[Git][reproducible-builds/reproducible-website][master] 9 commits: Lets not promote yet more ambiguity in our environment names!
Chris Lamb
gitlab at salsa.debian.org
Tue Jul 2 19:04:00 UTC 2019
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
f10dec3d by Chris Lamb at 2019-07-02T13:42:21Z
Lets not promote yet more ambiguity in our environment names!
- - - - -
a7bd152d by Chris Lamb at 2019-07-02T13:42:52Z
Correct the templated titl
- - - - -
cc5cc920 by Chris Lamb at 2019-07-02T13:43:04Z
Misc updates to the template generator.
- - - - -
ab77a2c1 by Chris Lamb at 2019-07-02T13:44:47Z
Correct old wiki syntax.
- - - - -
864a2002 by Chris Lamb at 2019-07-02T19:03:34Z
Correct a minor grammatical error in two past reports.
- - - - -
0d67e48c by Chris Lamb at 2019-07-02T19:03:34Z
Correct a non-relative URL.
- - - - -
db48d6db by Chris Lamb at 2019-07-02T19:03:34Z
2019-07: Use the new design for the draft July report.
- - - - -
dba0deec by Chris Lamb at 2019-07-02T19:03:34Z
Correct grammar in the draft template.
- - - - -
aa0c8587 by Chris Lamb at 2019-07-02T19:03:34Z
2019-06: Initial draft
- - - - -
21 changed files:
- _docs/source-date-epoch.md
- _reports/2019-04.md
- _reports/2019-05.md
- _reports/2019-06.md
- _reports/2019-07.md
- bin/generate-draft
- bin/generate-draft.template
- + images/reports/2019-06/aimingforbullseye.png
- + images/reports/2019-06/buildinfo-debian-net.png
- + images/reports/2019-06/debconf19.png
- + images/reports/2019-06/debian.png
- + images/reports/2019-06/diffoscope.svg
- + images/reports/2019-06/fedora.png
- + images/reports/2019-06/intoto.png
- + images/reports/2019-06/opensuse.png
- + images/reports/2019-06/openwrt.png
- + images/reports/2019-06/profitbricks.png
- + images/reports/2019-06/prototypefund.png
- + images/reports/2019-06/reprobuilds-display.jpeg
- + images/reports/2019-06/reproducible-builds.png
- + images/reports/2019-06/website.png
Changes:
=====================================
_docs/source-date-epoch.md
=====================================
@@ -4,7 +4,7 @@ layout: docs
permalink: /docs/source-date-epoch/
---
-`SOURCE_DATE_EPOCH` (or `S_D_E`) [is a standardised environment variable](https://reproducible-builds.org/specs/source-date-epoch/) that distributions can set centrally and have build tools consume this in order to produce reproducible output.
+`SOURCE_DATE_EPOCH` [is a standardised environment variable](https://reproducible-builds.org/specs/source-date-epoch/) that distributions can set centrally and have build tools consume this in order to produce reproducible output.
Before implementing this, you should scan through [our checklist](https://wiki.debian.org/ReproducibleBuilds/StandardEnvironmentVariables#Checklist) to see if you can avoid implementing it.
@@ -16,7 +16,7 @@ Please read our [SOURCE_DATE_EPOCH specification](https://reproducible-builds.or
See [Standard Environment Variables](https://wiki.debian.org/ReproducibleBuilds/StandardEnvironmentVariables) for more detailed discussion of the rationales behind this mechanism.
-Below we also have [[#More_detailed_discussion|more detailed discussion]] about this specific variable, as well as documentation on [[#history-and-alternatives|history and alternative proposals]].
+Below we also have more detailed discussion about this specific variable, as well as documentation on history and alternative proposals.
## Setting the variable
@@ -337,7 +337,7 @@ NOTE: faketime BREAKS builds on some archs, for example hurd. See #778462 for de
Sometimes developers of build tools do not want to support `SOURCE_DATE_EPOCH`, or they will tweak the suggestion to something related but different. We really do think the best approach is to use `SOURCE_DATE_EPOCH` exactly as-is described above in our proposal, without any variation. Here we explain our reasoning versus the arguments we have encountered.
-(See [[ReproducibleBuilds/StandardEnvironmentVariables#more-detailed-discussion|Standard Environment Variables]] for general arguments.)
+(See *Standard Environment Variables* for general arguments.)
### "Lying about the time" / "violates language spec"
=====================================
_reports/2019-04.md
=====================================
@@ -7,7 +7,7 @@ draft: false
published: 2019-05-05 17:08:27
---
-**Welcome to the April 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these now-monthly reports we will outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains.
+**Welcome to the April 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these now-monthly reports we will outline the most important things which we have been up to in and around the world of reproducible builds & secure toolchains.
[![]({{ "/images/reports/2019-04/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
=====================================
_reports/2019-05.md
=====================================
@@ -9,7 +9,7 @@ published: 2019-06-06 12:50:39
[![]({{ "/images/reports/2019-05/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
-**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
+**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which we have been up to in and around the world of reproducible builds & secure toolchains over the past month.
As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no malicious flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
@@ -192,7 +192,7 @@ Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd86
Chris Lamb added various fixes for larger/smaller screens [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/edef6f8)], added a logo suitable for printing physical pin badges [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/d78fd45)] and refreshed the opening copy text on our [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch) page.
-Bernhard M. Wiedemann then [documented a more concise C code example](https://reproducible-builds.org/docs/source-date-epoch/#c) for parsing the `SOURCE_DATE_EPOCH` environment variable [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/547732f)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1efd6f)] and Holger Levsen added a [link to a specific bug](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) blocking progress in [openSUSE](https://opensuse.org/) to our [*Who is involved?*](https://reproducible-builds.org/who/) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d9f4bce)].
+Bernhard M. Wiedemann then [documented a more concise C code example](https://reproducible-builds.org/docs/source-date-epoch/#c) for parsing the `SOURCE_DATE_EPOCH` environment variable [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/547732f)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1efd6f)] and Holger Levsen added a [link to a specific bug](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) blocking progress in [openSUSE](https://opensuse.org/) to our [*Who is involved?*]({{ "/who/" | prepend: site.baseurl }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d9f4bce)].
---
=====================================
_reports/2019-06.md
=====================================
@@ -6,101 +6,276 @@ title: "Reproducible Builds in June 2019"
draft: true
---
-## Mini DebConf Hamburg Sprint
+[![]({{ "/images/reports/2019-06/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
-kpcyrd, lynxis, Holger Levsen and Jelle van der Waa attended [mini DebConf Hamburg](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg) and worked on reproducible builds.
+**Welcome to the June 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
-* Jelle van der Waa
- * Improved the [reproducible_json.py script](https://salsa.debian.org/qa/jenkins.debian.net/commit/20a7b86ce0a26bd8f8718478c8e8a1612c0af87e) to generate distro specific JSON which lead to the availability of an [Arch Linux JSON](https://tests.reproducible-builds.org/archlinux/reproducible.json) file.
- * Investigated why the Arch Linux kernel package is not reproducible and found out that ```KBUILD_BUILD_HOST```, ```KGBUILD_BUILD_TIMESTAMP``` should be set. The enabling of ```CONFIG_MODULE_SIG_ALL``` causes the kernel modules to be signed with an at build time created key if non is provided which leads to unreproducibility.
- * [keyutils](https://www.archlinux.org/packages/core/x86_64/keyutils/) was fixed for embedding the build date in it's binary with this [patch](https://pkgbuild.com/~jelle/0001-Make-keyutils-reproducible.patch)
- * [nspr](https://www.archlinux.org/packages/core/x86_64/nspr/) has been made reproducible in Arch Linux with the following [change](https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/nspr&id=3696d15bba92ea14931f842b27654e318055e532)
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
-* kpcyrd
- * Created a Jenkins [job](https://jenkins.debian.net/view/All/job/reproducible_setup_schroot_alpine_jenkins/) to generate an alpine build chroot
- * Created a Jenkins [job](https://jenkins.debian.net/view/All/job/reproducible_alpine_scheduler/) to schedule new alpine packages
- * Created a Jenkins [job](https://jenkins.debian.net/job/reproducible_builder_alpine_1/) to build alpine packages
- * Created an alpine reproducible testing [overview page](https://tests.reproducible-builds.org/alpine/alpine.html)
- * Provided a proof of concept SOURCE_DATE_EPOCH [patch](https://github.com/kpcyrd/abuild/commit/ea1c11811eaf0a98b5b8ab9c57574a9895d56454.patch) for abuild to fix timestamp issues in alpine packages
+In this month's report, we will cover:
-* lynxis:
- * rewrote db interaction for OpenWrt.
- * use python3 for openwrt package parser.
- * managed to setup a test environment, using the new README.development.
+* **Media coverage** — *Lego bricks, pizza and Reproducible Builds?*
+* **Events** — *What happened at MiniDebConf Hamburg and the OpenWrt Summit, etc.*
+* **Upstream news** — *Is "Trusting Trust" close to a rebuttal? etc.*
+* **Distribution work** — *openSUSE updates and yet more Debian Installer progress*
+* **Software development** — *Patches patches patches, etc.*
+* **Misc news** — *From our mailing list...*
+* **Getting in touch** — *How to contribute*
-* Holger reviewed and merged all the above commits and supported Jelle, kpcyrd and lynxis to understand the codebase.
- * Holger split out README.development from the regular README.
-* Holger and Jelle also gave a talk titled 'Reproducible Builds - aiming for Bullseye' (bullseye is the next Debian release name).
- * Video: https://meetings-archive.debian.net/pub/debian-meetings/2019/miniconf-hamburg/reproducible-builds.webm
- * Slides: TBD
+---
+
+## Media coverage
+
+* Jospeh Devietti from [Cloudseal](https://www.cloudseal.io) published a post entitled [*An introduction to reproducible builds*](https://www.cloudseal.io/blog/2019-05-15-introduction-to-reproducible-builds) on their blog, noting that:
+
+> One key motivation for reproducible builds is to enable peak efficiency for the build caches used in modern build systems.
+
+* The [Prototype Fund](https://prototypefund.de/en/), an initiative to "aid software developers, hackers and creatives in furthering their ideas from concept to demo" produced a video featuring Holger Levsen explaining Reproducible Builds... using Lego bricks and pizzas!
+
+[![]({{ "/images/reports/2019-06/prototypefund.png#center" | prepend: site.baseurl }})](https://www.youtube.com/watch?v=PSxm2DbDHG8)
+
+* Carl Dong gave a talk titled [*Bitcoin Build System Security*](https://www.youtube.com/watch?v=I2iShmUTEl8) at the [Breaking Bitcoin](https://breaking-bitcoin.com/) conference in Amsterdam, Netherlands.
+
+---
+
+## Events
+
+[![]({{ "/images/reports/2019-06/debconf19.png#right" | prepend: site.baseurl }})](https://debconf19.debconf.org)
+
+There were a number of events that included or incorporated members of the Reproducible Builds community this month. If you know of any others, please do [get in touch]({{ "/who/" | prepend: site.baseurl }}). In addition, a number of members of the Reproducible Builds project will be at [DebConf 2019](https://debconf19.debconf.org/) in Curitiba, Brazil and will present on the status of their work.
+
+### MiniDebConf Hamburg 2019
+
+Holger Levsen, Jelle van der Waa, *kpcyrd* and Alexander Couzens attended [MiniDebConf Hamburg 2019](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg) and worked on Reproducible Builds.
+
+Holger gave a status update on the Project with a talk entited [*Reproducible Builds aiming for bullseye*](https://www.youtube.com/watch?v=vQv4fxDMMPs), referring to the [next Debian release name](https://lists.debian.org/debian-devel-announce/2016/07/msg00002.html):
+
+[![]({{ "/images/reports/2019-06/aimingforbullseye.png#center" | prepend: site.baseurl }})](https://www.youtube.com/watch?v=vQv4fxDMMPs)
+
+Jelle kindly gifted Holger with a [Reproducible Builds display](https://github.com/jelly/reproduciblebuilds-display):
+
+[![]({{ "/images/reports/2019-06/reprobuilds-display.jpeg#center" | prepend: site.baseurl }})](https://raw.githubusercontent.com/jelly/reproduciblebuilds-display/master/img/reprobuilds-display.jpeg)
+
+In addition, Lukas Puehringer gave a talk titled [*Building reproducible builds into apt with in-toto*](https://www.youtube.com/watch?v=hbHa4OFv7Qo):
+
+[![]({{ "/images/reports/2019-06/intoto.png#center" | prepend: site.baseurl }})](https://www.youtube.com/watch?v=hbHa4OFv7Qo)
+
+As part of various hacking sessions:
+
+* Jelle van der Waa:
+
+ * Improved the [`reproducible_json.py` script](https://salsa.debian.org/qa/jenkins.debian.net/commit/20a7b86ce0a26bd8f8718478c8e8a1612c0af87e) to generate distribution-specific JSON, leading to the availability of an [ArchLinux JSON file](https://tests.reproducible-builds.org/archlinux/reproducible.json).
+ * Investigated why the [Arch Linux](https://www.archlinux.org/) kernel package is not reproducible, finding out that `KBUILD_BUILD_HOST` and `KGBUILD_BUILD_TIMESTAMP` should be set. The enabling of `CONFIG_MODULE_SIG_ALL` causes the kernel modules to be signed with a (non-determinstic) build-time key if none is provided, leading to unreproducibility.
+ * [keyutils](https://www.archlinux.org/packages/core/x86_64/keyutils/) was fixed with respect to it embedding the build date in its binary. [[...](https://pkgbuild.com/~jelle/0001-Make-keyutils-reproducible.patch)]
+ * [nspr](https://www.archlinux.org/packages/core/x86_64/nspr/) was made reproducible in Arch Linux. [[...](https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/nspr&id=3696d15bba92ea14931f842b27654e318055e532)]
-Jelle was also so very kind and gifted Holger with this very nice display: https://github.com/jelly/reproduciblebuilds-display (FIXME: include picture of it = [pic](https://raw.githubusercontent.com/jelly/reproduciblebuilds-display/master/img/reprobuilds-display.jpeg))
+* *kpcyrd*:
+ * Created various Jenkins jobs to generate [Alpine](https://alpinelinux.org/) build chroots, schedule new packages and to ultimately build them. [[...](https://jenkins.debian.net/view/All/job/reproducible_setup_schroot_alpine_jenkins/)][[...](https://jenkins.debian.net/view/All/job/reproducible_alpine_scheduler/)][[...](https://jenkins.debian.net/job/reproducible_builder_alpine_1/)]
+ * Created an Alpine reproducible testing [overview page](https://tests.reproducible-builds.org/alpine/alpine.html).
+ * Provided a proof of concept [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) patch for `abuild` to fix timestamp issues in Alpine packages. [[...](https://github.com/kpcyrd/abuild/commit/ea1c11811eaf0a98b5b8ab9c57574a9895d56454.patch)]
-Following discussions in Hamburg Ivo De Decker reviewed the situation around "#869184: dpkg: source uploads including _amd64.buildinfo cause problems" again and updated the bug with some recommendations for the next Debian release cycle.
+* Alexander Couzens:
+ * Rewrote the database interaction routines for [OpenWrt](https://openwrt.org/).
+ * Migrated the OpenWrt package parser to use Python 3.x as [Python 2.x will be reaching end-of-life](https://pythonclock.org/) at the end of this year.
+ * Setup a test environment using a new `README.development` file.
+Holger Levsen was on hand to review and merge all the above commits, providing support and insight into the the codebase. He additionally split out a a `README.development` from the regular, more-generic `README` file.
-## OpenWrt summit
+### OpenWrt summit
-* Holger participated in the [OpenWrt summit](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001021.html) (from [June 10th to 12th 2019](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001012.html)) discussing .buildinfo files. FIXME: add URL, also to pad/notes.
+[![]({{ "/images/reports/2019-06/openwrt.png#right" | prepend: site.baseurl }})](https://openwrt.org/)
-* Paul Spooren / aparcar made https://github.com/openwrt/openwrt/pull/2121 - "build: introduce feeds.buildinfo (and 2 other files) for reproducibility of OpenWrt"
+The [OpenWrt](https://openwrt.org/) project, is a Linux operating system targeting embedded devices, particularly wireless network routers. In June, they [hosted a summit](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001021.html) that took place from [10th to 12th](http://lists.infradead.org/pipermail/openwrt-adm/2019-March/001012.html) of the month.
+Here, Holger participated in the discussions regarding `.buildinfo` build-attestation documents. As a result of this, Paul Spooren (*aparcar*) made [a pull request](https://github.com/openwrt/openwrt/pull/2121) to introduce/create a `feeds.buildinfo` (etc) for reproducibility in OpenWrt.
-## Media
-* The PrototypeFund produced a video featuring Holger explaining Reproducible Builds with lego bricks and pizzas. https://www.youtube.com/watch?v=PSxm2DbDHG8
+---
+
+## Upstream news
+
+* The [Monero](https://www.getmonero.org/) cryptocurrency now offers [full reproducibility for all compiled binaries](https://github.com/monero-project/monero/pull/5633), a feature [first requested in October 2017](https://github.com/monero-project/monero/issues/2641).
+
+[![]({{ "/images/reports/2019-06/fedora.png#right" | prepend: site.baseurl }})](https://getfedora.org/)
+
+* The [Fedora project](https://getfedora.org/) debated setting [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) [in all builds via `rpm`](https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57) which was accepted and merged on June 27th by Igor Gnatenko.
+
+* [Jeremiah Orians announced that version 1.0](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001593.html) of the [`mescc-tools-seed`](https://github.com/oriansj/mescc-tools-seed) compiler has been released. For those not familiar with the project, it is the full bootstrap of a cross-platform compiler for the C programming language (written in C itself) from hex, the ultimate goal being able to demonstrate fully-bootstrapped compiler from hex to the [GCC GNU Compiler Collection](https://gcc.gnu.org/). This has many implications in and around [Ken Thompson](https://en.wikipedia.org/wiki/Ken_Thompson)'s [*Trusting Trust*](https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf) attack he outlined in 1983 [Turing Award Lecture](https://amturing.acm.org/lectures.cfm).
+
+---
+
+### Distribution work
+
+[![]({{ "/images/reports/2019-06/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
+
+Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-06/msg00429.html) for the [openSUSE](https://opensuse.org/) distribution.
+
+<br>
-## Upstream work:
+In [Debian](https://www.debian.org/), 39 reviews of packages were added, 3 were updated and 8 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
-* Thanks to https://github.com/monero-project/monero/pull/5633 monero now has full reproducibility for all compiled binaries.
+[![]({{ "/images/reports/2019-06/debian.png#left" | prepend: site.baseurl }})](https://debian.org/)
+
+Chris Lamb also did more work testing of the reproducibility status of [Debian Installer](https://www.debian.org/devel/debian-installer/) images. In particular, he was working around and patching an issue stemming from us testing builds far into the "future". ([#926242](https://bugs.debian.org/926242#92))
+
+In addition, following discussions at [MiniDebConf Hamburg](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg), Ivo De Decker reviewed the situation around Debian bug [#869184](https://bugs.debian.org/869184) again ("*dpkg: source uploads including `_amd64.buildinfo` cause problems*") and updated the bug with some recommendations for the next Debian release cycle.
+
+---
+
+## Software development
+
+#### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
* Bernhard M. Wiedemann:
- * [wine](https://bugzilla.opensuse.org/show_bug.cgi?id=1062303) (report random file names)
- * vtk:
- * [fix date](https://gitlab.kitware.com/vtk/vtk/merge_requests/5633) ; merged
- * [sort perl hash](https://gitlab.kitware.com/vtk/vtk/merge_requests/5634) ; merged
- * report [parallelism race](https://gitlab.kitware.com/vtk/vtk/issues/17619) from unspecified dependency in cmake
- * [HSAIL-Tools](https://github.com/HSAFoundation/HSAIL-Tools/pull/54) (sort perl hash)
- * [python-nautilus](https://github.com/GNOME/nautilus-python/pull/6) (python date)
- * [rclone/cobra](https://github.com/ncw/rclone/pull/3289) (sort golang hash)
- * [herbstluftwm](https://github.com/herbstluftwm/herbstluftwm/pull/553) (date)
- * [lcov](https://github.com/linux-test-project/lcov/pull/68) (date ; mtime updated by sed)
- * [rakkess](https://github.com/corneliusweig/rakkess/pull/31) (date+time in Makefile)
- * [terraform](https://github.com/hashicorp/terraform/issues/21727) (report FTBFS-2030)
- * [MozillaFirefox+Thunderbird](https://bugzilla.opensuse.org/show_bug.cgi?id=1137970) (report parallelism race)
- * [ndpi](https://build.opensuse.org/request/show/707688) (date ; [already merged upstream](https://github.com/ntop/nDPI/pull/662))
- * [oyranos](https://build.opensuse.org/request/show/707785) (drop build kernel version ; [already merged upstream](https://github.com/oyranos-cms/oyranos/pull/52))
- * [python-qt5](https://build.opensuse.org/request/show/708180) (sort python readdir / os.walk ; [submitted upstream](https://www.riverbankcomputing.com/pipermail/pyqt/2019-June/041854.html))
- * [argus-client](https://build.opensuse.org/request/show/708470) (parallelism race + silent build failure)
- * [mypaint](https://build.opensuse.org/request/show/708828) (sort readdir ; [probably upstream](https://github.com/mypaint/libmypaint/pull/108))
- * [perl-Email-Date-Format](https://build.opensuse.org/request/show/708857) (fix rare breakage)
- * [linphone](https://build.opensuse.org/request/show/708862) (sort python readdir - [submitted+ignored upstream](https://github.com/BelledonneCommunications/linphone/pull/112))
- * [uperf](https://build.opensuse.org/request/show/708992) (date ; [already upstream](https://github.com/uperf/uperf/pull/13))
- * [thunarx-python](https://build.opensuse.org/request/show/708993) (date - not yet upstream)
- * [surfraw](https://build.opensuse.org/request/show/709175) (date ; [already upstream](https://gitlab.com/surfraw/Surfraw/merge_requests/2))
- * [plowshare](https://build.opensuse.org/request/show/709255) (date ; [already upstream](https://github.com/mcrapet/plowshare/pull/98))
- * [sawfish](https://build.opensuse.org/request/show/709295) (version update to get all upstream reproducibility fixes)
- * [vboot](https://build.opensuse.org/request/show/709449) (shell date - not yet upstream)
- * [rubygem-rice](https://build.opensuse.org/request/show/709984) (drop unreproducible files)
- * [benchmark](https://build.opensuse.org/request/show/710381) (version upgrade for fixing FTBFS-j1)
- * [perl-Alien-SDL](https://build.opensuse.org/request/show/710903) (sort perl readdir - [orphaned upstream](https://github.com/PerlGameDev/Alien-SDL/pull/6))
- * [ck](https://build.opensuse.org/request/show/710500) (FTBFS-j1 - [also fixed upstream](https://github.com/concurrencykit/ck/issues/141))
- * [python-hyper](https://build.opensuse.org/request/show/711311) (avoid build stuck on -j1 - not upstream)
- * [perl-OLE-Storage\_Lite](https://build.opensuse.org/request/show/711588) (fix FTBFS-2020 - [ignored upstream](https://rt.cpan.org/Public/Bug/Display.html?id=124513))
- * [python-xmlsec](https://build.opensuse.org/request/show/711589) (sort python glob - [already merged upstream](https://github.com/mehcode/python-xmlsec/pull/91))
- * [python-pgmagick](https://build.opensuse.org/request/show/711741) (sort readdir - [already merged upstream](https://github.com/hhatto/pgmagick/pull/47))
-
-* Richard Biener:
- * [gcc9/D](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90778) (sort hash)
-
-* Morten Linderud
- * [libpod](https://github.com/containers/libpod/pull/3390) (date)
-
-
-* [Building reproducible builds into apt with in-toto](https://www.youtube.com/watch?v=hbHa4OFv7Qo)
-
-* [Reproducible Builds aiming for bullseye](https://www.youtube.com/watch?v=vQv4fxDMMPs)
-
-* [FIXME](https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57) Fedora considers to set `SOURCE_DATE_EPOCH` in all builds via rpm
-
-* Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-06/msg00429.html) for the [openSUSE](https://opensuse.org/) distribution.
+ * [argus-client](https://build.opensuse.org/request/show/708470) (Parallelism race condition and silent build failure)
+ * [benchmark](https://build.opensuse.org/request/show/710381) (Version upgrade, fixing failing to build from FTBFS with `-j1`)
+ * [ck](https://build.opensuse.org/request/show/710500) (FTBFS with `-j1`, [also fixed upstream](https://github.com/concurrencykit/ck/issues/141))
+ * [herbstluftwm](https://github.com/herbstluftwm/herbstluftwm/pull/553) (Embedded build date)
+ * [HSAIL-Tools](https://github.com/HSAFoundation/HSAIL-Tools/pull/54) (Sort Perl hash)
+ * [lcov](https://github.com/linux-test-project/lcov/pull/68) (A file's [modification time](https://en.wikipedia.org/wiki/Mtime) was being updated by [sed](https://en.wikipedia.org/wiki/Sed))
+ * [linphone](https://build.opensuse.org/request/show/708862) (Sort Python [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html), [submitted but ignored upstream](https://github.com/BelledonneCommunications/linphone/pull/112))
+ * [mypaint](https://build.opensuse.org/request/show/708828) (Sort call to [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html), [probably upstream](https://github.com/mypaint/libmypaint/pull/108))
+ * [MozillaFirefox+Thunderbird](https://bugzilla.opensuse.org/show_bug.cgi?id=1137970) (Report parallelism race condition)
+ * [ndpi](https://build.opensuse.org/request/show/707688) (Fix a date, [already merged upstream](https://github.com/ntop/nDPI/pull/662))
+ * [oyranos](https://build.opensuse.org/request/show/707785) (Drop build kernel version, [already merged upstream](https://github.com/oyranos-cms/oyranos/pull/52))
+ * [perl-Alien-SDL](https://build.opensuse.org/request/show/710903) (Sort Perl [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html)`, [orphaned upstream](https://github.com/PerlGameDev/Alien-SDL/pull/6))
+ * [perl-Email-Date-Format](https://build.opensuse.org/request/show/708857) (Fix a rare breakage)
+ * [perl-OLE-Storage\_Lite](https://build.opensuse.org/request/show/711588) (Fix FTBFS when built in 2020, [ignored upstream](https://rt.cpan.org/Public/Bug/Display.html?id=124513))
+ * [plowshare](https://build.opensuse.org/request/show/709255) (Date, [already upstream](https://github.com/mcrapet/plowshare/pull/98))
+ * [python-hyper](https://build.opensuse.org/request/show/711311) (Avoid build getting stuck with `-j1`, not upstream)
+ * [python-nautilus](https://github.com/GNOME/nautilus-python/pull/6) (Python date)
+ * [python-pgmagick](https://build.opensuse.org/request/show/711741) (Sort [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html) call, [already merged upstream](https://github.com/hhatto/pgmagick/pull/47))
+ * [python-qt5](https://build.opensuse.org/request/show/708180) (Sort a Python [`readdir(3)`](https://pubs.opengroup.org/onlinepubs/7908799/xsh/readdir.html) / [`os.walk`](https://docs.python.org/3/library/os.html#os.walk), [submitted upstream](https://www.riverbankcomputing.com/pipermail/pyqt/2019-June/041854.html))
+ * [python-xmlsec](https://build.opensuse.org/request/show/711589) (Sort a Python [glob](https://docs.python.org/3/library/glob.html) call, [already merged upstream](https://github.com/mehcode/python-xmlsec/pull/91))
+ * [rakkess](https://github.com/corneliusweig/rakkess/pull/31) (Fix a date and time call in `Makefile`)
+ * [rclone/cobra](https://github.com/ncw/rclone/pull/3289) (sort [Go programming language](https://golang.org/) hash)
+ * [rubygem-rice](https://build.opensuse.org/request/show/709984) (Drop unreproducible files)
+ * [sawfish](https://build.opensuse.org/request/show/709295) (Version update to get all upstream reproducibility fixes)
+ * [surfraw](https://build.opensuse.org/request/show/709175) (Fix a date, [already upstream](https://gitlab.com/surfraw/Surfraw/merge_requests/2))
+ * [terraform](https://github.com/hashicorp/terraform/issues/21727) (Report FTBFS when built in 2030)
+ * [thunarx-python](https://build.opensuse.org/request/show/708993) (Fix a date, not yet upstream)
+ * [uperf](https://build.opensuse.org/request/show/708992) (Date, [already upstream](https://github.com/uperf/uperf/pull/13))
+ * [vboot](https://build.opensuse.org/request/show/709449) (Uses a shell date, not yet upstream)
+ * [vtk](https://gitlab.kitware.com/vtk):
+ * [Fix a date date](https://gitlab.kitware.com/vtk/vtk/merge_requests/5633) (merged)
+ * [Sort a Perl hash](https://gitlab.kitware.com/vtk/vtk/merge_requests/5634) (merged)
+ * Report [a parallelism race](https://gitlab.kitware.com/vtk/vtk/issues/17619) from an unspecified dependency in [CMake](https://cmake.org/)
+ * [wine](https://bugzilla.opensuse.org/show_bug.cgi?id=1062303) (Report the use of random file names)
+
+
+* Chris Lamb:
+ * [#930768](https://bugs.debian.org/930768) filed against [node-d3-fetch](https://tracker.debian.org/pkg/node-d3-fetch).
+ * [#930769](https://bugs.debian.org/930769) filed against [node-d3-contour](https://tracker.debian.org/pkg/node-d3-contour).
+ * [#930814](https://bugs.debian.org/930814) filed against [node-d3-hierarchy](https://tracker.debian.org/pkg/node-d3-hierarchy).
+ * [#930911](https://bugs.debian.org/930911) filed against [node-d3-scale-chromatic](https://tracker.debian.org/pkg/node-d3-scale-chromatic).
+ * [#931102](https://bugs.debian.org/931102) filed against [combblas](https://tracker.debian.org/pkg/combblas).
+
+* Morten Linderud submitted a patch for [libpod](https://github.com/containers/libpod/pull/3390), a library used to create container pods to [fix a date-related reproducibility issue](https://github.com/containers/libpod/pull/3390) which has subsequently been merged.
+* Richard Biener submitted a patch for the [GCC GNU Compiler Collection](https://gcc.gnu.org/) to [fix differences in the runtime debugging info between builds](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90778) in its [D programming language](https://dlang.org/) support.
+
+#### Project website
+
+[![]({{ "/images/reports/2019-06/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
+
+There was a significant amount of effort on [our website](https://reproducible-builds.org/) this month.
+
+* Chris Lamb:
+
+ * Move the remaining site to the newer website design. This was a long-outstanding task ([#2](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/2)) and required a huge number of changes, including moving all the event and documentation pages to the new design [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/acf3c33)] and migrating/merging the old `_layouts/page.html` into the new design [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/3798f0a)] too. This could then allow for many cleanups including moving/deleting files into cleaner directories, dropping a bunch of example layouts [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/c87784a)] and dropping the old "home" layout. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/6862829)]
+
+ * Added reports to the homepage. ([#16](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/16))
+
+ * Re-ordered and merged various top-level sections of the site to make the page easier to parse/navigate [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/0487cbb)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/22b6be0) and updated the documentation for [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) to clarify that the alternative `-r` call to `date(1)` is for compatibility with [BSD](https://en.wikipedia.org/wiki/Berkeley_Software_Distribution) variants of UNIX [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/e54666a)].
+
+ * Made a large number of visual fixups, particularly to accommodate the principles of [responsive web design](https://en.wikipedia.org/wiki/Responsive_web_design). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/80c0157)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/7fed3e5)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/b1a90ca)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/db5d1b5)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/4bbc4c2)]
+
+ * Updating the [lint](https://en.wikipedia.org/wiki/Lint_\(software\)) functionality of the build system to check for URIs that are not using `{{ "/foo/" | prepend: site.baseurl }}`-style relative URLs. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/ae43b80)]
+
+* Jelle van der Waa updated the [Events]({{ "/events/" | prepend: site.baseurl }}) page to correct invalid [Markdown](https://daringfireball.net/projects/markdown/) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ce6fce8)] and fixed a typo of "distribution" on a previous event page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/824434b)].
+
+* Thomas Vincent added a huge number of videos and slides to the [*Resources*]({{ "/resources/" | prepend: site.baseurl }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/816d66a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ec6758)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8efe14a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/334a2cf)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/303ecdb)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ad622a3)] etc. as well as added a button to link to subtitles [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/050a5f4)] and fixing a bug when displaying metadata links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5e00011)].
+
+In addition, Atharva Lele added the [Buildroot](https://buildroot.org/) embedded Linux project to the ["Who's involved"]({{ "/who/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/34dc835)]
+
+
+#### [`buildinfo.debian.net`](https://buildinfo.debian.net)
+
+[![]({{ "/images/reports/2019-06/buildinfo-debian-net.png#right" | prepend: site.baseurl }})](https://buildinfo.debian.net/)
+
+Chris Lamb significant time working on [`buildinfo.debian.net`](https://buildinfo.debian.net), his experiment into how to process, store and distribute `.buildinfo` files after the Debian archive software has processed them. This included:
+
+* Started making the move to Python 3.x (and [Django](https://www.djangoproject.com/) 2.x) [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/ef866349fab43000abd6e6115b1120e035f33bf9)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/c44c2eaf52defa599a67d1bc02e2e4a58a386e6e)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/d27540daeedab116f09e52e4bb186b97861e5d0e)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/9a68e9ab1aa13dd8550833dcab924c8818d3277f)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/ec475c64274e88244661f3f76374f453b562276c)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/c46e48bd52a89b0839a4a17728d6dd96be8a1bc5)][[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/0dcac1d682b151092bd2988b0bc442508c8bda17)], additionally performing a large number of adjacent cleanups including dropping the authentication framework [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/961be8b0b935f84f3c67804453c1508ff1751a5f)], fixing a number of [flake8](http://flake8.pycqa.org/) warnings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/6f1257b82c89c639ec694c37d7aa6d76fcae38be)], adding a `setup.cfg` to silence some warnings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/fc7bbc25b163c05a8ef1e74b3a77bf94a40ab30c)], moving to `__str__` and `str.format(...)` over `%`-style interpolation and `u"unicode"` strings [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/afc77977fa2ad376f828009f532be2581e3bd9b7)], etc.
+
+* Adding a number of (as-yet unreleased…) features, including caching the expensive landing page queries. [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/79f5e03946b8550ed41bdee5d811ef6ae846ba52)]
+
+* Taking the opportunity to start migrating the hosting from [its current GitHub home](https://gitlab.com/lamby/buildinfo.debian.net) to a [more-centralised repository on salsa.debian.org](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net), moving from the [Travis](https://travis-ci.org/) to the [GitLab](https://docs.gitlab.com/ee/ci/) continuous integration platform, updating the URL to the source in the footer [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/6648cc81fd6243019c8a6e51f828ddfa55dbd758)] and many other related changes [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/24f785113b63a0c2ef159ffd3162be1be72c7561)].
+
+* Applying the [Black](https://black.readthedocs.io/en/stable/) "uncompromising code formatter" to the codebase. [[...](https://salsa.debian.org/reproducible-builds/buildinfo.debian.net/commit/7d19e69ca93b1ac31d492f9b13e97f9fbd80870c)]
+
+#### Test framework
+
+We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). The following changes were done in the last month:
+
+* Alexander Couzens ([OpenWrt](https://openwrt.org)):
+ * Rewrite the database interaction routines for [OpenWrt](https://openwrt.org/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/380d632b)]
+ * Migrated the OpenWrt package parser to use Python 3.x as [Python 2.x will be reaching end-of-life](https://pythonclock.org/) at the end of this year. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23a2c60e)]
+ * Use `IGNORE_ERRORS=n y m` similiar to [Buildbot](https://buildbot.net/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/961e44ec)]
+
+* Holger Levsen:
+ * Show [Alpine](https://alpinelinux.org/)-related jobs on the job health page. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3d0a03a)]
+ * Alpine needs the [`jq`](https://stedolan.github.io/jq/) command-line JSON processor for the new scheduler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/518f4005)]
+ * Start a dedicated `README.development` file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db7a2b8d)]
+ * Add support for some nodes running Debian *buster* already. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/33fc2245)]
+
+* Jelle van der Waa:
+ * Change [Arch Linux](https://www.archlinux.org/) and Alpine `BLACKLIST` status to `blacklist` [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ab61da0)] and `GOOD` to `reproducible` [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5c62ea9d)] respectfully.
+ * Add a Jenkins job to generate Arch Linux HTML pages. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2f9aa5ab)]
+ * Fix the Arch Linux suites in the `reproducible.ini` file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fa8e9192)]
+ * Add an Arch JSON export Jenkins job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/033bc3e7)]
+ * Create per-distribution reproducible JSON files. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/20a7b86c)]
+
+* *kpcyrd* ([Alpine](https://alpinelinux.org/)):
+
+ * Start adding an Alpine theme. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1f5baa4d)]
+ * Add an Alpine website. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9a094dae)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ff75924c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8f59af7b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6f5b99c1)]
+ * Add `#alpine-reproducible` to the `KGB` chat bot. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d4f27f79)]
+ * Use the `apk` version instead of `vercmp`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/deb36b07)]
+ * Install/configure various parts of the chroot including passing in Git options [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/44a9116a)], adding the `abuild` group onto more servers [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/70b4466b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/94e0e647)], installing [GnuPG](https://gnupg.org/) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c057af34)]
+ * Build packages using its own scheduler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/da75876e)] [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a4639713)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a9debc77)]
+ * Misc maintenance and fixups. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/439af034)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cc03efb5)]
+
+* Mattia Rizzolo:
+ * Adjust the `setup_pbuilder` script to use `[check-valid-until=no]` instead of `Acquire::Check-Valid-Until` (re. ([#926242](https://bugs.debian.org/926242#92))). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5a51e8af)]
+
+
+#### Other tools
+
+[![]({{ "/images/reports/2019-06/diffoscope.svg#right" | prepend: site.baseurl }})](https://diffoscope.org)
+
+In [diffoscope](https://diffoscope.org) (our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues) Chris Lamb documented that `run_diffoscope` should not be considered a stable API [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/76319f9)] and adjusted the configuration to build [our the Docker image](https://salsa.debian.org/reproducible-builds/diffoscope/container_registry) from the current Git checkout, not the Debian archive [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/56)]
+
+Lastly, Chris Lamb added support for the clamp#ing of `tIME` chunks in `.png` files [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/7)] to [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism), our tool to remove specific non-deterministic results from a completed build.
+
+---
+
+## Misc news
+
+On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) continued conversation regarding [various questions about reproducible builds](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) and their bearing on building a distributed continuous integration system which received many replies (thread index for [May](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566) & [June](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/thread.html#1590)). In addition, Sebastian Huber asked whether [anyone has attempted a reproducible build of a GCC compiler itself](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001580.html).
+
+---
+
+If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+<br>
+
+---
+
+This months's report was written by Bernhard M. Wiedeman, Chris Lamb, Holger Levsen, Jelle van der Waa, *kpcyrd* & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
=====================================
_reports/2019-07.md
=====================================
@@ -1,5 +1,5 @@
---
-layout: new/report
+layout: report
year: "2019"
month: "07"
month_name: "July"
=====================================
bin/generate-draft
=====================================
@@ -102,7 +102,7 @@ def get_data(year, month, max_age=3600):
data.update({
'projects': PROJECTS,
- 'title': month_start.strftime('Reproducible Builds in %B %Y'),
+ 'month_year': month_start.strftime('%B %Y'),
'title_year': '{:04d}'.format(year),
'title_month': '{:02d}'.format(month),
})
=====================================
bin/generate-draft.template
=====================================
@@ -2,11 +2,11 @@
layout: report
year: "{{ title_year }}"
month: "{{ title_month }}"
-title: "{{ title }}"
+title: "Reproducible Builds in {{ month_year }}"
draft: true
---
-**Welcome to the {{ title_month }} {{ title_year }} report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
+**Welcome to the {{ month_year }} report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which we have been up to in and around the world of reproducible builds & secure toolchains over the past month.
As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
@@ -19,20 +19,28 @@ In this month's report, we will cover:
* **Misc news** — *From our mailing list, etc.*
* **Getting in touch** — *How to contribute, etc*
+If you are interested in contributing to our project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website.
+
---
## Media coverage
* FIXME
+---
+
## Upstream news
-* {{ packages_stats['added'] }} reviews of Debian packages were added, {{ packages_stats['updated'] }} were updated and {{ packages_stats['removed'] }} were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). FIXME issue types have been updated: {% for _, xs in issues_yml.items()|sort %}{% for x in xs %}[{{ x['title'] }}](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/{{ x['sha'] }}), {% endfor %}{% endfor %}
+* FIXME
+
+---
### Distribution work
In Debian, ...
+* {{ packages_stats['added'] }} reviews of Debian packages were added, {{ packages_stats['updated'] }} were updated and {{ packages_stats['removed'] }} were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). FIXME issue types have been updated: {% for _, xs in issues_yml.items()|sort %}{% for x in xs %}[{{ x['title'] }}](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/{{ x['sha'] }}), {% endfor %}{% endfor %}
+
---
## Software development
@@ -50,7 +58,7 @@ In addition, build failure bugs were reported by:
* {{ k }} ({{ v|length }}){% endfor %}{% endif %}
{% for project in projects %}
-### {{ project }}
+#### {{ project }}
{% for x in uploads[project] %}
{{ project }} version `{{ x['version'] }}` was [uploaded to Debian {{ x['distribution'] }}](https://tracker.debian.org/pkg/{{ project }}?FIXME) by {{ x['signed_by_name'] }}. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/{{ project }}/commits/{% if project != 'diffoscope' %}debian/{% endif %}{{ x['version'] }}) as well as new ones from:
@@ -62,22 +70,20 @@ In addition, build failure bugs were reported by:
---
-## **Misc news** — *From our mailing list, etc.*
+## Misc news
* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month: FIXME
---
-## Getting in touch
-
-If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
-
- * Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
+If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
* Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
<br>
---
=====================================
images/reports/2019-06/aimingforbullseye.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/aimingforbullseye.png differ
=====================================
images/reports/2019-06/buildinfo-debian-net.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/buildinfo-debian-net.png differ
=====================================
images/reports/2019-06/debconf19.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/debconf19.png differ
=====================================
images/reports/2019-06/debian.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/debian.png differ
=====================================
images/reports/2019-06/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ version="1.1"
+ width="128"
+ height="128"
+ id="svg2">
+ <defs
+ id="defs4" />
+ <metadata
+ id="metadata7">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+ id="layer1">
+ <g
+ id="g5409">
+ <g
+ transform="translate(5.418238,0)"
+ id="g5386">
+ <rect
+ width="90.304001"
+ height="50.999996"
+ x="316.36414"
+ y="472.80621"
+ id="rect4667-3"
+ style="fill:none;stroke:none" />
+ <g
+ id="text4673-8"
+ style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+ <path
+ d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5371"
+ style="fill:#c00000;fill-opacity:1" />
+ <path
+ d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5373"
+ style="fill:#c00000;fill-opacity:1" />
+ <path
+ d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5375"
+ style="fill:#c00000;fill-opacity:1" />
+ </g>
+ <g
+ id="text5366"
+ style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+ <path
+ d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5378" />
+ <path
+ d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5380" />
+ <path
+ d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5382" />
+ </g>
+ </g>
+ <use
+ id="use5399"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+ id="use5401"
+ style="opacity:0.85"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+ id="use5403"
+ style="opacity:0.7"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+ id="use5405"
+ style="opacity:0.55"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ </g>
+ </g>
+</svg>
=====================================
images/reports/2019-06/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/fedora.png differ
=====================================
images/reports/2019-06/intoto.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/intoto.png differ
=====================================
images/reports/2019-06/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/opensuse.png differ
=====================================
images/reports/2019-06/openwrt.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/openwrt.png differ
=====================================
images/reports/2019-06/profitbricks.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/profitbricks.png differ
=====================================
images/reports/2019-06/prototypefund.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/prototypefund.png differ
=====================================
images/reports/2019-06/reprobuilds-display.jpeg
=====================================
Binary files /dev/null and b/images/reports/2019-06/reprobuilds-display.jpeg differ
=====================================
images/reports/2019-06/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/reproducible-builds.png differ
=====================================
images/reports/2019-06/website.png
=====================================
Binary files /dev/null and b/images/reports/2019-06/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/4998bd1d331937de9240037c3cce4b5a7f9ed34f...aa0c8587a45354932e345e172f18f630c0e2133d
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/4998bd1d331937de9240037c3cce4b5a7f9ed34f...aa0c8587a45354932e345e172f18f630c0e2133d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20190702/58df922e/attachment.html>
More information about the rb-commits
mailing list