[Git][reproducible-builds/reproducible-website][master] 3 commits: Drop accidentally-committed /.jekyll-metadata file.

Chris Lamb gitlab at salsa.debian.org
Tue Jun 4 15:44:19 UTC 2019



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
d25dde87 by Chris Lamb at 2019-06-04T15:13:35Z
Drop accidentally-committed /.jekyll-metadata file.

- - - - -
2baac621 by Chris Lamb at 2019-06-04T15:14:10Z
Update report template.

- - - - -
c5f1a31e by Chris Lamb at 2019-06-04T15:44:02Z
2019-05: Initial draft.

- - - - -


11 changed files:

- .gitignore
- − .jekyll-metadata
- _reports/2019-05.md
- bin/generate-draft.template
- + images/reports/2019-05/debian.png
- + images/reports/2019-05/diffoscope.svg
- + images/reports/2019-05/notion.png
- + images/reports/2019-05/opensuse.png
- + images/reports/2019-05/reproducible-builds.png
- + images/reports/2019-05/trydiffoscope.png
- + images/reports/2019-05/website.png


Changes:

=====================================
.gitignore
=====================================
@@ -3,3 +3,4 @@
 #*
 .sass-cache
 /_site
+/.jekyll-metadata


=====================================
.jekyll-metadata deleted
=====================================
Binary files a/.jekyll-metadata and /dev/null differ


=====================================
_reports/2019-05.md
=====================================
@@ -2,39 +2,70 @@
 layout: new/report
 year: "2019"
 month: "05"
-month_name: "May"
+title: "Reproducible Builds in May 2019"
 draft: true
-title: "Reproducible builds in May 2019"
 ---
 
-* Luca Boccassi [proposed a change](https://salsa.debian.org/salsa-ci-team/pipeline/merge_requests/74) to repotest to not use the `nocheck` option to make more reproducibility issues visible.
+**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
 
-* Vagrant Cascadian [submitted a patch to u-boot](https://patchwork.ozlabs.org/patch/1093969/) fixing reproducibility when building a new type of compressed image. [merged in 2019.07-rc2](https://git.denx.de/?p=u-boot.git;a=commit;h=878e2a50b50199cb06ee28df53151e396a29d838).
+In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
 
-* [GNU Guix 1.0.0 released](https://www.gnu.org/software/guix/blog/2019/gnu-guix-1.0.0-released/)
+[![]({{ "/images/reports/2019-05/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
 
-* [FIXME](https://www.wired.com/story/barium-supply-chain-hackers/) wired reporting: A single group of hackers appears responsible for supply chain hacks of CCleaner, Asus, and more, planting backdoors on millions of machines.
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
 
-* [FIXME](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05) Mozilla Add-on Policies effective 2019-06-10 state: Add-ons may contain transpiled, minified or otherwise machine-generated code, but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
+In this months's report, we will cover:
 
-* [FIXME](https://www.youtube.com/watch?v=wRHi8Ui5vWA) PyCon 2019 talk: Building reproducible Python applications for secured environments
-    * [FIXME](https://twitter.com/bengerman13/status/1124782596582518784) also mentioned on twitter
+* **Media coverage** — *More supply chain attacks, Reproducible Builds on the conference circuit, etc.*
+* **Upstream news** — *Mozilla updating their add-on policy, etc.*
+* **Distribution work** — *Debian Installer progress, openSUSE updates, etc.*
+* **Software development** — *try.diffoscope.org rewrite, upstream patches, etc.*
+* **Misc news** — *From our mailing list, etc.*
+* **Getting in touch** — *How to contribute, etc.*
 
-* [FIXME](https://summerofcode.withgoogle.com/projects/#5992608243908608) Atharva Lele is going to work on reproducible builds for [buildroot](https://buildroot.org/) as part of Google Summer of Code.
+---
+
+## Media coverage
+
+* Adam Greenberg reported on [Wired](https://www.wired.com) about the [Barium](https://www.wired.com/story/barium-supply-chain-hackers/), detailing a single group of malicious actors who appear responsible for a veriety supply chain hacks of [CCleaner](https://www.ccleaner.com/), [Asus](https://www.asus.com/) and more, therefore planting backdoors on and gaining access to millions of machines.
+
+* The work of Chris Lamb in/around Debian's Reproducible Builds effort [won a Google Open Source Peer Bonus award](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html), a program with the goal of recognising and supporting the ecosystem and sustainability of free software by rewarding and recognising developers for their contributions to open source projects
+
+* Kushal Das presented at [PyCon](https://us.pycon.org/2019/about/) 2019 on [building reproducible Python applications for secured environments](https://www.youtube.com/watch?v=wRHi8Ui5vWA). In the talk, Kushal argues that validating the dependencies of project is very critical along with the actual project source code, referring to incidents where people were [able to steal bticoins using a popular library](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/). His talk uses the [SecureDrop client application](https://github.com/freedomofpress/securedrop-client) for journalists as an example project and see how he tried to tackle the similar problem.
+
+* [GitHub](https://github.com/) announced [adding a package registry feature](https://github.com/features/package-registry) which [suggest but alas not guarantee](https://github.com/ipfs/package-managers/issues/55) a strong link between the Git repository and the published packages, highlighting the need for Reproducible Builds.
+
+* [Andrew Martin](https://www.binarysludge.com/) [published his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) for his talk titled [*Rootless, Reproducible and Hermetic: Secure Container Build Showdown*](https://www.youtube.com/watch?v=IpMPRC-ybJI) that he gave at [KubeCon 2019](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2019/).
+
+---
 
-* lists.r-b.o changed home; thanks to [potager.org](https://potager.org/) for hosting us all this time. Also many thanks to Profitbricks for hosting our new mailserver, mail.r-b.o.
+## Upstream news
 
-* [FIXME](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html) The work of Chris Lamb for Debian's Reproducible Builds won one of the Google Open Source Peer Bonus awards.
+* The [IPFS](https://ipfs.io) "[Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme)" is [gathering research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to the Reproducible Builds effort.
 
-* Arnout Engelen created a [patch](https://github.com/raboof/notion/pull/100) to make the binary of the Notion window manager for X11 reproducible.
+* [Mozilla](https://www.mozilla.org)'s update "Add-on Policy" document for the [Firefox web browser](https://www.mozilla.org/en-GB/firefox/) now [dictates that add-ons may contain "transpiled, minified or otherwise machine-generated code"](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05), but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
 
-* GitHub announced adding a [package registry feature](https://github.com/features/package-registry), which [suggest but not guarantee](https://github.com/ipfs/package-managers/issues/55) a strong link between the git repo and the published packages, highlighting the need for Reproducible Builds.
+* Atharva Lele is going to work on reproducible builds for the [Buildroot](https://buildroot.org/) embedded Linux project as part of [Google Summer of Code](https://summerofcode.withgoogle.com/), [ensuring that two instances of buildroot running with the same configuration for the same device yield the same result](https://summerofcode.withgoogle.com/projects/#5992608243908608).
 
-* The [IPFS](https://ipfs.io) [Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme) is gathering [research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to Reproducible Builds.
+---
+
+### Distribution work
+
+[![]({{ "/images/reports/2019-05/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
+
+Holger Levsen filed a wishlist request requesting that `.buildinfo` build attestation documents from the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS/) project [are also distributed by the build/archive infrastructure](https://bugs.debian.org/929397) so that the reproducibility status of these security packages can be validated.
 
 Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-05/msg00341.html) for the [openSUSE](https://opensuse.org/) distribution.
 
-* [FIXME](https://twitter.com/sublimino/status/1130778400761831424) Andrew Martin published [his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) on a talk titled "Rootless, Reproducible, and Hermetic: Secure Container Build Showdown"
+[![]({{ "/images/reports/2019-05/debian.png#left" | prepend: site.baseurl }})](https://debian.org/)
+
+There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debiah-installer/) images reproducible. Following-on from last months, [Chris Lamb](https://chris-lamb.co.uk/) performed some further testing of the generated images and [requested a status update](https://bugs.debian.org/926242#67) which resulted in a call for testing the [possible removal of a now-obsolete workaround](https://bugs.debian.org/926242#87) that is hindering progress.
+
+68 reviews of Debian packages were added, 30 were updated and 11 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb discovered, identified and triaged two new issue types, the first identifying randomness in [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) `.uuid` files [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0b9e9668) and another [`randomness_in_output_from_perl_deparse`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/430c2d21).
+
+Finally,[GNU Guix](https://www.gnu.org/software/guix) announced its [1.0.0 release](https://www.gnu.org/software/guix/blog/2019/gnu-guix-1.0.0-released/).
+
+---
 
 ## Software development
 
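Review bot: Two links in the new "Distribution work" section are malformed. The Debian Installer URL is spelled `https://www.debian.org/devel/debiah-installer/` (should be `debian-installer`), and the Fontconfig `.uuid` reference opens with `[[...](` but never closes the outer bracket, so it should end `)]`. The section is also introduced with `### Distribution work` while its siblings (`## Media coverage`, `## Upstream news`, `## Software development`) are level two, so it will nest under "Upstream news" in the rendered outline; make it `##`. Wording slips to fix while `draft: true` is still set: "things which have been up to" (missing "we"), "In this months's report", "about the [Barium]" with no noun following, "veriety", "bticoins" and "Finally,[GNU Guix]" (missing space).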
@@ -42,39 +73,150 @@ Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](htt
 
 The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
+[![]({{ "/images/reports/2019-05/notion.png#right" | prepend: site.baseurl }})](https://notionwm.net/)
+
+* Arnout Engelen [authored a pull request](https://github.com/raboof/notion/pull/100) to make the binary of the [Notion window manager](https://notionwm.net/) reproducible.
+
 * Bernhard M. Wiedemann:
-    * [zip](https://build.opensuse.org/request/show/700402) (add SDE clamping of mtime; [also submitted upstream](https://sourceforge.net/p/infozip/patches/25/) and [distropatches](https://github.com/distropatches/zip/commits/opensuse))
-    * [plata-theme](https://gitlab.com/tista500/plata-theme/merge_requests/3) (zip mtime)
-    * [nulloy](https://github.com/nulloy/nulloy/pull/149) (.zip timestamps)
-    * [DVDStyler](https://sourceforge.net/p/dvdstyler/DVDStyler/merge-requests/1/) (.zip ctime)
-    * [fs-uae](https://build.opensuse.org/request/show/701063) ([already upstream](https://github.com/FrodeSolheim/fs-uae/pull/182) ; zip order, date/mtime)
-    * [mvapich2](https://build.opensuse.org/request/show/705701) (sort readdir [already upstream](http://mailman.cse.ohio-state.edu/pipermail/mvapich-discuss/2019-April/006837.html))
-    * [mrrescue](https://build.opensuse.org/request/show/701742) (zip -X mtime)
-    * [gnome-builder](https://build.opensuse.org/request/show/701094) (drop environment.pickle)
-    * [python-Fabric3](https://build.opensuse.org/request/show/702815) (workaround FTBFS -j1)
-    * [python-rjsmin](https://build.opensuse.org/request/show/703832) (disable profiling)
-    * [gettext-runtime](https://build.opensuse.org/request/show/705693) (use `S_D_E`)
-    * [pithos](https://build.opensuse.org/request/show/706096) (make noarch .pyc files)
-    * [python-ovirt-engine-sdk](https://gerrit.ovirt.org/100278) (Sort input file list)
-    * [osc](https://github.com/openSUSE/osc/issues/547) (report multibuild dep bug hindering openSUSE reproducible builds)
-    * [python-nbconvert](https://bugzilla.opensuse.org/show_bug.cgi?id=1136099) (FTBFS -j1)
-    * [python3-saml](https://github.com/onelogin/python3-saml/pull/140) (fix FTBFS-2020)
+    * [dvdstyler](https://sourceforge.net/p/dvdstyler/DVDStyler/merge-requests/1/) (`.zip` [ctime](https://en.wikipedia.org/wiki/Ctime))
+    * [fs-uae](https://build.opensuse.org/request/show/701063) ([already filed upstream](https://github.com/FrodeSolheim/fs-uae/pull/182); zip order, date/`mtime`)
+    * [gettext-runtime](https://build.opensuse.org/request/show/705693) (Use the [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) environment variable)
+    * [gnome-builder](https://build.opensuse.org/request/show/701094) (Drop `environment.pickle` file)
+    * [mrrescue](https://build.opensuse.org/request/show/701742) (`zip -X` modification time)
+    * [mvapich2](https://build.opensuse.org/request/show/705701) (Sort `readdir(2)` call, [already filed upstream](http://mailman.cse.ohio-state.edu/pipermail/mvapich-discuss/2019-April/006837.html))
+    * [nulloy](https://github.com/nulloy/nulloy/pull/149) (`.zip` timestamps)
+    * [osc](https://github.com/openSUSE/osc/issues/547) (Dependency bug hindering openSUSE reproducible builds)
+    * [pithos](https://build.opensuse.org/request/show/706096) (mark `.pyc` files as "no architecture")
+    * [plata-theme](https://gitlab.com/tista500/plata-theme/merge_requests/3) (zip `mtime`)
+    * [python-Fabric3](https://build.opensuse.org/request/show/702815) (Workaround FTBFS `-j1`)
     * [python-keystonemiddleware](https://review.opendev.org/657780) (Make tests pass in 2020)
-    * [python-requests-toolbelt](https://github.com/requests/toolbelt/issues/270) (report FTBFS-2021)
+    * [python-nbconvert](https://bugzilla.opensuse.org/show_bug.cgi?id=1136099) (Fails to build in single-process, `-j1`, mode)
+    * [python-ovirt-engine-sdk](https://gerrit.ovirt.org/100278) (Sort input file list)
+    * [python-requests-toolbelt](https://github.com/requests/toolbelt/issues/270) (Does not build in the year 2021)
+    * [python-rjsmin](https://build.opensuse.org/request/show/703832) (Disable profiling)
+    * [python3-saml](https://github.com/onelogin/python3-saml/pull/140) (Does not build in the year 2020)
+    * [zip](https://build.opensuse.org/request/show/700402) (Add `SOURCE_DATE_EPOCH` clamping of modification times; [also submitted upstream](https://sourceforge.net/p/infozip/patches/25/) and in [distropatches](https://github.com/distropatches/zip/commits/opensuse))
+
+* Chris Lamb:
+    * [#836609](https://bugs.debian.org/836609) re-opened for [nostalgy](https://tracker.debian.org/pkg/nostalgy).
+    * [#928329](https://bugs.debian.org/928329) filed against [fonts-ipaexfont](https://tracker.debian.org/pkg/fonts-ipaexfont).
+    * [#929208](https://bugs.debian.org/929208) filed against [xorg-gtest](https://tracker.debian.org/pkg/xorg-gtest).
+    * [#929609](https://bugs.debian.org/929609) filed against [ndpi](https://tracker.debian.org/pkg/ndpi).
+    * [#929791](https://bugs.debian.org/929791) filed against [ghmm](https://tracker.debian.org/pkg/ghmm).
+    * [#929793](https://bugs.debian.org/929793) filed against [liblopsub](https://tracker.debian.org/pkg/liblopsub).
+
+Finally, Vagrant Cascadian [submitted a patch](https://patchwork.ozlabs.org/patch/1093969/) for [u-boot](https://www.denx.de/wiki/U-Boot/) boot loader fixing reproducibility when building a new type of compressed image. This [was subsequently merged in version `2019.07-rc2`](https://git.denx.de/?p=u-boot.git;a=commit;h=878e2a50b50199cb06ee28df53151e396a29d838).
+
+#### diffoscope
+
+[![]({{ "/images/reports/2019-05/diffoscope.svg#right" | prepend: site.baseurl }})](https://diffoscope.org)
+
+[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. It does not define reproducibility, but rather provides a helpful and human-readable guidance for packages that are not reproducible, rather than relying essentially-useless diffs.
+
+* Chris Lamb:
+
+    * Support the latest [PyPI](https://pypi.org/) package repository upload requirements by using real [reStructuredText](http://docutils.sourceforge.net/rst.html) comments instead of the `raw` directive [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/edb01aa)] and by stripping out manpage-only parts of the `README` rather than using the `only` directive [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/d06d065)].
+
+    * Fix execution of symbolic links that point to the `bin/diffoscope` entry point in a checked-out version of our Git repository by fully resolving the location as part of dynamically calculating Python's module include path. [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/afc63b3)]
+
+    * Add a [Dockerfile](https://docs.docker.com/engine/reference/builder/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/2c37397)] with various subsequent fixups [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/2cb8206)][[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/8f67fcb)][[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/ba4b2ae)].
+
+    * Published the resulting Docker image in [diffoscope's container registry](https://salsa.debian.org/reproducible-builds/diffoscope/container_registry) and updated the [diffoscope homepage](https://diffoscope.org/) to provide "quick start" instructions on how to use diffoscope via this image.
+
+* Mattia Rizzolo:
+
+    * Uploaded version `115` [to Debian experimental](https://tracker.debian.org/news/1040177/accepted-diffoscope-115-source-all-into-experimental/).
+    * Adjust various build and test-dependencies, including specifing the [ffmpeg](https://ffmpeg.org/) video encoding tool/library and the [Black](https://ffmpeg.org/) code formatter [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0eddfab)] in the build-dependenciess [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d2d3dec)] and reinstating the [oggvideotools](https://sourceforge.net/projects/oggvideotools/) and `procyon-decompiler` as test dependencies, now that are no-longer buggy [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6940757)], etc.
+    * Make the Debian autopkgtests not fail when a limited subset of "required tools" are temporarily unavailable. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f584fa2)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3d74240)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2e11182)]
+
+In addition, Santiago Torres altered the behavour of the tests to ensure compatibility with various versions of [file(1)]() [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0f02296)] and Vagrant Cascadian added support for various external tools in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f3416f)] and updated the version of *diffoscope* in that distribution [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06)].
+
 
-* a discussion on reproducible / verifyable neuronal networks:
-    * [FIXME](https://lists.debian.org/7ba5a9c7-a58e-e173-a99b-28f1dfc3deae@cohens.org.il)
+#### try.diffoscope.org
 
-    * [FIXME](https://salsa.debian.org/lumin/deeplearning-policy) and specifically https://salsa.debian.org/lumin/deeplearning-policy#neural-network-reproducibility
+[![]({{ "/images/reports/2019-05/trydiffoscope.png#right" | prepend: site.baseurl }})](https://try.diffoscope.org/)
 
-    * ['The reproducible builds world has gotten a lot further with bit-for-bit identical builds than I ever imagined they would.'](https://lists.debian.org/debian-devel/2019/05/msg00355.html)
+Chris Lamb made a large number of following changes to the web-based ("no installation required") version of the *[diffoscope](https://diffoscope.org)* tool, [try.diffoscope.org](https://try.diffoscope.org):
 
-* [#929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master](https://bugs.debian.org/929397)
+* Ported the entire site to Python 3 and [Django](https://www.djangoproject.com/) 2.x as [Python 2.x is due for deprecation](https://pythonclock.org/). This required updates to a huge number of parts around the site including but not limited to completely reconfiguring and integrating the [Celery](http://www.celeryproject.org/) queue processor, all the string formatting, etc.
 
-* [reopened](https://bugs.debian.org/836609)
+* Moved to using the published/public [Docker](https://www.docker.com/) image to execute builds instead rolling our own container.
 
-* [FIXME](https://bugs.debian.org/926242#67)
+* Updated and upgraded the underlying operating system to the Debian *stable* distribution.
 
-* [FIXME](https://salsa.debian.org/reproducible-builds/reproducible-website/merge_requests/33) added concise `S_D_E` C code snippet
+* Moved the [canonical Git repository](https://salsa.debian.org/reproducible-builds/try.diffoscope.org) from Github to the [Reproducible Builds group on salsa.debian.org](https://salsa.debian.org/reproducible-builds/try.diffoscope.org), requiring moving to Gitlab's own [continuous integration (CI) support](https://docs.gitlab.com/ee/ci/) from [Travis CI](https://travis-ci.org/), working around the aggressive firewall (exclusively outgoing ports 80/443) applied to the [Salsa](https://salsa.debian.org/)-based CI runners.
+
+* Avoid having to update the [Let's Encrypt](https://letsencrypt.org/)-provided SSL certificate manually every 90 days by moving to using [Certbot](https://certbot.eff.org/about/) in `--auto` mode.
+
+#### Test framework
+
+We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). The following changes were done in the last month:
+
+* Holger Levsen made the following ([Debian](https://www.debian.org/)-related changes):
+
+    * Reduce the number of `cron(8)` mails for synchronising `.buildinfo` files from eight to one per day. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/40571647)]
+    * Run `rsync2buildinfos.debian.net` script every other hour now that it just produces one mail per day. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/67c819fb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9db63b7b)]
+    * Execute the package scheduler every 2 hours (instead of 3). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bb9b49f2)]
+    * Switch the [Codethink](https://www.codethink.co.uk/) and OSUOSL nodes to use our updated email relay system. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/45532738)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/88bd5987)]
+    * Deal with the (rare) cases of `.buildinfo` files with the same name. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7d6f107)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/951dd1c0)]
+    * Save and mail the package scheduler results once a day instead of mailing ~8 times a day. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5e3f7d34)]
+
+* In addition, Holger Levsen made the following distribution-agnositic changes:
+
+    * Notify the `#reproducible-builds` (not `#debian-reproducible`) about Jenkins rebooting and send notifications about offline hosts to this former channel. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a51ffc69)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c9d322ef)]
+    * Prevent the Jenkins log from growing to over 100G in size. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8f21110b)]
+
+* Mattia Rizzolo:
+
+    * Use a special code so that remote builds can abort themselves by passing back the command to the "master". [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/17303def)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/33ea96a3)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/923d22a2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8f807691)]
+    * Fix a pattern matching bug to ensure all "zombie" processes are found. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/33fa12bb)]
+    * [flake8](http://flake8.pycqa.org/en/latest/) the `chroot-installation.yaml.py` file. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/839af096)]
+    * Set a known [HTTP User Agent](https://en.wikipedia.org/wiki/User_agent#Use_in_HTTP) for Git, so that server can recognise us. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c93bdaeb)]
+    * Allow network access for the [`debian-installer-netboot-images`](https://tracker.debian.org/pkg/debian-installer-netboot-images) Debian package. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f1e641b8)]
+
+Finally, Vagrant Cascadian removed the deprecated `--buildinfo-id` from the `pbuilder(8)` configuration. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6376dd4a)] and Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08b024a2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/63cff4ef)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/941f6fd1)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/db0e4ecc)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5f59a8f8)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2401e4ee)]
+Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd86f22e)] and Vagrant Cascadian all performed a large amount of build node maintenance, system & Jenkins administration.
+
+#### Project website
+
+[![]({{ "/images/reports/2019-05/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
+
+Chris Lamb added various fixes for larger/smaller screens [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/edef6f8)], added a logo suitable for printing physical pin badges [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/d78fd45)] and refreshed the opening copy text on our [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch) page.
+
+Bernhard M. Wiedemann then [documented a more consise C code example](https://reproducible-builds.org/docs/source-date-epoch/#c) for parsing the `SOURCE_DATE_EPOCH` environment variable [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/547732f)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1efd6f)] and Holger Levsen added a [link to a specific bug](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) blocking progress in [openSUSE](https://opensuse.org/) to our [*Who is involved?*](https://reproducible-builds.org/who/) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d9f4bce)].
+
+---
+
+## Misc news
+
+* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) asked [various questions about reproducible builds and their bearing on building a distributed continuous integration system](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) which had many replies ([view thread index](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566)).
+
+* The server powering [`lists.reproducible-builds.org`](http://lists.reproducible-builds.org/) changed home. Thanks to [`potager.org`](https://potager.org/) for hosting us all this time and many thanks to [Profitbricks](https://www.profitbricks.com) for hosting our new mail server.
+
+* Mo Zhou wrote a [detailed policy for deep learning software](https://salsa.debian.org/lumin/deeplearning-policy) for the [Debian](https://debian.org) distribution which touches on the reproducibility of data models.
+
+Lastly, Sam Hartman, the current [Debian Project Leader](https://www.debian.org/devel/leader), wrote on the [`debian-devel`](https://lists.debian.org/debian-devel) mailing list:
+
+> The reproducible builds world has gotten a lot further with bit-for-bit identical builds than I ever imagined they would. [[...](https://lists.debian.org/debian-devel/2019/05/msg00355.html)]
+
+Thanks, Sam!
+
+
+---
+
+## Getting in touch
+
+If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+<br>
+
+---
 
-* Vagrant Cascadian [updated diffoscope in GNU Guix](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06).
+This month's report was written by Arnout Engelen, Bernhard M. Wiedemann, [Chris Lamb](https://chris-lamb.co.uk/), [Holger Levsen](http://layer-acht.org/thinking/), Mattia Rizzolo and Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
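Review bot: Two link targets in the diffoscope section are wrong. The Black code formatter entry points at `https://ffmpeg.org/`, the same target as the ffmpeg link just before it, and `[file(1)]()` has an empty target, so one sends readers to the wrong project and the other renders as a dead link. Give Black its own URL, and either supply a target for file(1) or turn it into plain inline code. The closing paragraph of "Test framework" also reads as broken: the sentence ends at "configuration." and then continues "and Holger Levsen ... Mattia Rizzolo ... and Vagrant Cascadian all performed" across a line break. Start a new sentence at "Holger Levsen" and add the missing comma before "Mattia Rizzolo". Minor spelling: "specifing", "build-dependenciess", "behavour", "consise", "distribution-agnositic", and "contributing the Reproducible Builds project" is missing "to".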


=====================================
bin/generate-draft.template
=====================================
@@ -6,11 +6,40 @@ title: "{{ title }}"
 draft: true
 ---
 
-* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month: FIXME
+**Welcome to the {{ title_month }} {{ title_year }} report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
+
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
+
+In this months's report, we will cover:
+
+* **Media coverage** — *FIXME, etc.*
+* **Upstream news** — *FIXME, etc.*
+* **Distribution work** — *FIXME, etc.*
+* **Software development** — *FIXME, etc.*
+* **Misc news** — *From our mailing list, etc.*
+* **Getting in touch** — *How to contribute, etc*
+
+---
+
+## Media coverage
+
+* FIXME
+
+## Upstream news
 
 * {{ packages_stats['added'] }} reviews of Debian packages were added, {{ packages_stats['updated'] }} were updated and {{ packages_stats['removed'] }} were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). FIXME issue types have been updated: {% for _, xs in issues_yml.items()|sort %}{% for x in xs %}[{{ x['title'] }}](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/{{ x['sha'] }}), {% endfor %}{% endfor %}
 
-## Packages reviewed and fixed, and bugs filed
+### Distribution work
+
+In Debian, ...
+
+---
+
+## Software development
+
+#### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 {% for x, ys in patches.items()|sort %}* {{ x }}:
 {% for y in ys %}    * [#{{ y['id'] }}](https://bugs.debian.org/{{ y['id'] }}) filed against [{{ y['source'] }}](https://tracker.debian.org/pkg/{{ y['source'] }}).
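
Review bot: the `packages_stats` line about reviews of Debian packages stays as unchanged context directly under the new `## Upstream news` heading, while the new `### Distribution work` section after it holds only "In Debian, ..."; move the Debian statistics under Distribution work and make that heading `##` so it matches the other sections and the contents list. In the added intro, "which have been up to" is missing its subject ("which we have been up to"), "behind reproducible builds effort" needs "the", and "In this months's report" should be "In this month's report". "This month, we wrote a large number of such patches" is hard-coded, so the template will say it even in a month with few patches.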
@@ -21,7 +50,7 @@ In addition, build failure bugs were reported by:
 * {{ k }} ({{ v|length }}){% endfor %}{% endif %}
 
 {% for project in projects %}
-## {{ project }} development
+### {{ project }}
 {% for x in uploads[project] %}
 {{ project }} version `{{ x['version'] }}` was [uploaded to Debian {{ x['distribution'] }}](https://tracker.debian.org/pkg/{{ project }}?FIXME) by {{ x['signed_by_name'] }}. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/{{ project }}/commits/{% if project != 'diffoscope' %}debian/{% endif %}{{ x['version'] }}) as well as new ones from:
 
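
Review bot: `### {{ project }}` now comes after `#### Upstream patches` from the previous hunk, so under `## Software development` the patch list sits one level deeper than the per-project sections that follow it; use `###` for both. The unchanged tracker link on the next line still ends in `?FIXME` inside a URL, where it is easy to miss in a rendered draft; a visible FIXME in the sentence text would be safer.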
@@ -33,4 +62,24 @@ In addition, build failure bugs were reported by:
 
 ---
 
+## **Misc news** — *From our mailing list, etc.*
+
+* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month: FIXME
+
+---
+
+## Getting in touch
+
+If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+<br>
+
+---
+
 This months's report was written by {{ author }} & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.
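
Review bot: the new `## **Misc news**` heading carries the bold markup and the italic "From our mailing list, etc." description copied from the contents list, where every other section heading is a plain title; `## Misc news` would match them and give a clean anchor. The closing context line still reads "This months's report", which the 2019-05 report in this push corrects by hand to "This month's", so fixing it here saves repeating that each month. "contributing the Reproducible Builds project" is missing "to" in this copy as well.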


=====================================
images/reports/2019-05/debian.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/debian.png differ


=====================================
images/reports/2019-05/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   version="1.1"
+   width="128"
+   height="128"
+   id="svg2">
+  <defs
+     id="defs4" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+     id="layer1">
+    <g
+       id="g5409">
+      <g
+         transform="translate(5.418238,0)"
+         id="g5386">
+        <rect
+           width="90.304001"
+           height="50.999996"
+           x="316.36414"
+           y="472.80621"
+           id="rect4667-3"
+           style="fill:none;stroke:none" />
+        <g
+           id="text4673-8"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5371"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5373"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5375"
+             style="fill:#c00000;fill-opacity:1" />
+        </g>
+        <g
+           id="text5366"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5378" />
+          <path
+             d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5380" />
+          <path
+             d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5382" />
+        </g>
+      </g>
+      <use
+         id="use5399"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+         id="use5401"
+         style="opacity:0.85"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+         id="use5403"
+         style="opacity:0.7"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+         id="use5405"
+         style="opacity:0.55"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+    </g>
+  </g>
+</svg>
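
Review bot: the file is committed as raw Inkscape output: `<dc:title>` is empty, the `text4673-8` and `text5366` groups carry font and text properties (`font-family:Inconsolata`, `-inkscape-font-specification`, `writing-mode`) although they contain only `<path>` elements, and each `<use>` sets `width="744.09448"` and `height="1052.3622"`, which have no effect when the referenced element is a `<g>`. Setting a title and stripping the unused attributes would shrink the file and the diff without changing the rendering.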


=====================================
images/reports/2019-05/notion.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/notion.png differ


=====================================
images/reports/2019-05/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/opensuse.png differ


=====================================
images/reports/2019-05/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/reproducible-builds.png differ


=====================================
images/reports/2019-05/trydiffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/trydiffoscope.png differ


=====================================
images/reports/2019-05/website.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/6bbbe9577978b3b31fed6ece84142dc4661df82d...c5f1a31e9adfb28419e5b19f7df373a331a90b0f
