[Git][reproducible-builds/reproducible-website][master] More minor changes.

Chris Lamb gitlab at salsa.debian.org
Mon Aug 5 10:31:41 UTC 2019



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
dd7eae98 by Chris Lamb at 2019-08-05T10:31:23Z
More minor changes.

- - - - -


2 changed files:

- _reports/2019-07.md
- images/reports/2019-07/debian.png


Changes:

=====================================
_reports/2019-07.md
=====================================
@@ -16,7 +16,7 @@ The motivation behind the reproducible builds effort is to ensure no flaws have
 
 In July's report, we cover:
 
-* **Headlines** — *Media coverage, upstream news, etc.*
+* **Front page** — *Media coverage, upstream news, etc.*
 * **Distribution work** — *Shenanigans at DebConf19*
 * **Software development** — *Software transparency, yet more diffoscope work, etc.*
 * **On our mailing list** — *GNU tools, education and buildinfo files*
@@ -26,45 +26,47 @@ If you are interested in contributing to our project, we enthusiastically invite
 
 ---
 
-## Headlines
+## Front page
 
 [![]({{ "/images/reports/2019-07/fdroid.png#right" | prepend: site.baseurl }})](https://f-droid.org/)
 
-Nico Alt wrote a detailed and well-researched article on his blog titled "[*Trust is good, control is better*](https://nico.dorfbrunnen.eu/posts/2019/reproducibility-fdroid/)" which discusses Reproducible builds in [F-Droid](https://f-droid.org/), alternative application repository for Android mobile phones. In contrast to the bigger commercial app stores F-Droid only offers apps that are free and open source software. The post uses the output of [diffoscope](https://diffoscope.org) and talks more generally about how reproducible builds prevents single developers or other important centralised infrastructure becoming rich targets for toolchain-based attacks.
+Nico Alt wrote a detailed and well-researched article titled "[*Trust is good, control is better*](https://nico.dorfbrunnen.eu/posts/2019/reproducibility-fdroid/)" which discusses Reproducible builds in [F-Droid](https://f-droid.org/) the alternative application repository for Android mobile phones. In contrast to the bigger commercial app stores F-Droid only offers apps that are free and open source software. The post not only demonstrates using [diffoscope](https://diffoscope.org) but talks more generally about how reproducible builds can prevent single developers or other important centralised infrastructure becoming targets for toolchain-based attacks.
 
-Later in the month, F-Droid's aforementioned reproducibility status was mentioned on [episode 68](https://latenightlinux.com/late-night-linux-episode-68/) of the [Late Night Linux podcast](https://latenightlinux.com/) from approximately. ([direct link](https://pca.st/D630#t=849) to 14:12)
+Later in the month, F-Droid's aforementioned reproducibility status was mentioned on [episode 68](https://latenightlinux.com/late-night-linux-episode-68/) of the [Late Night Linux podcast](https://latenightlinux.com/). ([direct link](https://pca.st/D630#t=849) to 14:12)
 
 [![]({{ "/images/reports/2019-07/thesis.png#right" | prepend: site.baseurl }})](http://bora.uib.no/handle/1956/20411)
 
-Morten ("*Foxboron*") Linderud published his academic thesis "[*Reproducible Builds: break a log, good things come in trees*](http://bora.uib.no/handle/1956/20411)" which investigates and describes how transparency log overlays can provide additional security guarantees for "rebuilders" producing software packages. The thesis was part of Morten's studies at the [University of Bergen](https://www.uib.no/), Norway and is an extension of the work New York University has been doing with [package rebuilder integration in APT](https://www.youtube.com/watch?v=hbHa4OFv7Qo)
+Morten ("*Foxboron*") Linderud published his academic thesis "[*Reproducible Builds: break a log, good things come in trees*](http://bora.uib.no/handle/1956/20411)" which investigates and describes how transparency log overlays can provide additional security guarantees for computers automatically producing software packages. The thesis was part of Morten's studies at the [University of Bergen](https://www.uib.no/), Norway and is an extension of the work [New York University Tandon School of Engineering](https://engineering.nyu.edu/) has been doing with [package rebuilder integration in APT](https://www.youtube.com/watch?v=hbHa4OFv7Qo).
 
-[Mike Hommey](https://glandium.org) posted to his blog about [*Reproducing the Linux builds of Firefox 68*](https://glandium.org/blog/?p=3923) which leverages that builds shipped by Mozilla should be reproducible from this version onwards. He discusses the problems caused by the builds being optimised with [Profile-guided Optimisation](https://en.wikipedia.org/wiki/Profile-guided_optimization) (PGO) but armed with the now-published profiling data he provides [Docker](https://www.docker.com/)-based instructions how to reproduce the published builds for yourself.
+[Mike Hommey](https://glandium.org) posted to his blog about [*Reproducing the Linux builds of Firefox 68*](https://glandium.org/blog/?p=3923) which leverages that builds shipped by Mozilla should be reproducible from this version. He discusses the problems caused by the builds being optimised with [Profile-Guided Optimisation](https://en.wikipedia.org/wiki/Profile-guided_optimization) (PGO) but armed with the now-published profiling data, Mike provides [Docker](https://www.docker.com/)-based instructions how to reproduce the published builds yourself.
 
 [![]({{ "/images/reports/2019-07/rust.jpg#left" | prepend: site.baseurl }})](https://www.rust-lang.org/)
 
-Joel Galenson has been [making progress on a reproducible Rust compiler](https://github.com/jgalenson/reproducible-rustc) which includes support for a `--remap-path-prefix` related to the concepts and problems involved in the [`BUILD_PATH_PREFIX_MAP`](https://reproducible-builds.org/specs/build-path-prefix-map/) proposal.
+Joel Galenson has been making progress on [a reproducible Rust compiler](https://github.com/jgalenson/reproducible-rustc) which includes support for a `--remap-path-prefix` argument, related to the concepts and problems involved in the [`BUILD_PATH_PREFIX_MAP`](https://reproducible-builds.org/specs/build-path-prefix-map/) proposal to fix issues with build paths being embedded in binaries.
 
 Lastly, [Alessio Treglia](http://en.alessiotreglia.com/) posted to their blog about [*Cosmos Hub and Reproducible Builds*](http://en.alessiotreglia.com/articles/cosmos-hub-and-reproducible-builds/) which describes the reproducibility work happening in the [Cosmos Hub](https://hub.cosmos.network), a network of interconnected blockchains. Specifically, Alessio talks about work being done on the [Gaia](https://hub.cosmos.network/docs/what-is-gaia.html) development kit for the Hub.
 
+<br>
+
 ---
 
 ### Distribution work
 
 [![]({{ "/images/reports/2019-07/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
 
-Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-07/msg00364.html) for the [openSUSE](https://opensuse.org/) distribution. Enabling [Link Time Optimization](https://gcc.gnu.org/wiki/LinkTimeOptimization) (LTO) in this distribution's "[Tumbleweed](https://software.opensuse.org/distributions/tumbleweed)" branch caused multiple issues due to the number of cores on the build host being added to the `CFLAGS` variable. This affected, for example, [a `debuginfo/rpm` header](https://bugzilla.opensuse.org/show_bug.cgi?id=1140896) as well as resulted in [in `CFLAGS` appearing in built binaries](https://bugzilla.opensuse.org/show_bug.cgi?id=1141323) such as `fldigi`, `gmp`, `haproxy`, etc.
+Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-07/msg00364.html) for the [openSUSE](https://opensuse.org/) distribution where enabling. Enabling [Link Time Optimization](https://gcc.gnu.org/wiki/LinkTimeOptimization) (LTO) in this distribution's "[Tumbleweed](https://software.opensuse.org/distributions/tumbleweed)" branch caused multiple issues due to the number of cores on the build host being added to the `CFLAGS` variable. This affected, for example, [a `debuginfo/rpm` header](https://bugzilla.opensuse.org/show_bug.cgi?id=1140896) as well as resulted in [in `CFLAGS` appearing in built binaries](https://bugzilla.opensuse.org/show_bug.cgi?id=1141323) such as `fldigi`, `gmp`, `haproxy`, etc.
 
 [![]({{ "/images/reports/2019-07/openwrt.png#right" | prepend: site.baseurl }})](https://openwrt.org/)
 
-As highlighted in [last month's report]({{ "/reports/2019-07/" | prepend: site.baseurl }}), the [OpenWrt](https://openwrt.org/) project (a Linux operating system targeting embedded devices, particularly wireless network routers) [hosted a summit](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001021.html) that [took place from 10th to 12th of that month](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001012.html) in Hamburg, Germany. Their [full summit report](https://openwrt.org/meetings/hamburg2019/start) and roundup is now available that covers many general aspects within that distribution, including the work on reproducible builds that was done during the event.
+As highlighted in [last month's report]({{ "/reports/2019-07/" | prepend: site.baseurl }}), the [OpenWrt](https://openwrt.org/) project (a Linux operating system targeting embedded devices such as wireless network routers) [hosted a summit](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001021.html) in Hamburg, Germany. Their [full summit report and roundup](https://openwrt.org/meetings/hamburg2019/start) is now available that covers many general aspects within that distribution, including the work on reproducible builds that was done during the event.
 
 #### Debian
 
 [![]({{ "/images/reports/2019-07/debconf19.png#right" | prepend: site.baseurl }})](https://debconf19.debconf.org)
 
-It was an extremely productive time in Debian this month in and around [DebConf19](https://debconf19.debconf.org/), the 20th annual conference for contributors and users which was held at the Federal University of Technology in Paraná (UTFPR) in Curitiba, Brazil, from July 21 to 28. The conference was preceded by "DebCamp" which was held from the 14th until the 19th with an additional "Open Day" — targeted at the more-general public — being held on the 20th.
+It was an extremely productive time in Debian this month in and around [DebConf19](https://debconf19.debconf.org/), the 20th annual conference for both contributors and users and was held at the Federal University of Technology in Paraná (UTFPR) in Curitiba, Brazil, from July 21 to 28. The conference was preceded by "DebCamp" from the 14th until the 19th with an additional "Open Day" that is targeted at the more-general public on the 20th.
 
-There were a number of talks touching on the topic of reproducible builds and secure toolchains, including:
+There were a number of talks touching on the topic of reproducible builds and secure toolchains throughout the conference, including:
 
 * *[Reproducible Builds - aiming for bullseye](https://debconf19.debconf.org/talks/30-reproducible-builds-aiming-for-bullseye/)* by Holger Levsen, Chris Lamb and Vagrant Cascadian.
 * *[Software transparency: improving package manager security](https://debconf19.debconf.org/talks/66-software-transparency-improving-package-manager-security/)* presented by Benjamin Hof.
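Review bot: the rewritten openSUSE paragraph carries a leftover fragment, `... for the [openSUSE](https://opensuse.org/) distribution where enabling. Enabling [Link Time Optimization] ...`; either drop `where enabling.` or fold the two sentences into one. The same paragraph still has the doubled preposition in `as well as resulted in [in `CFLAGS` appearing in built binaries]`. In the F-Droid paragraph a comma is missing after the link (`[F-Droid](https://f-droid.org/), the alternative application repository ...`), and the OpenWrt paragraph's "last month's report" link points at `/reports/2019-07/`, which is this report's own URL rather than June's.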
@@ -74,15 +76,15 @@ There were naturally countless discussions regarding Reproducible Builds in and
 
 [![]({{ "/images/reports/2019-07/debian.png#center" | prepend: site.baseurl }})](https://debian.org/)
 
-The release of Debian 10 *buster* has also meant the release cycle for the next release (codenamed *bullseye*) has just begun. As part of this, the [Release Team recently announced](https://lists.debian.org/debian-devel-announce/2019/07/msg00002.html) that Debian will no longer allow binaries built and uploaded by maintainers on their own machines to be part of the upcoming release. This is great news not only for toolchain security in general but also in that it will ensure that all binaries that will form part of this release will likely have a `.buildinfo` file and metadata that could be used by others to reproduce the builds.
+The release of Debian 10 *buster* has also meant the release cycle for the next release (codenamed "*bullseye*") has just begun. As part of this, the [Release Team recently announced](https://lists.debian.org/debian-devel-announce/2019/07/msg00002.html) that Debian will no longer allow binaries built and uploaded by maintainers on their own machines to be part of the upcoming release. This is great news not only for toolchain security in general but also in that it will ensure that all binaries that will form part of this release will likely have a `.buildinfo` file and thus metadata that could be used by others to reproduce and verify the builds.
 
-Holger Levsen [filed a bug against the underlying tool](https://bugs.debian.org/932849) that maintains the Debian archive ("[dak](https://wiki.debian.org/DebianDak)) after he noticed that `.buildinfo` metadata files were not being automatically propagated if packages had to be manually approved or processed in the so-called "[`NEW` queue](https://ftp-master.debian.org/new.html)". After it was pointed out that the files were being retained in a separate location, Benjamin Hof [proposed a potential patch](https://bugs.debian.org/932849#22) for the issue which is pending review.
+Holger Levsen [filed a bug against the underlying tool](https://bugs.debian.org/932849) that maintains the Debian archive ("[dak](https://wiki.debian.org/DebianDak)") after he noticed that `.buildinfo` metadata files were not being automatically propagated if packages had to be manually approved or processed in the so-called "[`NEW` queue](https://ftp-master.debian.org/new.html)". After it was pointed out that the files were being retained in a separate location, Benjamin Hof [proposed a potential patch](https://bugs.debian.org/932849#22) for the issue which is pending review.
 
 David Bremner posted to his blog post about "[Yet another buildinfo database](https://www.cs.unb.ca/~bremner//blog/posts/builtin-pho/)" that provides a SQL interface for querying `.buildinfo` attestation documents, particularly focusing on identifying packages that were built with a specific — and possibly buggy — build-dependency. Later at DebConf, David [demonstrated his tool live](https://meetings-archive.debian.net/pub/debian-meetings/2019/DebConf19/live-demos.webm) (starting at 36:30).
 
 Ivo de Decker ("*ivodd"*) scheduled rebuilds of over 600 packages that last experienced an upload to the archive in December 2016 or earlier. This was so that they would be built using a version of the low-level `dpkg` package build tool that supports the generation of reproducible binary packages. The effect of this on the main archive will be deliberately staggered and thus visible throughout the upcoming weeks, potentially resulting in some of these packages now failing to build.
 
-[Joaquin de Andres posted an update](https://lists.debian.org/debian-devel/2019/07/msg00613.html) regarding the work being done on continuous integration in the developer's  at DebConf19 in which he mentions, *inter alia*, a tool called [`atomic-reprotest`](https://salsa.debian.org/salsa-ci-team/atomic-reprotest/). This is a relatively new utility to help debug failures logged by the our `reprotest` tool which attempts to test whether a build is reproducible or not. This tool was also mentioned [in a subsequent "Lightning Talk"](https://debconf19.debconf.org/talks/131-lightning-talks-2/).
+[Joaquin de Andres posted an update](https://lists.debian.org/debian-devel/2019/07/msg00613.html) regarding the work being done on continuous integration on [Debian's Gitlab instance](https://salsa.debian.org) at DebConf19 in which he mentions, *inter alia*, a tool called [`atomic-reprotest`](https://salsa.debian.org/salsa-ci-team/atomic-reprotest/). This is a relatively new utility to help debug failures logged by the our `reprotest` tool which attempts to test whether a build is reproducible or not. This tool was also mentioned [in a subsequent lightning talk](https://debconf19.debconf.org/talks/131-lightning-talks-2/).
 
 Chris Lamb filed two bugs to drop the test jobs for both [`strip-nondeterminism`](https://tracker.debian.org/pkg/strip-nondeterminism) ([#932366](https://bugs.debian.org/932366)) and [`reprotest`](https://tracker.debian.org/pkg/reprotest) ([#932374](https://bugs.debian.org/932374)) after modifying them to built on the [Salsa](https://salsa.debian.org) server's own continuous integration platform and Holger Levsen shortly resolved them.
 
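Review bot: `the our `reprotest` tool` in the atomic-reprotest paragraph keeps a pre-existing doubled article; drop `the`. In the bullseye paragraph, `it will ensure that all binaries ... will likely have a `.buildinfo` file` reads as contradictory (`ensure` against `likely`); `should mean that all binaries ... will have` or similar would be clearer.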
@@ -92,9 +94,9 @@ Lastly, 63 reviews of Debian packages were added, 72 were updated and 22 were re
 
 ## Software development
 
-The goal of [Benjamin Hof](https://www.net.in.tum.de/members/hof/)'s "Software transparency" effort is to improve on the cryptographic signatures of the [APT package manager](https://en.wikipedia.org/wiki/APT_(Package_Manager)) by introducing a [Merkle tree](https://en.wikipedia.org/wiki/Merkle_tree)-based transparency log for package metadata and source code, in a similar vein to [certificate transparency](https://securitytrails.com/blog/what-are-certificate-transparency-logs). This month, he pushed [a number of repositories to our revision control system](https://salsa.debian.org/reproducible-builds/transparency) for further future development and review.
+The goal of [Benjamin Hof](https://www.net.in.tum.de/members/hof/)'s Software Transparency effort is to improve on the cryptographic signatures of the [APT package manager](https://en.wikipedia.org/wiki/APT_(Package_Manager)) by introducing a [Merkle tree-based](https://en.wikipedia.org/wiki/Merkle_tree) transparency log for package metadata and source code, in a similar vein to [certificate transparency](https://securitytrails.com/blog/what-are-certificate-transparency-logs). This month, he pushed [a number of repositories to our revision control system](https://salsa.debian.org/reproducible-builds/transparency) for further future development and review.
 
-In addition, Bernhard M. Wiedemann updated his [deliberately unreproducible demonstration software project](https://github.com/bmwiedemann/theunreproduciblepackage) to add [support for floating point variations](https://github.com/bmwiedemann/theunreproduciblepackage/commit/e5d59a3dda050b5c52b59af0ab610936d037c3b2) as well as [changes in the project's copyright year](https://github.com/bmwiedemann/theunreproduciblepackage/commit/c53ba1521867ca2b92ff93a367c5bfa90d7898f7).
+In addition, Bernhard M. Wiedemann updated his (deliberately) [unreproducible demonstration project](https://github.com/bmwiedemann/theunreproduciblepackage) to add [support for floating point variations](https://github.com/bmwiedemann/theunreproduciblepackage/commit/e5d59a3dda050b5c52b59af0ab610936d037c3b2) as well as [changes in the project's copyright year](https://github.com/bmwiedemann/theunreproduciblepackage/commit/c53ba1521867ca2b92ff93a367c5bfa90d7898f7).
 
 #### Upstream patches
 
@@ -157,7 +159,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
 Neal Gompa, Michael Schröder & Miro Hrončok responded to [Fedora](https://getfedora.org)'s recent [change to `rpm-config`](https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57) with some new developments within [rpm](https://github.com/rpm-software-management/rpm/pull/785) to fix an unreproducible "`Build Date`" and [reverted a change to the Python interpreter](https://github.com/fedora-python/cpython/pull/3) to switch back to unreproducible/time-based compile caches.
 
-[![]({{ "/images/reports/2019-07/alpinelinux.png#left" | prepend: site.baseurl }})](https://www.alpinelinux.org)
+[![]({{ "/images/reports/2019-07/alpinelinux.png#right" | prepend: site.baseurl }})](https://www.alpinelinux.org)
 
 Lastly, *kpcyrd* [submitted a pull request](https://github.com/alpinelinux/abuild/pull/93) for [Alpine Linux](https://alpinelinux.org/) to add [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) support to the [`abuild`](https://github.com/alpinelinux/abuild/) build tool in this operating system.
 
@@ -188,6 +190,8 @@ This month, Chris Lamb made the following changes:
 
 In addition, Marc Herbert provided a patch to catch failures to disassemble [ELF](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format) binaries. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/20)]
 
+<br>
+
 #### Project website
 
 [![]({{ "/images/reports/2019-07/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
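Review bot: the inserted `<br>` is raw HTML used purely for vertical spacing in Markdown, and the same pattern is added before `---`, `#### strip-nondeterminism` and `#### Test framework` in the other hunks. If the spacing is there to clear the floated `#right`/`#left` images, a stylesheet rule (for example `clear: both` on section headings) would avoid repeating this markup in every monthly report.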
@@ -210,7 +214,9 @@ There was a yet more effort put into our [our website](https://reproducible-buil
 
 Holger Levsen also added explanations on how to install [diffoscope](https://diffoscope.org/) on OpenBSD [[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/c4a35f3)] and FreeBSD [[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/0c0dc6c)] to its homepage and Arnout Engelen added a prelimary and work-in-progress idea for a badge or "shield" program for upstream projects. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/67a4bde)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/68e7b42)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fe67d8f)].
 
-A special thank you to Alexander Borkowski [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/48aaa4d)] Georg Faerber [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/91a4e41)], and John Scott [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a6a1100)] for their individual fixes. To err is human; to reproduce, divine.
+A special thank you to Alexander Borkowski [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/48aaa4d)] Georg Faerber [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/91a4e41)], and John Scott [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a6a1100)] for their individual fixes. *To err is human; to reproduce, divine.*
+
+<br>
 
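Review bot: a comma is missing after the first name in the thank-you sentence (`Alexander Borkowski [[...](...)] Georg Faerber`), and the unchanged context line in the preceding paragraph still spells `prelimary`; since this commit already touches this part of the page, both are cheap to fix here.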
 #### strip-nondeterminism
 
@@ -227,6 +233,8 @@ In addition, Chris Lamb made the following changes:
     * Merge the `debian` branch into the `master` branch to simplify testing and deployment [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/b1132f4)] and update `debian/gbp.conf` to match [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/b948d76)].
 * Drop misleading and outdated `MANIFEST` and `MANIFEST.SKIP` files as they are not used by our release process. [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/368f18b)]
 
+<br>
+
 #### Test framework
 
 [![]({{ "/images/reports/2019-07/testframework.png#right" | prepend: site.baseurl }})](https://tests.reproducible-builds.org/)


=====================================
images/reports/2019-07/debian.png
=====================================
Binary files a/images/reports/2019-07/debian.png and b/images/reports/2019-07/debian.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dd7eae981b3a9c60ff2ed892dc715068e43943e5


