[Git][reproducible-builds/reproducible-website][master] 3 commits: Justify post content on larger screens.

Chris Lamb gitlab at salsa.debian.org
Thu May 2 09:38:58 UTC 2019

Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website

edef6f82 by Chris Lamb at 2019-05-02T09:27:56Z
Justify post content on larger screens.

- - - - -
07e00dad by Chris Lamb at 2019-05-02T09:35:02Z
Correct draft source links.

- - - - -
651186c6 by Chris Lamb at 2019-05-02T09:35:02Z
2019-04: Initial draft.

- - - - -

3 changed files:

- _layouts/new/report.html
- _reports/2019-04.md
- assets/styles/custom.scss


@@ -9,7 +9,7 @@ layout: new/default
 {% unless page.published %}
 <div class="col-12 alert alert-warning" role="alert">
   <strong>This is an unpublished draft report.</strong>
-  <a href="https://salsa.debian.org/reproducible-builds/reproducible-website.git/tree/_reports/{{ page.year }}{{ page.month }}.md">(source)</a>
+  <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/{{ page.year }}-{{ page.month }}.md">(source)</a>
 {% endunless %}

@@ -6,71 +6,200 @@ title: "Reproducible Builds in April 2019"
 draft: true
-* fontconfig
-    * The fontconfig developers merged patches to allow font cache files to be reproducible
-    * [FIXME](https://lists.freedesktop.org/archives/fontconfig/2019-April/006508.html)
-    * [FIXME](https://gitlab.freedesktop.org/fontconfig/fontconfig/issues/130#note_144421)
+Welcome to the April 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!
-* the recent `bootstrap-sass` incident
-    * David A. Wheeler published [an essay on the incident](https://dwheeler.com/essays/bootstrap-sass-subversion.html) that proposes reproducible builds as one way to reduce the impact of such software supply chain attacks in the future.
-    * Jake Edge had similar thoughts on [LWN](https://lwn.net/Articles/785386/)
+In this post we will detail the most important things have been up to in/around the world of reproducible builds and secure toolchains.
-* Chris Lamb [updated the certificate](https://github.com/lamby/try.diffoscope.org/commit/aa3cc35451dd7fedfdc30af7b248b39d0e9f7898) of try.diffoscope.org ; FIXME: background/details
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
-* [debian-installer upload](https://bugs.debian.org/920676#50)
-* Bernhard M. Wiedemann [posted his monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-04/msg00414.html) for the [openSUSE](https://opensuse.org/) distribution.
+In this week's report, we will cover:
-* The first non-trivial library written in [Scala](https://www.scala-lang.org/) (on the [JVM](https://reproducible-builds.org/docs/jvm/)) was released with Arnout Engelen's [sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds) plugin enabled during the build: [Akka 2.5.22](https://akka.io/blog/news/2019/04/03/akka-2.5.22-released). The artifacts built with version 2.12.8 and 2.13.0-RC1 of the Scala compiler could be [successfully reproduced](https://arnout.engelen.eu/rb/akka/2.12/2.5.22/). For 2.12.8 the original release was performed on a Mac and the validation on a Debian machine, so it appears the build is reproducible across diverse systems.
+* Media coverage
+* Upstream news
+* Distributions
+* Software development
+* Misc
+* Contact & contribute
-## Packages reviewed and fixed, and bugs filed
+## Media coverage
+* The [SecureList](https://securelist.com) website [reported on Operation "ShadowHammer"](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/), a high-profile supply chain attack involving the [ASUS](https://en.wikipedia.org/wiki/Asus) Live Update Utility. As their post describes in more detail, tampering with binaries usually breaks the digital signature but in this case the digital signature appeared to have been compromised. ([Read more](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/))
+* [Linux Weekly News (LWN)](https://lwn.net/) covered the [recent `bootstrap-sass` backdoor incident](https://lwn.net/Articles/785386/) which speaks to the prevalence of supply-chain and mirror-based attacks. [David A. Wheeler](https://dwheeler.com) also [published an essay on the incident](https://dwheeler.com/essays/bootstrap-sass-subversion.html) that explicitly proposes reproducible builds as a potential way to reduce the impact of such attacks in the future.
+* There was an interesting discussion on [Hacker News](https://news.ycombinator.com/) regarding the release of [WAPM](https://wapm.io/), a package manager for [WebAssembly](https://webassembly.org/) packages that are typically embedded into browsers and web-pages. In [the discussion there was a query](https://news.ycombinator.com/item?id=19732794) and distinction raised by commenter *whyrusleeping* between the ability to reproduce any generated packages versus simply signing packages in the usual manner which received warm reception by the upstream authors.
+* An issue was reported against the [libsodium](https://libsodium.org) crypto library which [asked for clarification why the `1.0.17` release was modified on the download server](https://github.com/jedisct1/libsodium/issues/813). In response to this, [a pull request was created by Philip Crockett](https://github.com/sodiumoxide/sodiumoxide/pull/329) to verify the project with the `minisign` algorithm instead of `sha2`.
+* [Anmol Sarma](https://www.anmolsarma.in/) wrote a blog post requesting that developers "[Stop Memsettings Structures](https://www.anmolsarma.in/post/stop-struct-memset/)". This is relevant to the Project as `memset(3)` system call is often used to ensure determistic output of packages or of binaries themselves; if the build artifacts contain the contents uninitialised memory, to ensure a reproducible build a developer would typically "zero out" the memory using `memset(3)` to ensure that it does not contain the so-called random data.
+* Bobby Richter proposed [the addition of reproducible builds](https://github.com/TheDigitalStandard/TheDigitalStandard/pull/115) as indicator of good digital products.
+### Upstream news
+The first non-trivial library written in the [Scala](https://www.scala-lang.org/) programming language on the [Java Virtual Machine](https://reproducible-builds.org/docs/jvm/) was released with Arnout Engelen's [`sbt-reproducible-builds`](https://github.com/raboof/sbt-reproducible-builds) plugin enabled during the build. This resulted in [Akka 2.5.22](https://akka.io/blog/news/2019/04/03/akka-2.5.22-released) becoming reproducible, although it was noted that the artifacts built with version 2.12.8 and 2.13.0-RC1 of the Scala compiler [could be successfully reproduced](https://arnout.engelen.eu/rb/akka/2.12/2.5.22/). For 2.12.8, the original release was additionally performed on a Mac and the validation on a Debian-bsaed machine so it appears the build is reproducible across diverse systems. ([Mailing list thread](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001529.html))
+Jeremiah "DTMB" Orians announced the 1.3.0 release of [M2-Planet](https://github.com/oriansj/M2-Planet), a self-hosting C compiler written in a subset of the features it supports. It has been bootstrapped entirely from hexadecimal (!) with 100% reproducible output/binaries. This new release sports a self-hosting port for an additional architecture amongst other changes.
+The [Go](https://golang.org) programming language has been making progress in making their builds reproducible. Ximin Luo had previously created [issue #16860](https://github.com/golang/go/issues/16860) in 2016 requesting that the compiler generates the same result regardless of the path in which the package is built. However, progress was recently made in [Change #173344](https://go-review.googlesource.com/c/go/+/173344/) (and similar) that will permit a `-trimpath` mode that will generate binaries that do not contain any local path names, similar to [`-fpath-prefix-map`](https://reproducible-builds.org/specs/build-path-prefix-map/).
+The [fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) library for configuring and customising font access in a number of distributions [announced they had merged patches](https://lists.freedesktop.org/archives/fontconfig/2019-April/006508.html) to allow various cache files to be reproducible. This is after Chris Lamb posted a historical summary and [a request for action](https://lists.freedesktop.org/archives/fontconfig/2019-January/006420.html) to [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/)'s mailing list in January 2019.
+### Distributions
+In Debian, [Chris Lamb](https://chris-lamb.co.uk/) added 90 reviews of Debian packages, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html) and 14 issues were automatically removed. Chris also added two issue types: [`build_date_in_egg_info_directory_name`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/61bf6116) & [`randomness_in_perl6_precompiled_libraries`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b718ab29).
+Holger Levsen started a [discussion regarding the distribution of `.buildinfo` files](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001550.html). These files record the environment that was used as part of a particular build in order that — along with the source code — ensure that the aforementioned environment can be recreated at a later date to reproduce the exact binary. Distributing these files is important so that others can validate that a build is actually reproducible. In his post, Holger refers to two services that now exist, [buildinfo.debian.net](https://buildinfo.debian.net) and [buildinfos.debian.net](https://buildinfos.debian.net).
+In addition, Holger restarted a long-running discussion regarding the [reproducibility status of Debian buster](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001549.html) touching on questions of potentially performing mass rebuilds of all packages in order that they use updated toolchains.
+There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debiah-installer/) images reproducible. Following-on from last months, [Chris Lamb](https://chris-lamb.co.uk/) performed some further testing of the generated images. Cyril Brulebois then made an [upload of the `debian-installer` package](https://bugs.debian.org/920676#50) to Debian that included a number of Chris' patches and Vagrant Cascadian filed a patch to [fix the reproducibility of "u-boot" images](https://salsa.debian.org/installer-team/debian-installer/commit/deeee34bc0ee5ec879182111b809896752ad0df9) by using `-n` argument to `gzip(1)`.
+Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-04/msg00414.html) for the [openSUSE](https://opensuse.org/) distribution. Bernhard also posted to our mailing list regarding [enabling the normalisation of file modification times in Python `.pyc` files](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001548.html) and opened issue [#1133809](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) on the openSUSE bug tracker.
+## Software development
+### Patches
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 * Bernhard M. Wiedemann:
-    * [dovecot23](https://bugzilla.opensuse.org/show_bug.cgi?id=1131699) (report random build failure with -j1)
-    * [rash](https://github.com/willghatch/racket-rash/issues/52) (report parallelism-related non-determinism)
-    * [maven-compiler-plugin](https://issues.apache.org/jira/browse/MCOMPILER-380) (report copyright year / date)
-    * [python-textX](https://github.com/textX/textX/pull/181) (sort python glob / readdir)
-    * [python-pyOpenSSL](https://github.com/pyca/pyopenssl/pull/828) (fix FTBFS-2020)
-    * [python-pyngus](https://github.com/kgiusti/pyngus/pull/13) (fix FTBFS-2028)
-    * [python-ldap](https://github.com/python-ldap/python-ldap/pull/277) (fix FTBFS-2027)
-    * [python-pysaml2](https://github.com/IdentityPython/pysaml2/pull/606) (FTBFS-2024)
-    * [gnutls](https://gitlab.com/gnutls/gnutls/merge_requests/979) (fix FTBFS-2024)
-    * [python-autobahn](https://build.opensuse.org/request/show/692210) (CPU-detection - consider upstreaming some variant)
-    * [python-pocketsphinx-python](https://build.opensuse.org/request/show/692544) (https://github.com/bambocher/pocketsphinx-python/pull/45 sort python glob in setup.py)
-    * [python-py-ubjson](https://build.opensuse.org/request/show/692636) (https://github.com/Iotic-Labs/py-ubjson/pull/7 sort python glob/readdir in setup.py)
-    * [python-debtcollector/python-openstackdocstheme](https://review.openstack.org/652669) (python date)
-    * [branding-openSUSE](https://github.com/openSUSE/branding/pull/111) (rediscovered already fixed parallelism race)
-    * [python-irc](https://build.opensuse.org/request/show/699679) (drop file with varying pyc timestamp)
+    * [`dovecot23`](https://bugzilla.opensuse.org/show_bug.cgi?id=1131699) (Report random build failure with -j1)
+    * [`rash`](https://github.com/willghatch/racket-rash/issues/52) (Report parallelism-related nondeterminism)
+    * [`maven-compiler-plugin`](https://issues.apache.org/jira/browse/MCOMPILER-380) (Report copyright year / date)
+    * [`python-textX`](https://github.com/textX/textX/pull/181) (Sort Python [glob](https://docs.python.org/3/library/glob.html))
+    * [`python-pyOpenSSL`](https://github.com/pyca/pyopenssl/pull/828) (Fix FTBFS-2020)
+    * [`python-pyngus`](https://github.com/kgiusti/pyngus/pull/13) (Fix FTBFS-2028)
+    * [`python-ldap`](https://github.com/python-ldap/python-ldap/pull/277) (Fix FTBFS-2027)
+    * [`python-pysaml2`](https://github.com/IdentityPython/pysaml2/pull/606) (Fix FTBFS-2024)
+    * [`gnutls`](https://gitlab.com/gnutls/gnutls/merge_requests/979) (Fix FTBFS-2024)
+    * [`python-autobahn`](https://build.opensuse.org/request/show/692210) (CPU-detection - consiuer upstreaming some variant)
+    * [`python-pocketsphinx-python`](https://build.opensuse.org/request/show/692544) ([upstream](https://github.com/bambocher/pocketsphinx-python/pull/45)) (sort Python `glob` in `setup.py`)
+    * [`python-py-ubjson`](https://build.opensuse.org/request/show/692636) ([upstream](https://github.com/Iotic-Labs/py-ubjson/pull/7)) (sort Python `glob` in `setup.py`)
+    * [`python-debtcollector/python-openstackdocstheme`](https://review.openstack.org/652669) (Python date)
+    * [`branding-openSUSE`](https://github.com/openSUSE/branding/pull/111) (Dediscovered already-fixed parallelism race)
+    * [`python-irc`](https://build.opensuse.org/request/show/699679) (Drop file with varying `.pyc` timestamp)
+* Chris Lamb:
+    * [#926298](https://bugs.debian.org/926298) filed against [`adms`](https://tracker.debian.org/pkg/adms) ([merged upstream](https://github.com/Qucs/ADMS/pull/84#issuecomment-484791782)).
+    * [#926300](https://bugs.debian.org/926300) filed against [`qpid-proton`](https://tracker.debian.org/pkg/qpid-proton).
+    * [#926301](https://bugs.debian.org/926301) filed against [`coda`](https://tracker.debian.org/pkg/coda).
+    * [#926421](https://bugs.debian.org/926421) filed against [`netcdf-parallel`](https://tracker.debian.org/pkg/netcdf-parallel).
+    * [#928183](https://bugs.debian.org/928183) filed against [`fim`](https://tracker.debian.org/pkg/fim).
+    * In addition, Chris' previous patch to the `shadow` password utility [was merged upstream](https://github.com/shadow-maint/shadow/pull/146#issuecomment-485286090).
 * Vagrant Cascadian:
-    * [linux](https://salsa.debian.org/kernel-team/linux/merge_requests/140) [Sort list of modules before adding to .json file](https://salsa.debian.org/kernel-team/linux/commit/58ef63e9e2c71ffd8a21e9c620db71cb96d2d5a9)
-    * debian-installer: [Fix reproducibility of u-boot images by using gzip -n](https://salsa.debian.org/installer-team/debian-installer/commit/deeee34bc0ee5ec879182111b809896752ad0df9)
+    * [linux](https://salsa.debian.org/kernel-team/linux/merge_requests/140): Sort list of modules before adding to `.json` file. [[...](https://salsa.debian.org/kernel-team/linux/commit/58ef63e9e2c71ffd8a21e9c620db71cb96d2d5a9)]
+### diffoscope
+![]({{ "/images/reports/2019-04/diffoscope.svg" | prepend: site.baseurl }})
+[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. It does not define reproducibility, but rather provides a helpful and human-readable guidance for packages that are not reproducible, rather than relying essentially-useless diffs.
+This month, Chris Lamb did a lot of development of diffoscope, including:
+* [Updating the certificate](https://github.com/lamby/try.diffoscope.org/commit/aa3cc35451dd7fedfdc30af7b248b39d0e9f7898) of the [try.diffoscope.org](https://try.diffoscope.org) web-based version of the tool.
+* [Uploaded version 114](https://tracker.debian.org/news/1038940/accepted-diffoscope-114-source-all-into-experimental/) to the Debian *experimental* distribution and made the corresponding upload to the [PyPI](https://pypi.org/project/diffoscope/) package repository.
+* Added support for semantic comparison of [GnuPG](https://www.gnupg.org/) "keybox" (`.kbx`) files. ([#871244](https://bugs.debian.org/871244))
-* [https://github.com/Qucs/ADMS/pull/84#issuecomment-484791782 merged](https://github.com/Qucs/ADMS/pull/84#issuecomment-484791782)
+* Add the ability to treat missing tools as failures if a "magic" environment variable is detected in order to faciliate interpreting required tools on the [Debian autopkgtests](https://ci.debian.net/) as actual test failures, rather than skipping them. The behaviour of the existing testsuite remains unchanged. ([#905885](https://bugs.debian.org/905885))
-* [https://github.com/shadow-maint/shadow/pull/146#issuecomment-485286090 merged](https://github.com/shadow-maint/shadow/pull/146#issuecomment-485286090)
+* Filed a "request for packaging" for the [annocheck](https://sourceware.org/git/?p=annobin.git) tool which can be used to "analyse an application's compilation". This is as part of [an outstanding wishlist issue](https://salsa.debian.org/reproducible-builds/diffoscope/issues/51). ([#926470](https://bugs.debian.org/926470))
-* [libsodium https://github.com/sodiumoxide/sodiumoxide/pull/329 https://github.com/jedisct1/libsodium/issues/813](https://github.com/sodiumoxide/sodiumoxide/pull/329)
+* Consolidated on a single alias as the exception value across the entire codebase. [[...](https://salsa.debian.org/reproducible-builds/diffoscope.git/commit/39e7b6b)]
-* ['The Single UNIX Specification, version-3, known as SUSv3 or POSIX-2001, notes that for portability, the character string that identifies the timezone description should begin with a colon character.'](https://unix.stackexchange.com/a/48104/222284)
+In addition, Vibhu Agrawal ensured that diffoscope failed more gracefully when running out of diskspace to resolve Debian bug [#874582](https://bugs.debian.org/874582). Thanks!
-FIXME: "Orians, Jeremiah (DTMB)" <OriansJ at michigan.gov> announced the release of M2-Planet v1.3.0 and 0.6.1
-For those who are not aware M2-Planet is a self-hosting C compiler written in a subset of the features it supports
-that has been bootstrapped entirely from hex0 with 100% reproducible output/binaries.
+### strip-nondeterminism
-* A [discussion on HackerNews](https://news.ycombinator.com/item?id=19732794) discussed reproducible builds for WebAssembly and other formats that currently use binary uploads.
+[strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. This month, Chris Lamb made the following improvements:
-* A patch to the go compiler was proposed to extend the [`-trimpath`](https://go-review.googlesource.com/c/go/+/173344/) syntax. This helps to fix [variations from buildpath](https://github.com/golang/go/issues/16860).
+* Workaround [`Archive::Zip`](https://metacpan.org/pod/Archive::Zip)'s incorrect handling of the `localExtraField` class member field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership metadata within `.zip` and `.epub` files. ([#858431](https://bugs.debian.org/858431))
-* [FIXME](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/)
+* Actually check the return status from `Archive::Zip` when writing file to disk. [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism.git/commit/b164403)]
-* Reproducible Builds participated in GSoC but sadly we didnt find any suitable students.
+* Catch an edge-case where we can't parse the length of a particular field within `.zip` files. [[...](https://salsa.debian.org/reproducible-builds/strip-nondeterminism.git/commit/783d44e)]
-* Bobby Richter proposed [an addition of reproducible builds](https://github.com/TheDigitalStandard/TheDigitalStandard/pull/115) as indicator of good digital products.
+Chris then [uploaded version `1.1.3-1`](https://tracker.debian.org/news/1038943/accepted-strip-nondeterminism-113-1-source-all-into-experimental/) to the Debian *experimental* distribution.
-* [Stop Memsettings Structures](https://www.anmolsarma.in/post/stop-struct-memset/)
-* Vagrant Cascadian submitted an [update to diffoscope 114](https://issues.guix.info/issue/35478) in [GNU Guix](https://www.gnu.org/software/guix/).
+#### Project website
+Chris Lamb made a number of improvements to [our project website](https://reproducible-builds.org) this month, including:
+* Using an explicit "draft" boolean flag for posts. [Jekyll](https://jekyllrb.com/) in Debian stable silently (!) does not support the `where_exp` filter. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/2f27517)]
+* Moving more pages away from the old design with HTML to [Markdown](https://en.wikipedia.org/wiki/Markdown) formatting and the new design template. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/19c7951)]
+* Addding a simple [Makefile](https://en.wikipedia.org/wiki/Makefile) to implicitly document how to build the site [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/172bcfd)] and add a simple `.gitlab-ci.yml` to test branches/builds [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/595d29b)].
+* Adding as simple "lint" command so we can see how many pages are using the old style. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/2b12ff7)]
+* Adding an explicit link to our "[Who is involved?](https://reproducible-builds.org/who/)" page in the footer of the newer design [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/2d14946)] and add a link to donation page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/7a95a81)].
+* Moved various bits of infrastructure to support a monthly report structure. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/eb0ae67)]
+#### Test framework
+We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). The following changes were done this week:
+* Holger Levsen ([Debian](https://www.debian.org/)-related changes):
+    * Add new experimental [buildinfos.debian.net](https://buildinfos.debian.net) service. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4bcef9ec)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1012c656)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/41152533)]
+    * Allow pushing of `.buildinfo` files from [coccia](https://db.debian.org/machines.cgi?host=coccia). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cce3dbcd)]
+    * Permit [rsync](https://rsync.samba.org/) to write into subdirectories. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/002ca47d)]
+    * Include the meta "pool" job in the overall job health view. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3aabae72)]
+    * Add support for host-specific SSH `authorized_keys` files used on a particular build node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c5b38ef7)]
+    * Dhow link to maintenance jobs for offline nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/416c60f4)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2639e5ef)]
+    * Increase the job timeout for for some runners from 3 to 5 days. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/293b6563)]
+    * Don't try to turn Jenkins or nodes offline too quickly. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/413d585a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0e33802d)]
+    * Fix pbuilder lock files if necessary. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd632698)]
+* Mattia Rizzolo:
+    * Special-case the `debian-installer` package when building to allow it access to the internet.. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e3117ca2)]
+    * Force installing the `debootstrap` from [`stretch` backports](https://backports.debian.org/) and remove `cdebootstrap`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9e252095)]
+    * Install the `python3-yaml` package on nodes as it is needed by the deploy script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/46d33b21)]
+    * Add/update the new `reproducible-builds.org` [MX records](https://en.wikipedia.org/wiki/MX_record). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ddd1042)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/711267ec)]
+    * Fix typo in comment; thanks to `ijc` for reporting! [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2435823c)]
+Holger Levsen ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a79527a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a24c3aa9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/363a02f3)]), Mattia Rizzolo ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d4d39d1)]) and Vagrant Cascadian ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6412217)]) all performed a large amount of build node maintenance and system administration and Chris Lamb provided a patch to avoid double spaces in IRC notifications. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4b80011)]
+## Misc
+* AJ Jordan updated `reprotest`, our "end-user" tool to build arbitrary software and check it for reproducibility — to reference `--no-clean-on-error` in the `--store-dir text`. [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/19b0669)]
+* David A. Wheeler started a thread on our mailing list regarding [changing the front page definition](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001523.html) and, Daniel Shahaf [posted an April Fool's joke](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001517.html).
+* Whilst the Reproducible Builds project intended to participate in [Google Summer of Code](https://summerofcode.withgoogle.com/) in 2019 we sadly we didnt find any suitable students. We do plan to be involved in future rounds where possible.
+ * Chris Lamb noticed that SUSv3/POSIX that UNIX specification mentions that for portability-reasons [the character string that identifies the timezone description should begin with a colon character](https://unix.stackexchange.com/a/48104/222284) which may have future implications regarding ensuring a particular timezone to ensure a reproducible build.
+## Contact & contribute
+If you are interested in contributing the Reproducible Builds project, please visit our "[Contribute](https://reproducible-builds.org/contribute/)" page on our website. However, you can get in touch with us via:
+ * Mailing list: [rb-general](https://lists.reproducible-builds.org/listinfo/rb-general)
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+This months's report was written by Arnout Engelen, Bernhard M. Wiedemann, [Chris Lamb](https://chris-lamb.co.uk/), Holger Levsen and Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

@@ -28,6 +28,7 @@ main {
   @media (min-width: 750px) {
     .blog-post-content {
       max-width: 750px;
+      text-align: justify;

View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/b2410c01924cfbd4befec5e9fba067ac7dc18252...651186c60bd1f99b0b8ad8ad8c4a29a16ab88493

View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/b2410c01924cfbd4befec5e9fba067ac7dc18252...651186c60bd1f99b0b8ad8ad8c4a29a16ab88493
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20190502/e576cd2f/attachment.html>

More information about the rb-commits mailing list