<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Jelle van der Waa pushed to branch master
at <a href="https://salsa.debian.org/reproducible-builds/reproducible-website">Reproducible Builds / reproducible-website</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e8d866af3e6f52583ced0f64b6a8a42f731cd8aa">e8d866af</a></strong>
<div>
<span>by Jelle van der Waa</span>
<i>at 2019-09-04T11:21:14Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">2019-08: Use new instead of fresh
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0289ab43edff31d56c3d069d65c1992c10160465">0289ab43</a></strong>
<div>
<span>by Jelle van der Waa</span>
<i>at 2019-09-04T11:22:33Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">2019-08: 2019 not 2009
</pre>
</li>
</ul>
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#334fe06b3e3b54f4637d878fe3f78630c377893e">
_reports/2019-08.md
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="334fe06b3e3b54f4637d878fe3f78630c377893e">
<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/compare/27e62dd69b93c3e117deecae7cf749cf5405c9fe...0289ab43edff31d56c3d069d65c1992c10160465#334fe06b3e3b54f4637d878fe3f78630c377893e"><strong>_reports/2019-08.md</strong></a>
<hr>
<table class="code white" style="font-family: monospace; font-size: 90%;" bgcolor="#fff" width="100%" cellpadding="0" cellspacing="0">
<tr class="line_holder match" id="" style="line-height: 1.6;">
<td class="diff-line-num unfold js-unfold old_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">...</td>
<td class="diff-line-num unfold js-unfold new_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">...</td>
<td class="line_content match " style="padding-left: 0.5em; padding-right: 0.5em; color: rgba(0,0,0,0.3);" bgcolor="#fafafa">@@ -34,13 +34,13 @@ If you are interested in contributing to our project, please visit our [*Contrib</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
34
</td>
<td class="diff-line-num new_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
34
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC34" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
35
</td>
<td class="diff-line-num new_line" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
35
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC35" class="line" lang="markdown">A backdoor was found in <span class="p">[</span><span class="nv" style="color: #008080;">Webmin</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/exploit.html</span><span class="p">)</span>, the web-based application used by sysadmins to remotely manage Unix-based systems. Whilst more details can be found on <span class="p">[</span><span class="nv" style="color: #008080;">upstream's dedicated exploit page</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/exploit.html</span><span class="p">)</span> it appears that the build toolchain was compromised. Note especially that the exploit "did not show up in any Git diffs" and thus would not have been found via an audit of the source code. The backdoor would allow a remote attacker to execute arbitrary commands with superuser privileges on the machine running Webmin. Once a machine is compromised, an attacker could then use it to launch attacks on other systems managed through Webmin or indeed any other connected system. Techniques such as reproducible builds can help detect exactly these kinds of attacks that can lay dormant for years. (<span class="p">[</span><span class="nv" style="color: #008080;">LWN comments</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lwn.net/Articles/796951/</span><span class="p">)</span>)</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
36
</td>
<td class="diff-line-num new_line" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
36
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC36" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder old" id="" style="line-height: 1.6;">
<td class="diff-line-num old old_line" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
37
</td>
<td class="diff-line-num new_line old" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
 
</td>
<td class="line_content old" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#fbe9eb">
<pre style="margin: 0;">-<span id="LC37" class="line" lang="markdown">In a talk titled <span class="p">[</span><span class="nv" style="color: #008080;">*There and Back Again, Reproducibly!*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://cfp.linuxdev-br.net/2019/talk/VH9CCY/</span><span class="p">)</span>, Holger Levsen and Vagrant Cascadian presented at the 20<span class="idiff left right">0</span>9 edition of the <span class="p">[</span><span class="nv" style="color: #008080;">Linux Developer Conference</span><span class="p">](</span><span class="sx" style="color: #d14;">https://linuxdev-br.net/</span><span class="p">)</span> in São Paulo, Brazil on Reproducible Builds.</span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="" style="line-height: 1.6;">
<td class="diff-line-num new old_line" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
37
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC37" class="line" lang="markdown">In a talk titled <span class="p">[</span><span class="nv" style="color: #008080;">*There and Back Again, Reproducibly!*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://cfp.linuxdev-br.net/2019/talk/VH9CCY/</span><span class="p">)</span>, Holger Levsen and Vagrant Cascadian presented at the 20<span class="idiff left right">1</span>9 edition of the <span class="p">[</span><span class="nv" style="color: #008080;">Linux Developer Conference</span><span class="p">](</span><span class="sx" style="color: #d14;">https://linuxdev-br.net/</span><span class="p">)</span> in São Paulo, Brazil on Reproducible Builds.</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
38
</td>
<td class="diff-line-num new_line" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
38
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC38" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="39" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
39
</td>
<td class="diff-line-num new_line" data-linenumber="39" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
39
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC39" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">LWN</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lwn.net</span><span class="p">)</span> posted and hosted an an interesting summary and discussion on <span class="p">[</span><span class="nv" style="color: #008080;">*Hardening the `file` utility for Debian*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lwn.net/Articles/796108</span><span class="p">)</span>. In July, Chris Lamb had cross-posted his reply to the "<span class="p">[</span><span class="nv" style="color: #008080;">Re: file(1) now with seccomp support enabled</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lists.reproducible-builds.org/pipermail/rb-general/2019-July/001612.html</span><span class="p">)</span> thread that was <span class="p">[</span><span class="nv" style="color: #008080;">originally started on the `debian-devel`</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lists.debian.org/debian-devel/2019/07/msg00391.html</span><span class="p">)</span> mailing list - in this post, Chris refers to our <span class="sb" style="color: #d14;">`strip-nondeterminism`</span> tool not being able to accommodate the additional security hardening in <span class="p">[</span><span class="nv" style="color: #008080;">`file(1)`</span><span class="p">](</span><span class="sx" style="color: #d14;">http://darwinsys.com/file/</span><span class="p">)</span> and the changes made to the tool in order to do fix this issue which was causing a huge number of regressions in <span class="p">[</span><span class="nv" style="color: #008080;">our testing framework</span><span class="p">](</span><span class="sx" style="color: #d14;">http://tests.reproducible-builds.org/</span><span class="p">)</span>.</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="40" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
40
</td>
<td class="diff-line-num new_line" data-linenumber="40" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
40
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC40" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="41" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
41
</td>
<td class="diff-line-num new_line" data-linenumber="41" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
41
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC41" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">](https://events.ccc.de/camp/2019/)</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="42" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
42
</td>
<td class="diff-line-num new_line" data-linenumber="42" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
42
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC42" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder old" id="" style="line-height: 1.6;">
<td class="diff-line-num old old_line" data-linenumber="43" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
43
</td>
<td class="diff-line-num new_line old" data-linenumber="43" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
 
</td>
<td class="line_content old" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#fbe9eb">
<pre style="margin: 0;">-<span id="LC43" class="line" lang="markdown">The Chaos Communication Camp — an international, five-day open-air event for hackers that provides a relaxed atmosphere for free exchange of technical, social, and political ideas — <span class="p">[</span><span class="nv" style="color: #008080;">hosted its 2019 edition</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/</span><span class="p">)</span> where there were many discussions and meet-ups at least partly related to Reproducible Builds. This including the titular <span class="p">[</span><span class="nv" style="color: #008080;">Reproducible Builds Meetup</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/wiki/Session:Reproducible_Builds_Meetup</span><span class="p">)</span> session which was attended by around twenty-five people where half of them were <span class="idiff left right">fresh</span> to the project as well as <span class="p">[</span><span class="nv" style="color: #008080;">a session dedicated to all ArchLinux related issues</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/wiki/Session:Arch_Linux_Meetup</span><span class="p">)</span>.</span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="" style="line-height: 1.6;">
<td class="diff-line-num new old_line" data-linenumber="44" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="43" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
43
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC43" class="line" lang="markdown">The Chaos Communication Camp — an international, five-day open-air event for hackers that provides a relaxed atmosphere for free exchange of technical, social, and political ideas — <span class="p">[</span><span class="nv" style="color: #008080;">hosted its 2019 edition</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/</span><span class="p">)</span> where there were many discussions and meet-ups at least partly related to Reproducible Builds. This including the titular <span class="p">[</span><span class="nv" style="color: #008080;">Reproducible Builds Meetup</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/wiki/Session:Reproducible_Builds_Meetup</span><span class="p">)</span> session which was attended by around twenty-five people where half of them were <span class="idiff left right">new</span> to the project as well as <span class="p">[</span><span class="nv" style="color: #008080;">a session dedicated to all ArchLinux related issues</span><span class="p">](</span><span class="sx" style="color: #d14;">https://events.ccc.de/camp/2019/wiki/Session:Arch_Linux_Meetup</span><span class="p">)</span>.</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="44" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
44
</td>
<td class="diff-line-num new_line" data-linenumber="44" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
44
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC44" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="45" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
45
</td>
<td class="diff-line-num new_line" data-linenumber="45" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
45
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC45" class="line" lang="markdown"><span class="p">---</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="46" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
46
</td>
<td class="diff-line-num new_line" data-linenumber="46" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
46
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC46" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
</table>
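Review bot: new line 43 still reads "This including the titular", which is ungrammatical; since the line is already being edited for "fresh" to "new", change it to "This included the titular" in the same commit. The unchanged context at line 39 has similar slips worth a follow-up: "an an interesting summary", "in order to do fix this issue", and a double quote opened before "[Re: file(1) now with seccomp support enabled]" that is never closed. In line 35, the "Webmin" link and the "upstream's dedicated exploit page" link both point to http://www.webmin.com/exploit.html, so one of them is redundant.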
<br>
</li>
</div>
</body>
</html>