documentation_generated_by_javadoc +vectorscan: + version: 5.4.11-1 + bugs: + - 1056649 velocity: version: 1.7-5 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/a23af7c2a3e1cc589abd412c8250cf0f1e648c84 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/a23af7c2a3e1cc589abd412c8250cf0f1e648c84 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sat Nov 25 00:02:07 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Sat, 25 Nov 2023 00:02:07 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] --fix-deterministic Message-ID: <6561397fd1cfc_5e7594c0b7c76648e4@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: ba32085b by automatic commit from Mattia Rizzolo at 2023-11-25T00:01:56+00:00 --fix-deterministic - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -1110,10 +1110,6 @@ ats2-lang: version: 0.2.9-1 comments: | I think this buildpath is in utils/atscc dynload method? -attica-kf5: - version: 5.78.0-2 - issues: - - timestamps_in_qhc auctex: version: 11.87-3+deb8u1 comments: | @@ -1268,10 +1264,6 @@ awesome: version: 4.2-5 issues: - randomness_in_documentation_generated_by_lua_ldoc -aws-crt-python: - version: 0.16.8+dfsg-1 - issues: - - captures_build_path aws-nuke: version: 2.16.0-1 issues: @@ -4692,7 +4684,6 @@ dune-istl: dune-localfunctions: version: 2.4.0-1 issues: - - timestamps_in_tex_documents - fonts_in_pdf_files dune-pdelab: version: 2.4.1-1 @@ -12436,7 +12427,6 @@ lablgtk2: lablgtk3: version: 3.0~beta6-1 issues: - - captures_build_path_in_beam_cma_cmt_files - ocaml_captures_build_path lablie: version: 0.6.0-1 @@ -17731,10 +17721,6 @@ ngspice: version: 30.2-1 comments: | Looks like lyx uses the absolute build path... -ngtcp2: - version: 0~20210905-1 - issues: - - captures_build_path nickle: version: '2.91' issues: @@ -18527,7 +18513,6 @@ ocaml-ca-certs: ocaml-cairo2: version: 0.6.1+dfsg-2 issues: - - captures_build_path_in_beam_cma_cmt_files - ocaml_captures_build_path ocaml-charinfo-width: version: 1.1.0-1 @@ -23798,10 +23783,6 @@ qt6-wayland: version: 6.2.2-3 issues: - timestamps_in_source_generated_by_rcc -qt6-webchannel: - version: 6.2.2-3 - issues: - - timestamps_in_source_generated_by_rcc qt6-webview: version: 6.2.2-3 comments: | @@ -31749,10 +31730,6 @@ sopt: version: 2.0.0-1 issues: - captures_build_path_via_assert -sopwith: - version: 2.1.0-1 - issues: - - captures_build_path soqt: version: 1.6.0~e8310f-3 issues: @@ -34499,8 +34476,6 @@ whitedune: comments: | Multiple forms of build path captured, both the full path and just the SOURCE_ROOT_DIR basename; bug filed for the latter. - issues: - - captures_build_path bugs: - 863206 why3: @@ -35364,8 +35339,6 @@ xxgdb: - gcc_captures_build_path xxkb: version: 1.11.1-1 - issues: - - captures_build_path bugs: - 1021509 xxsds-dynamic: @@ -35708,7 +35681,6 @@ zulucrypt: rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON issues: - build_id_differences_only - - timestamps_in_source_generated_by_rcc - cmake_rpath_contains_build_path zvbi: version: 0.2.35-13 View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/ba32085b6e7cc43aa3c8141bd8317dc99f349bd5 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/ba32085b6e7cc43aa3c8141bd8317dc99f349bd5 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Sun Nov 26 00:01:37 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Sun, 26 Nov 2023 00:01:37 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] 2 commits: Remove archived bugs Message-ID: <65628ae18697f_5e7594c0b7c78479b1@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: 417f05a5 by automatic commit from Mattia Rizzolo at 2023-11-26T00:01:00+00:00 Remove archived bugs - - - - - 94f3fc9b by automatic commit from Mattia Rizzolo at 2023-11-26T00:01:27+00:00 --fix-deterministic - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -163,7 +163,6 @@ activemq-protobuf: actor-framework: version: 0.13.2-3 issues: - - timestamps_in_pdf_generated_by_latex - absolute_build_dir_in_docs_generated_by_doxygen_ref adabrowse: version: 4.0.3-10 @@ -4304,10 +4303,6 @@ dist: version: 1:3.5-236-0.1 bugs: - 915910 -distro-info: - version: '1.5' - bugs: - - 1034422 dita-ot: version: 1.5.3+dfsg-1 comments: | @@ -10373,7 +10368,6 @@ iraf: tries to fix this, but does not seem effective. Possible unsorted *.c files in Makefile. issues: - - captures_build_path - build_path_in_mip_files_generated_by_irafcl ircii: version: 20151120-1 @@ -15404,7 +15398,6 @@ lomiri: https://sources.debian.org/src/lomiri/0.1.2-3/include/paths.h.in/#L50-L58 issues: - build_dir_in_documentation_generated_by_doxygen - - captures_build_path_via_cmake_variables lomiri-action-api: version: 1.1.2-3 comments: | View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/ba32085b6e7cc43aa3c8141bd8317dc99f349bd5...94f3fc9b06723e8465abdaaa6677d6641b4dd427 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/compare/ba32085b6e7cc43aa3c8141bd8317dc99f349bd5...94f3fc9b06723e8465abdaaa6677d6641b4dd427 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Nov 27 00:01:52 2023 From: gitlab at salsa.debian.org (Mattia Rizzolo (@mattia)) Date: Mon, 27 Nov 2023 00:01:52 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] Remove archived bugs Message-ID: <6563dc7069e3e_5e771480e8880095c4@godard.mail> Mattia Rizzolo pushed to branch master at Reproducible Builds / reproducible-notes Commits: 4f5f7664 by automatic commit from Mattia Rizzolo at 2023-11-27T00:01:01+00:00 Remove archived bugs - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -10131,8 +10131,6 @@ imagemagick: issues: - records_build_flags - paths_vary_due_to_usrmerge - bugs: - - 983303 imagination: version: 3.6-1 issues: @@ -12868,8 +12866,6 @@ libapache2-mod-python: issues: - gcc_captures_build_path - apxs_captures_build_path - bugs: - - 1020815 libapache2-mod-ruid2: version: 0.9.8-3 issues: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/4f5f76648278363442c23951c92748ea56203b55 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/4f5f76648278363442c23951c92748ea56203b55 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Nov 29 15:15:52 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Wed, 29 Nov 2023 15:15:52 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: += https://rebuilder-snapshot.debian.net Message-ID: <656755a8aafd7_5e7594c0b7c86287f8@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 95f33cf5 by Holger Levsen at 2023-11-29T16:14:08+01:00 2023 11: += https://rebuilder-snapshot.debian.net Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -34,4 +34,4 @@ FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for a * Cathy Hu: * [selinux-policy/policycoreutils](https://github.com/SELinuxProject/selinux/commit/84e0884260c550ef840de6d09573444d93fb209a) (toolchain, sort) - +* FIXME by Holger: announce https://rebuilder-snapshot.debian.net properly here and on list. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/95f33cf5f0e0f1e08328f1e2ca91c03ee94683b3 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/95f33cf5f0e0f1e08328f1e2ca91c03ee94683b3 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 30 12:57:03 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 30 Nov 2023 12:57:03 +0000 Subject: [Git][reproducible-builds/diffoscope][master] Improve DOS/MBR extraction by adding support for 7z. (Closes: reproducible-builds/diffoscope#333) Message-ID: <6568869f651d7_5e76f810b2c9016428@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope Commits: 59b86c1f by Chris Lamb at 2023-11-30T12:55:34+00:00 Improve DOS/MBR extraction by adding support for 7z. (Closes: reproducible-builds/diffoscope#333) - - - - - 5 changed files: - debian/tests/control - + diffoscope/comparators/7z.py - diffoscope/comparators/__init__.py - diffoscope/external_tools.py - + tests/comparators/test_7z.py Changes: ===================================== debian/tests/control ===================================== @@ -7,7 +7,7 @@ # $ mv debian/tests/control.tmp debian/tests/control Tests: pytest-with-recommends -Depends: python3-all, diffoscope, black, python3-pytest, python3-h5py, file, linux-image-amd64 [amd64] | linux-image-generic [amd64], aapt [amd64 arm64 armel armhf i386 mips64el mipsel], abootimg, acl, apksigcopier, apksigner, apktool [!ppc64el !s390x], binutils-multiarch, bzip2, caca-utils, colord, coreboot-utils, db-util, default-jdk-headless | default-jdk | java-sdk, device-tree-compiler, dexdump [amd64 arm64 armhf i386], docx2txt, e2fsprogs, enjarify, ffmpeg, fontforge-extras, fonttools, fp-utils [!ppc64el !s390x], genisoimage, gettext, ghc, ghostscript, giflib-tools, gnumeric, gnupg, gnupg-utils, hdf5-tools, html2text, imagemagick, jsbeautifier, libarchive-tools, libxmlb-utils, llvm, lz4 | liblz4-tool, lzip, mono-utils, ocaml-nox, odt2txt, oggvideotools [!s390x], openssh-client, openssl, pgpdump, poppler-utils, procyon-decompiler, python3-pdfminer, r-base-core, rpm2cpio, sng, sqlite3, squashfs-tools, tcpdump, u-boot-tools, unzip, wabt, xmlbeans, xxd, xz-utils, zip, zstd, androguard, python3-argcomplete, python3-binwalk, python3-defusedxml, python3-distro, python3-guestfs, python3-jsondiff, python3-progressbar, python3-pypdf, python3-debian, python3-pyxattr, python3-rpm, python3-tlsh +Depends: python3-all, diffoscope, black, python3-pytest, python3-h5py, file, linux-image-amd64 [amd64] | linux-image-generic [amd64], aapt [amd64 arm64 armel armhf i386 mips64el mipsel], abootimg, acl, apksigcopier, apksigner, apktool [!ppc64el !s390x], binutils-multiarch, bzip2, caca-utils, colord, coreboot-utils, db-util, default-jdk-headless | default-jdk | java-sdk, device-tree-compiler, dexdump [amd64 arm64 armhf i386], docx2txt, e2fsprogs, enjarify, ffmpeg, fontforge-extras, fonttools, fp-utils [!ppc64el !s390x], genisoimage, gettext, ghc, ghostscript, giflib-tools, gnumeric, gnupg, gnupg-utils, hdf5-tools, html2text, imagemagick, jsbeautifier, libarchive-tools, libxmlb-utils, llvm, lz4 | liblz4-tool, lzip, mono-utils, ocaml-nox, odt2txt, oggvideotools [!s390x], openssh-client, openssl, p7zip-full, pgpdump, poppler-utils, procyon-decompiler, python3-pdfminer, r-base-core, rpm2cpio, sng, sqlite3, squashfs-tools, tcpdump, u-boot-tools, unzip, wabt, xmlbeans, xxd, xz-utils, zip, zstd, androguard, python3-argcomplete, python3-binwalk, python3-defusedxml, python3-distro, python3-guestfs, python3-jsondiff, python3-progressbar, python3-pypdf, python3-debian, python3-pyxattr, python3-rpm, python3-tlsh Tests: pytest Depends: python3-all, diffoscope, python3-pytest, python3-h5py, file, python3-tlsh ===================================== diffoscope/comparators/7z.py ===================================== @@ -0,0 +1,100 @@ +# +# diffoscope: in-depth comparison of files, archives, and directories +# +# Copyright ? 2023 Chris Lamb +# +# diffoscope is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# diffoscope is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with diffoscope. If not, see . + +import os +import re +import logging +import subprocess + +from diffoscope.tools import tool_required +from diffoscope.tempfiles import get_temporary_directory +from diffoscope.difference import Difference + +from .utils.archive import Archive +from .utils.file import File +from .utils.command import Command, our_check_output + +logger = logging.getLogger(__name__) + + +class SevenZList(Command): + @tool_required("7z") + def cmdline(self): + return ( + "7z", + "l", + self.path, + ) + + def filter(self, line): + val = line.decode("utf-8") + if val.startswith("Listing archive: ") or val.startswith("Path = "): + return b"" + return line + + +class SevenZContainer(Archive): + @tool_required("7z") + def open_archive(self): + self._temp_dir = get_temporary_directory(suffix="7z") + + try: + our_check_output( + ("7z", "e", os.path.abspath(self.source.path)), + cwd=self._temp_dir.name, + stderr=subprocess.DEVNULL, + ) + except subprocess.CalledProcessError: + return False + + return self + + def close_archive(self): + self._temp_dir.cleanup() + + def get_member_names(self): + return os.listdir(self._temp_dir.name) + + def extract(self, member_name, dest_dir): + return os.path.join(self._temp_dir.name, member_name) + + +class SevenZFile(File): + DESCRIPTION = "Filesystem image" + FILE_TYPE_RE = re.compile(r"^DOS/MBR boot sector;") + CONTAINER_CLASSES = [SevenZContainer] + + def compare_details(self, other, source=None): + return [ + Difference.from_operation( + SevenZList, self.path, other.path, source="7z l" + ) + ] + + @classmethod + def recognizes(cls, file): + if not super().recognizes(file): + return False + + try: + cmd = SevenZList(file.path) + cmd.start() + except RequiredToolNotFound: + return False + + return b"Type = gzip\n" not in cmd.output ===================================== diffoscope/comparators/__init__.py ===================================== @@ -75,6 +75,7 @@ class ComparatorManager: ("ffprobe.FfprobeFile",), ("gnumeric.GnumericFile",), ("gzip.GzipFile",), + ("7z.SevenZFile",), ("haskell.HiFile",), ("icc.IccFile",), ("iso9660.Iso9660File",), ===================================== diffoscope/external_tools.py ===================================== @@ -23,6 +23,7 @@ that might resolve to, for example, `/usr/bin/abootimg`. """ EXTERNAL_TOOLS = { + "7z": {"debian": "p7zip-full"}, "aapt2": {"debian": "aapt"}, "abootimg": {"debian": "abootimg", "guix": "abootimg"}, "androguard": {"debian": "androguard"}, ===================================== tests/comparators/test_7z.py ===================================== @@ -0,0 +1,74 @@ +# +# diffoscope: in-depth comparison of files, archives, and directories +# +# Copyright ? 2023 Chris Lamb +# +# diffoscope is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# diffoscope is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with diffoscope. If not, see . + +import shutil +import pytest + +from diffoscope.comparators.lz4 import Lz4File +from diffoscope.comparators.binary import FilesystemFile +from diffoscope.comparators.utils.specialize import specialize + +from ..utils.data import load_fixture, assert_diff +from ..utils.tools import skip_unless_tools_exist +from ..utils.nonexisting import assert_non_existing + +lz4a = load_fixture("test1.lz4") +lz4b = load_fixture("test2.lz4") + + +def test_identification(lz4a): + assert isinstance(lz4a, Lz4File) + + +def test_no_differences(lz4a): + difference = lz4a.compare(lz4a) + assert difference is None + + + at pytest.fixture +def differences(lz4a, lz4b): + return lz4a.compare(lz4b).details + + + at skip_unless_tools_exist("lz4") +def test_content_source(differences): + assert differences[0].source1 == "test1" + assert differences[0].source2 == "test2" + + + at skip_unless_tools_exist("lz4") +def test_content_source_without_extension(tmpdir, lz4a, lz4b): + path1 = str(tmpdir.join("test1")) + path2 = str(tmpdir.join("test2")) + shutil.copy(lz4a.path, path1) + shutil.copy(lz4b.path, path2) + lz4a = specialize(FilesystemFile(path1)) + lz4b = specialize(FilesystemFile(path2)) + difference = lz4a.compare(lz4b).details + assert difference[0].source1 == "test1-content" + assert difference[0].source2 == "test2-content" + + + at skip_unless_tools_exist("lz4") +def test_content_diff(differences): + assert_diff(differences[0], "text_ascii_expected_diff") + + + at skip_unless_tools_exist("lz4") +def test_compare_non_existing(monkeypatch, lz4a): + assert_non_existing(monkeypatch, lz4a) View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/59b86c1faea491aba3319d8358ffed94b52edf6b -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/59b86c1faea491aba3319d8358ffed94b52edf6b You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 30 13:16:40 2023 From: gitlab at salsa.debian.org (Chris Lamb (@lamby)) Date: Thu, 30 Nov 2023 13:16:40 +0000 Subject: [Git][reproducible-builds/diffoscope][master] Add missing RequiredToolNotFound import. Message-ID: <65688b3837e5e_5e771480e8890216e0@godard.mail> Chris Lamb pushed to branch master at Reproducible Builds / diffoscope Commits: 64ed5f38 by Chris Lamb at 2023-11-30T13:16:18+00:00 Add missing RequiredToolNotFound import. - - - - - 1 changed file: - diffoscope/comparators/7z.py Changes: ===================================== diffoscope/comparators/7z.py ===================================== @@ -21,6 +21,7 @@ import re import logging import subprocess +from diffoscope.exc import RequiredToolNotFound from diffoscope.tools import tool_required from diffoscope.tempfiles import get_temporary_directory from diffoscope.difference import Difference View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/64ed5f38db0ce0850ad9aabe7213b8b9cd78d679 -- View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/64ed5f38db0ce0850ad9aabe7213b8b9cd78d679 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 30 18:32:48 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 30 Nov 2023 18:32:48 +0000 Subject: [Git][reproducible-builds/reproducible-website][master] 2023 11: += bookworm added to rebuilder-snapshot.d.n Message-ID: <6568d55071626_5e76f82e34891091cb@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-website Commits: 5a70e94e by Holger Levsen at 2023-11-30T19:32:37+01:00 2023 11: += bookworm added to rebuilder-snapshot.d.n Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - _reports/2023-11.md Changes: ===================================== _reports/2023-11.md ===================================== @@ -34,4 +34,4 @@ FIXME: Paul Gevers has enabled a no-penalty-no-gain reproducibility option for a * Cathy Hu: * [selinux-policy/policycoreutils](https://github.com/SELinuxProject/selinux/commit/84e0884260c550ef840de6d09573444d93fb209a) (toolchain, sort) -* FIXME by Holger: announce https://rebuilder-snapshot.debian.net properly here and on list. +* FIXME by Holger: announce https://rebuilder-snapshot.debian.net properly here and on list. On 2023-11-30 all build depends for everything on amd64,arm64, armhf, i386 currently in trixie, unstable and experimental was available and bookworm was added. View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5a70e94e29c2d9920232b9d65b19d7597491826f -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5a70e94e29c2d9920232b9d65b19d7597491826f You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Thu Nov 30 19:05:29 2023 From: gitlab at salsa.debian.org (Holger Levsen (@holger)) Date: Thu, 30 Nov 2023 19:05:29 +0000 Subject: [Git][reproducible-builds/reproducible-notes][master] document some blacklisting Message-ID: <6568dcf970f67_5e76f810b2c91176d8@godard.mail> Holger Levsen pushed to branch master at Reproducible Builds / reproducible-notes Commits: 9d6a23c6 by Holger Levsen at 2023-11-30T20:05:15+01:00 document some blacklisting Signed-off-by: Holger Levsen <holger at layer-acht.org> - - - - - 1 changed file: - packages.yml Changes: ===================================== packages.yml ===================================== @@ -1,3 +1,9 @@ +netopeer2: + version: 2.0.35-1 + issues: + - blacklisted_on_jenkins + comments: | + Test processes continue to stay alive on the host. 0ad: version: 0.0.20-2 issues: @@ -20148,6 +20154,7 @@ paperwork: version: 2.0.2-2 issues: - png_generated_by_plantuml_captures_kernel_version_and_builddate + - blacklisted_on_jenkins_armhf_only paps: version: 0.6.8-7 issues: @@ -23982,6 +23989,8 @@ qtwebkit-opensource-src: version: 5.212.0~alpha4-14 comments: | rpath issue fixed by -DCMAKE_BUILD_RPATH_USE_ORIGIN=ON + + blacklisted on i386 because diffoscope chocked on it. issues: - cmake_rpath_contains_build_path qtwebsockets-opensource-src: View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/9d6a23c6711b9d4183b675c3f747e3244514b4ff -- View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-notes/-/commit/9d6a23c6711b9d4183b675c3f747e3244514b4ff You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: