[Git][reproducible-builds/reproducible-website][master] 2 commits: Add a bit more padding.

Chris Lamb gitlab at salsa.debian.org
Thu Jun 6 09:05:48 UTC 2019



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
1af96f9e by Chris Lamb at 2019-06-06T09:05:14Z
Add a bit more padding.

- - - - -
73b7ed54 by Chris Lamb at 2019-06-06T09:05:23Z
2019-05: Rework draft.

- - - - -


8 changed files:

- _reports/2019-05.md
- assets/styles/custom.scss
- + images/reports/2019-05/buildroot.png
- + images/reports/2019-05/irc.png
- + images/reports/2019-05/kubecon.png
- + images/reports/2019-05/profitbricks.png
- + images/reports/2019-05/u-boot.png
- + images/reports/2019-05/wired.png


Changes:

=====================================
_reports/2019-05.md
=====================================
@@ -6,46 +6,52 @@ title: "Reproducible Builds in May 2019"
 draft: true
 ---
 
-**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
-
-In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
-
 [![]({{ "/images/reports/2019-05/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
 
-As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
+**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
+
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no malicious flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
 
 In this month's report, we will cover:
 
-* **Media coverage** — *More supply chain attacks, Reproducible Builds on the conference circuit, etc.*
-* **Upstream news** — *Mozilla updating their add-on policy, etc.*
-* **Distribution work** — *Debian Installer progress, openSUSE updates, etc.*
-* **Software development** — *try.diffoscope.org rewrite, upstream patches, etc.*
+* **Media coverage** — *More supply chain attacks, Reproducible Builds at conferences, etc.*
+* **Upstream news** — *Mozilla updates their add-on policy, etc.*
+* **Distribution work** — *Debian Installer progress, openSUSE updates.*
+* **Software development** — *A try.diffoscope.org rewrite, more upstream patches, etc.*
 * **Misc news** — *From our mailing list, etc.*
-* **Getting in touch** — *How to contribute, etc.*
+* **Getting in touch** — *How to contribute, contact details, etc.*
+
+If you are interested in contributing to our project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website.
 
 ---
 
 ## Media coverage
 
-* Adam Greenberg reported on [Wired](https://www.wired.com) about the [Barium](https://www.wired.com/story/barium-supply-chain-hackers/), detailing a single group of malicious actors who appear responsible for a variety supply chain hacks of [CCleaner](https://www.ccleaner.com/), [Asus](https://www.asus.com/) and more, therefore planting backdoors on and gaining access to millions of machines.
+[![]({{ "/images/reports/2019-05/wired.png#right" | prepend: site.baseurl }})](https://www.wired.com/)
 
-* The work of Chris Lamb in/around Debian's Reproducible Builds effort [won a Google Open Source Peer Bonus award](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html), a program with the goal of recognising and supporting the ecosystem and sustainability of free software by rewarding and recognising developers for their contributions to open source projects
+* Adam Greenberg reported on [Wired](https://www.wired.com) about the "mysterious hacker group" [Barium](https://www.wired.com/story/barium-supply-chain-hackers/), detailing a single group of malicious actors who appear responsible for a variety supply chain attacks of [CCleaner](https://www.ccleaner.com/), [Asus](https://www.asus.com/) and more, planting backdoors on & gaining access to millions of end-user machines.
 
-* Kushal Das presented at [PyCon](https://us.pycon.org/2019/about/) 2019 on [building reproducible Python applications for secured environments](https://www.youtube.com/watch?v=wRHi8Ui5vWA). In the talk, Kushal argues that validating the dependencies of the project is very critical along with the actual project source code, referring to incidents where people were [able to steal bitcoins using a popular library](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/). His talk uses the [SecureDrop client application](https://github.com/freedomofpress/securedrop-client) for journalists as an example project and see how he tried to tackle the similar problem.
+* The work of Chris Lamb in/around Debian's Reproducible Builds effort [was awarded a Google Open Source Peer Bonus award](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html), a program with the goal of recognising and supporting the ecosystem and sustainability of free software by recognising developers for their contributions to open source projects.
 
-* [GitHub](https://github.com/) announced [adding a package registry feature](https://github.com/features/package-registry) which [suggest but alas not guarantee](https://github.com/ipfs/package-managers/issues/55) a strong link between the Git repository and the published packages, highlighting the need for Reproducible Builds.
+* Kushal Das presented at [PyCon](https://us.pycon.org/2019/about/) 2019 on [building reproducible Python applications for secured environments](https://www.youtube.com/watch?v=wRHi8Ui5vWA). Here, Kushal argues that validating the dependencies of the project is as critical as actual project source code, referring to incidents where actors [were able to steal bitcoins using a popular library](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/). His talk uses the [SecureDrop client application](https://github.com/freedomofpress/securedrop-client) for journalists as an example project to see how to tackle the more general problem.
 
-* [Andrew Martin](https://www.binarysludge.com/) [published his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) for his talk titled [*Rootless, Reproducible and Hermetic: Secure Container Build Showdown*](https://www.youtube.com/watch?v=X_Sb96EKFPA) that he gave at [KubeCon 2019](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2019/).
+[![]({{ "/images/reports/2019-05/kubecon.png#right" | prepend: site.baseurl }})](https://www.youtube.com/watch?v=X_Sb96EKFPA)
+
+* [GitHub](https://github.com/) announced [adding a package registry feature](https://github.com/features/package-registry) which "[suggest but alas not guarantee](https://github.com/ipfs/package-managers/issues/55)" a strong link between the Git repository and the published packages, highlighting the need for Reproducible Builds in this area.
+
+* [Andrew Martin](https://www.binarysludge.com/) has [published his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) for his talk entitled [*Rootless, Reproducible and Hermetic: Secure Container Build Showdown*](https://www.youtube.com/watch?v=X_Sb96EKFPA) that he gave at [KubeCon 2019](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2019/).
 
 ---
 
 ## Upstream news
 
-* The [IPFS](https://ipfs.io) "[Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme)" is [gathering research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to the Reproducible Builds effort.
+The [IPFS](https://ipfs.io) "[Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme)" is [gathering research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to the Reproducible Builds effort.
+
+[![]({{ "/images/reports/2019-05/buildroot.png#right" | prepend: site.baseurl }})](https://buildroot.org/)
 
-* [Mozilla](https://www.mozilla.org)'s update "Add-on Policy" document for the [Firefox web browser](https://www.mozilla.org/en-GB/firefox/) now [dictates that add-ons may contain "transpiled, minified or otherwise machine-generated code"](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05), but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
+Atharva Lele plans to work on reproducible builds for the [Buildroot](https://buildroot.org/) embedded Linux project as part of [Google Summer of Code](https://summerofcode.withgoogle.com/), [ensuring that two instances of buildroot running with the same configuration for the same device yield the same result](https://summerofcode.withgoogle.com/projects/#5992608243908608).
 
-* Atharva Lele is going to work on reproducible builds for the [Buildroot](https://buildroot.org/) embedded Linux project as part of [Google Summer of Code](https://summerofcode.withgoogle.com/), [ensuring that two instances of buildroot running with the same configuration for the same device yield the same result](https://summerofcode.withgoogle.com/projects/#5992608243908608).
+[Mozilla](https://www.mozilla.org)'s latest update to the [Firefox](https://www.mozilla.org/en-GB/firefox/) add-on policy [now dictates that add-ons may contain "transpiled, minified or otherwise machine-generated code"](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05) but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
 
 ---
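Review bot: the rewritten intro paragraph in this hunk keeps the original's broken clause "the most important things which have been up to in and around the world of reproducible builds"; it needs a subject, e.g. "the most important things we have been up to in and around the world of reproducible builds". In the same hunk the Barium bullet reads "a variety supply chain attacks of CCleaner, Asus and more", which is missing "of" after "variety" ("a variety of supply chain attacks on CCleaner, Asus and more"), and the recap paragraph should read "the motivation behind the reproducible builds effort". Please also verify the reporter's first name against the byline of the linked Wired story (it is Andy Greenberg, not Adam) before the draft is published.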
 
@@ -53,15 +59,15 @@ In this month's report, we will cover:
 
 [![]({{ "/images/reports/2019-05/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
 
-Holger Levsen filed a wishlist request requesting that `.buildinfo` build attestation documents from the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS/) project [are also distributed by the build/archive infrastructure](https://bugs.debian.org/929397) so that the reproducibility status of these security packages can be validated.
-
 Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-05/msg00341.html) for the [openSUSE](https://opensuse.org/) distribution.
 
+Holger Levsen filed a wishlist request requesting that Debian's `.buildinfo` build environment specification documents from the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS/) project are [also distributed by the build/archive infrastructure](https://bugs.debian.org/929397) so that the reproducibility status of these security packages can be validated.
+
 [![]({{ "/images/reports/2019-05/debian.png#left" | prepend: site.baseurl }})](https://debian.org/)
 
 There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debiah-installer/) images reproducible. Following-on from last months, [Chris Lamb](https://chris-lamb.co.uk/) performed some further testing of the generated images and [requested a status update](https://bugs.debian.org/926242#67) which resulted in a call for testing the [possible removal of a now-obsolete workaround](https://bugs.debian.org/926242#87) that is hindering progress.
 
-68 reviews of Debian packages were added, 30 were updated and 11 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb discovered, identified and triaged two new issue types, the first identifying randomness in [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) `.uuid` files [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0b9e9668) and another [`randomness_in_output_from_perl_deparse`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/430c2d21).
+68 reviews of Debian packages were added, 30 were updated and 11 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb discovered, identified and triaged two new issue types, the first identifying randomness in [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) `.uuid` files [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0b9e9668)] and another [`randomness_in_output_from_perl_deparse`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/430c2d21).
 
 Finally, [GNU Guix](https://www.gnu.org/software/guix) announced its [1.0.0 release](https://www.gnu.org/software/guix/blog/2019/gnu-guix-1.0.0-released/).
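Review bot: the unchanged Debian Installer link in this hunk points at `https://www.debian.org/devel/debiah-installer/` ("debiah"), which will not resolve; since the paragraph is being touched anyway, correct it to `debian-installer` in this commit. Also "Following-on from last months" should be "Following on from last month", and "discovered, identified and triaged" can drop one of the first two verbs.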
 
@@ -71,7 +77,7 @@ Finally, [GNU Guix](https://www.gnu.org/software/guix) announced its [1.0.0 rele
 
 #### Upstream patches
 
-The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream wherever possible. This month, we wrote a large number of such patches, including:
 
 [![]({{ "/images/reports/2019-05/notion.png#right" | prepend: site.baseurl }})](https://notionwm.net/)
 
@@ -105,6 +111,8 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
     * [#929791](https://bugs.debian.org/929791) filed against [ghmm](https://tracker.debian.org/pkg/ghmm).
     * [#929793](https://bugs.debian.org/929793) filed against [liblopsub](https://tracker.debian.org/pkg/liblopsub).
 
+[![]({{ "/images/reports/2019-05/u-boot.png#center" | prepend: site.baseurl }})](https://www.denx.de/wiki/U-Boot/)
+
 Finally, Vagrant Cascadian [submitted a patch](https://patchwork.ozlabs.org/patch/1093969/) for [u-boot](https://www.denx.de/wiki/U-Boot/) boot loader fixing reproducibility when building a new type of compressed image. This [was subsequently merged in version `2019.07-rc2`](https://git.denx.de/?p=u-boot.git;a=commit;h=878e2a50b50199cb06ee28df53151e396a29d838).
 
 #### diffoscope
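Review bot: the new U-Boot image uses a `#center` fragment, while the only image-position selector visible in `custom.scss` in this diff is `img[src$="#left"]` (with `#right` used throughout the draft); confirm that a matching `img[src$="#center"]` rule exists, otherwise the image will render un-centred. Minor: "for u-boot boot loader" in the following paragraph wants "the" ("for the u-boot boot loader").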
@@ -129,7 +137,7 @@ Finally, Vagrant Cascadian [submitted a patch](https://patchwork.ozlabs.org/patc
     * Adjust various build and test-dependencies, including specifying the [ffmpeg](https://ffmpeg.org/) video encoding tool/library and the [Black](https://ffmpeg.org/) code formatter [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0eddfab)] in the build-dependencies [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d2d3dec)] and reinstating the [oggvideotools](https://sourceforge.net/projects/oggvideotools/) and `procyon-decompiler` as test dependencies, now that are no-longer buggy [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6940757)], etc.
     * Make the Debian autopkgtests not fail when a limited subset of "required tools" are temporarily unavailable. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f584fa2)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3d74240)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2e11182)]
 
-In addition, Santiago Torres altered the behaviour of the tests to ensure compatibility with various versions of [file(1)]() [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0f02296)] and Vagrant Cascadian added support for various external tools in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f3416f)] and updated the version of *diffoscope* in that distribution [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06)].
+In addition, Santiago Torres altered the behaviour of the tests to ensure compatibility with various versions of [`file(1)`]() [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0f02296)] and Vagrant Cascadian added support for various external tools in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f3416f)] and updated the version of *diffoscope* in that distribution [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06)].
 
 
 #### try.diffoscope.org
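Review bot: the `file(1)` link on the changed line has an empty target, so it renders as a link to the current page; either give it a manual page URL or drop the link syntax and keep the backticks. In the unchanged context above, the Black code formatter is linked to `https://ffmpeg.org/`, which is the ffmpeg URL copied twice, and "now that are no-longer buggy" should read "now that they are no longer buggy".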
@@ -189,7 +197,9 @@ Bernhard M. Wiedemann then [documented a more concise C code example](https://re
 
 ## Misc news
 
-* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) asked [various questions about reproducible builds and their bearing on building a distributed continuous integration system](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) which had many replies ([view thread index](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566)).
+* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) asked [various questions about reproducible builds](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) and their bearing on building a distributed continuous integration system which received many replies ([view thread index](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566)).
+
+[![]({{ "/images/reports/2019-05/profitbricks.png#right" | prepend: site.baseurl }})](https://www.profitbricks.com)
 
 * The server powering [`lists.reproducible-builds.org`](http://lists.reproducible-builds.org/) changed home. Thanks to [`potager.org`](https://potager.org/) for hosting us all this time and many thanks to [Profitbricks](https://www.profitbricks.com) for hosting our new mail server.
 
@@ -206,14 +216,15 @@ Thanks, Sam!
 
 ## Getting in touch
 
-If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+![]({{ "/images/reports/2019-05/irc.png#right" | prepend: site.baseurl }})
 
- * IRC: `#reproducible-builds` on `irc.oftc.net`.
+If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
  * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
 
- * Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
 
 <br>
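Review bot: "contributing the Reproducible Builds project" in the retained sentence is missing "to", and that sentence now duplicates the "If you are interested in contributing to our project..." line added to the introduction in the first hunk; keep one or reword this one. "However, you can get in touch with us via" signals a contrast where none is meant; "You can also get in touch with us via" fits better. On the mailing list line, check that the address in the source file is written with `@` and that `rb-general at lists.reproducible-builds.org` is only the mail archive's obfuscation of it.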
 


=====================================
assets/styles/custom.scss
=====================================
@@ -9,6 +9,7 @@ main {
 
   img {
     max-width: 100%;
+    padding-bottom: 0.5rem;
   }
 
   img[src$="#left"] {
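Review bot: `padding-bottom: 0.5rem` is added to every `img` under `main`, not only the floated report images, so inline images and logos get the gap as well; if the intent is spacing under the `#left`/`#right` floats, put it on those selectors instead. Margin rather than padding would also keep the gap outside the image box, which matters if an image ever gets a border or background.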


=====================================
images/reports/2019-05/buildroot.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/buildroot.png differ


=====================================
images/reports/2019-05/irc.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/irc.png differ


=====================================
images/reports/2019-05/kubecon.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/kubecon.png differ


=====================================
images/reports/2019-05/profitbricks.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/profitbricks.png differ


=====================================
images/reports/2019-05/u-boot.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/u-boot.png differ


=====================================
images/reports/2019-05/wired.png
=====================================
Binary files /dev/null and b/images/reports/2019-05/wired.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/e54666aa2b4321b9832da1b1e82572fda9e25e67...73b7ed5484bcb375d4a40e64c03092aeb5b4af82
