[Git][reproducible-builds/reproducible-website][master] Misc cosmetic updates.
Chris Lamb
gitlab at salsa.debian.org
Sun May 5 16:05:11 UTC 2019
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
b2eb425e by Chris Lamb at 2019-05-05T16:04:54Z
Misc cosmetic updates.
- - - - -
3 changed files:
- _reports/2019-04.md
- + images/reports/2019-04/debian.png
- + images/reports/2019-04/reproducible-builds.png
Changes:
=====================================
_reports/2019-04.md
=====================================
@@ -6,56 +6,58 @@ title: "Reproducible Builds in April 2019"
draft: true
---
-Welcome to the April 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!
+**Welcome to the April 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these now-monthly reports we will outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains.
-As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
+[![]({{ "/images/reports/2019-04/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
-In this post we will detail the most important things which have been up to in/around the world of reproducible builds and secure toolchains in the month of April — starting this month we have changed the frequency of our blog to monthly.
+As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
In this months's report, we will cover:
-* Media coverage
-* Upstream news
-* Distribution work
-* Software development
-* Misc news
-* Getting in touch
+* **Media coverage** — *Compromised toolchains, what makes a good digital product?, etc.*
+* **Upstream news** — *Scala and Go working on reproducibility, etc.*
+* **Distribution work** — *Distributing build certificates, an update from openSUSE, etc.*
+* **Software development** — *New features in diffoscope, yet more test framework development, etc*
+* **Misc news** — *From our mailing list, etc.*
+* **Getting in touch** — *How to contribute, etc*
+---
## Media coverage
-* The [SecureList](https://securelist.com) website [reported on Operation "ShadowHammer"](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/), a high-profile supply chain attack involving the [ASUS](https://en.wikipedia.org/wiki/Asus) Live Update Utility. As their post describes in more detail, tampering with binaries usually breaks the digital signature but in this case the digital signature appeared to have been compromised. ([Read more](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/))
-
-![]({{ "/images/reports/2019-04/lwn.png#right" | prepend: site.baseurl }})
+* The [SecureList](https://securelist.com) website [reported on Operation "ShadowHammer"](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/), a high-profile supply chain attack involving the [ASUS](https://en.wikipedia.org/wiki/Asus) Live Update Utility. As their post describes in more detail tampering with binaries would usually break the digital signature, but in this case the digital signature itself appeared to have been compromised. ([Read more](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/))
-* [Linux Weekly News (LWN)](https://lwn.net/) covered the [recent `bootstrap-sass` backdoor incident](https://lwn.net/Articles/785386/) which speaks to the prevalence of supply-chain and mirror-based attacks. [David A. Wheeler](https://dwheeler.com) also [published an essay on the incident](https://dwheeler.com/essays/bootstrap-sass-subversion.html) that explicitly proposes reproducible builds as a potential way to reduce the impact of such attacks in the future.
+[![]({{ "/images/reports/2019-04/lwn.png#right" | prepend: site.baseurl }})](https://lwn.net/)
-* There was an interesting discussion on [Hacker News](https://news.ycombinator.com/) regarding the release of [WAPM](https://wapm.io/), a package manager for [WebAssembly](https://webassembly.org/) packages that are typically embedded into browsers and web-pages. In [the discussion there was a query](https://news.ycombinator.com/item?id=19732794) and distinction raised by commenter *whyrusleeping* between the ability to reproduce any generated packages versus simply signing packages in the usual manner which received warm reception by the upstream authors.
+* [Linux Weekly News (LWN)](https://lwn.net/) covered the [recent `bootstrap-sass` backdoor incident](https://lwn.net/Articles/785386/) which speaks to the impact and potential prevalence of supply-chain and mirror-based attacks. [David A. Wheeler](https://dwheeler.com) also [published an essay on the incident](https://dwheeler.com/essays/bootstrap-sass-subversion.html) that explicitly proposes reproducible builds as a potential way to reduce the impact of such attacks in the future.
-* An issue was reported against the [libsodium](https://libsodium.org) crypto library which [asked for clarification why the `1.0.17` release was modified on the download server](https://github.com/jedisct1/libsodium/issues/813). In response to this, [a pull request was created by Philip Crockett](https://github.com/sodiumoxide/sodiumoxide/pull/329) to verify the project with the `minisign` algorithm instead of `sha2`.
+* There was an interesting discussion on [Hacker News](https://news.ycombinator.com/) regarding the release of [WAPM](https://wapm.io/), a package manager for [WebAssembly](https://webassembly.org/) packages (typically embedded into browsers and web-pages). In [the discussion there was a query](https://news.ycombinator.com/item?id=19732794) and distinction raised by commenter *whyrusleeping* between the ability to reproduce any generated packages versus simply signing packages in the usual manner which received warm reception by the upstream authors.
-* [Anmol Sarma](https://www.anmolsarma.in/) wrote a blog post requesting that developers "[Stop Memsettings Structures](https://www.anmolsarma.in/post/stop-struct-memset/)". This is relevant to the Project as `memset(3)` system call is often used to ensure deterministic output of packages or of binaries themselves; if the build artifacts contain the contents uninitialised memory, to ensure a reproducible build a developer would typically "zero out" the memory using `memset(3)` to ensure that it does not contain the so-called random data.
+* An issue was reported against the [`libsodium`](https://libsodium.org) crypto library which [asked for clarification why the `1.0.17` release was modified on the download server](https://github.com/jedisct1/libsodium/issues/813). In response to this, [a pull request was created by Philip Crockett](https://github.com/sodiumoxide/sodiumoxide/pull/329) to verify the project with the `minisign` algorithm instead of `sha2`.
* Bobby Richter [proposed the addition of reproducible builds](https://github.com/TheDigitalStandard/TheDigitalStandard/pull/115) as indicator of good digital products.
+* [Anmol Sarma](https://www.anmolsarma.in/) wrote a blog post requesting that developers "[Stop Memsettings Structures](https://www.anmolsarma.in/post/stop-struct-memset/)". This is relevant to the Project as `memset(3)` system call is often used to ensure deterministic output of packages or of binaries themselves; if the build artifacts contain the contents uninitialised memory, to ensure a reproducible build a developer would typically "zero out" the memory using `memset(3)` to ensure that it does not contain the so-called random data.
-### Upstream news
+## Upstream news
-![]({{ "/images/reports/2019-04/scala.png#right" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2019-04/scala.png#right" | prepend: site.baseurl }})](https://www.scala-lang.org/)
The first non-trivial library written in the [Scala](https://www.scala-lang.org/) programming language on the [Java Virtual Machine](https://reproducible-builds.org/docs/jvm/) was released with Arnout Engelen's [`sbt-reproducible-builds`](https://github.com/raboof/sbt-reproducible-builds) plugin enabled during the build. This resulted in [Akka 2.5.22](https://akka.io/blog/news/2019/04/03/akka-2.5.22-released) becoming reproducible, both for the artifacts built with version [2.12.8](https://arnout.engelen.eu/rb/akka/2.12/2.5.22/) and 2.13.0-RC1 of the Scala compiler. For 2.12.8, the original release was performed on a Mac and the validation was done on a Debian-based machine, so it appears the build is reproducible across diverse systems. ([Mailing list thread](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001529.html))
-Jeremiah "DTMB" Orians announced the 1.3.0 release of [M2-Planet](https://github.com/oriansj/M2-Planet), a self-hosting C compiler written in a subset of the features it supports. It has been bootstrapped entirely from hexadecimal (!) with 100% reproducible output/binaries. This new release sports a self-hosting port for an additional architecture amongst other changes.
+Jeremiah "DTMB" Orians announced the 1.3.0 release of [M2-Planet](https://github.com/oriansj/M2-Planet), a self-hosting C compiler written in a subset of the features it supports. It has been bootstrapped entirely from hexadecimal (!) with 100% reproducible output/binaries. This new release sports a self-hosting port for an additional architecture amongst other changes. Being "self-hosted" is an important property as it can provide a method of validating the legitimancy of the build toolchain.
-![]({{ "/images/reports/2019-04/golang.png#left" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2019-04/golang.png#left" | prepend: site.baseurl }})](https://golang.org/)
-The [Go](https://golang.org) programming language has been making progress in making their builds reproducible. Ximin Luo had previously created [issue #16860](https://github.com/golang/go/issues/16860) in 2016 requesting that the compiler generates the same result regardless of the path in which the package is built. However, progress was recently made in [Change #173344](https://go-review.googlesource.com/c/go/+/173344/) (and similar) that will permit a `-trimpath` mode that will generate binaries that do not contain any local path names, similar to [`-fpath-prefix-map`](https://reproducible-builds.org/specs/build-path-prefix-map/).
+The [Go](https://golang.org) programming language has been making progress in making their builds reproducible. In 2016, Ximin Luo had created [issue #16860](https://github.com/golang/go/issues/16860) requesting that the compiler generates the same result regardless of the path in which the package is built. However, progress was recently made in [Change #173344](https://go-review.googlesource.com/c/go/+/173344/) (and adjacent) that will permit a `-trimpath` mode that will generate binaries that do not contain any local path names, similar to [`-fpath-prefix-map`](https://reproducible-builds.org/specs/build-path-prefix-map/).
The [fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) library for configuring and customising font access in a number of distributions [announced they had merged patches](https://lists.freedesktop.org/archives/fontconfig/2019-April/006508.html) to allow various cache files to be reproducible. This is after Chris Lamb posted a historical summary and [a request for action](https://lists.freedesktop.org/archives/fontconfig/2019-January/006420.html) to [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/)'s mailing list in January 2019
### Distribution work
+[![]({{ "/images/reports/2019-04/debian.png#right" | prepend: site.baseurl }})](https://debian.org/)
+
In Debian, [Chris Lamb](https://chris-lamb.co.uk/) added 90 reviews of Debian packages, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html) and 14 issues were automatically removed. Chris also added two issue types: [`build_date_in_egg_info_directory_name`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/61bf6116) & [`randomness_in_perl6_precompiled_libraries`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b718ab29).
Holger Levsen started a [discussion regarding the distribution of `.buildinfo` files](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001550.html). These files record the environment that was used as part of a particular build in order that — along with the source code — ensure that the aforementioned environment can be recreated at a later date to reproduce the exact binary. Distributing these files is important so that others can validate that a build is actually reproducible. In his post, Holger refers to two services that now exist, [buildinfo.debian.net](https://buildinfo.debian.net) and [buildinfos.debian.net](https://buildinfos.debian.net).
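Review bot: the added Anmol Sarma bullet calls `memset(3)` a "system call"; it is a C library function (the `(3)` manual section is the library-function section), so write "the `memset(3)` library function", and the same line is missing "of" in "the contents uninitialised memory". Other points in this hunk: the new intro sentence reads "which have been up to", dropping "we" ("which we have been up to"); the M2-Planet line has "legitimancy" for "legitimacy"; the new bullet summaries end with "etc." on three lines and "etc" on two; the context line "In this months's report" should be "this month's"; and the libsodium line describes `minisign` as an "algorithm" when it is a signing tool, so the point the line is making is better stated plainly as moving from checking a `sha2` hash to verifying a signature, since a bare hash cannot detect a release tarball that was replaced together with its published checksum. Finally, the `.buildinfo` paragraph's "in order that — along with the source code — ensure that" does not parse; suggest "so that, together with the source code, the environment can be recreated".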
@@ -64,14 +66,15 @@ In addition, Holger restarted a long-running discussion regarding the [reproduci
There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debiah-installer/) images reproducible. Following-on from last months, [Chris Lamb](https://chris-lamb.co.uk/) performed some further testing of the generated images. Cyril Brulebois then made an [upload of the `debian-installer` package](https://bugs.debian.org/920676#50) to Debian that included a number of Chris' patches and Vagrant Cascadian filed a patch to [fix the reproducibility of "u-boot" images](https://salsa.debian.org/installer-team/debian-installer/commit/deeee34bc0ee5ec879182111b809896752ad0df9) by using `-n` argument to `gzip(1)`.
-![]({{ "/images/reports/2019-04/opensuse.png#left" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2019-04/opensuse.png#left" | prepend: site.baseurl }})](https://www.opensuse.org/)
-Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-04/msg00414.html) for the [openSUSE](https://opensuse.org/) distribution. Bernhard also posted to our mailing list regarding [enabling the normalisation of file modification times in Python `.pyc` files](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001548.html) and opened issue [#1133809](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) on the openSUSE bug tracker.
+Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-04/msg00414.html) for the [openSUSE](https://opensuse.org/) distribution. Bernhard also posted to our mailing list regarding [enabling the normalisation of file modification times in Python `.pyc` files](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001548.html) and opened issue [#1133809](https://bugzilla.opensuse.org/show_bug.cgi?id=1133809) in the openSUSE bug tracker.
+<hr>
## Software development
-### Patches
+#### Upstream Patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
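Review bot: `#### Upstream Patches` jumps from the `## Software development` level straight to level four, skipping `###`, which the original `### Patches` did not; unless level three is reserved elsewhere, keep `###`. The same hunk adds a raw `<hr>` where the other separators introduced by this commit are Markdown `---`, so pick one form. Two pre-existing defects are visible in the context lines and worth fixing while here: the Debian Installer link reads `devel/debiah-installer` (should be `debian-installer`), and "Following-on from last months" should be "Following on from last month".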
@@ -104,9 +107,9 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [linux](https://salsa.debian.org/kernel-team/linux/merge_requests/140): Sort list of modules before adding to `.json` file. [[...](https://salsa.debian.org/kernel-team/linux/commit/58ef63e9e2c71ffd8a21e9c620db71cb96d2d5a9)]
-### diffoscope
+#### diffoscope
-![]({{ "/images/reports/2019-04/diffoscope.svg#right" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2019-04/diffoscope.svg#right" | prepend: site.baseurl }})](https://diffoscope.org)
[diffoscope](https://diffoscope.org/) is our in-depth "diff-on-steroids" utility which helps us diagnose reproducibility issues in packages. It does not define reproducibility, but rather provides a helpful and human-readable guidance for packages that are not reproducible, rather than relying essentially-useless diffs.
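Review bot: the diffoscope description in the context line reads "rather than relying essentially-useless diffs", missing "on", and "provides a helpful and human-readable guidance" should drop the article ("provides helpful, human-readable guidance"). `#### diffoscope` has the same heading-level jump as `#### Upstream Patches` in the previous hunk.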
@@ -127,7 +130,7 @@ This month, Chris Lamb did a lot of development of diffoscope, including:
In addition, Vibhu Agrawal ensured that diffoscope failed more gracefully when running out of diskspace to resolve Debian bug [#874582](https://bugs.debian.org/874582) and Vagrant Cascadian [updated to diffoscope 114](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c31bec88a818a0ee112e1e80222e7beffa463057) in [GNU Guix](https://www.gnu.org/software/guix/). Thanks!
-### strip-nondeterminism
+#### strip-nondeterminism
[strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from a completed build. It is used automatically in most Debian package builds. This month, Chris Lamb made the following improvements:
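Review bot: same heading-level jump for `#### strip-nondeterminism`; and in the preceding context line "diskspace" should be "disk space".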
@@ -144,7 +147,7 @@ Chris then [uploaded version `1.1.3-1`](https://tracker.debian.org/news/1038943/
Chris Lamb made a number of improvements to [our project website](https://reproducible-builds.org) this month, including:
-![]({{ "/images/reports/2019-04/website.png#right" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2019-04/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
* Using an explicit "draft" boolean flag for posts. [Jekyll](https://jekyllrb.com/) in Debian stable silently (!) does not support the `where_exp` filter. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website.git/commit/2f27517)]
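Review bot: the linked website image is inserted between "including:" and the bullet list that sentence introduces; the other images added in this commit (Debian, openSUSE) sit before their paragraph, so move this one above "Chris Lamb made a number of improvements" to keep the sentence and its list adjacent.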
@@ -186,6 +189,7 @@ We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framewor
Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a79527a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a24c3aa9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/363a02f3)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d4d39d1)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a6412217)] all performed a large amount of build node maintenance, system & Jenkins administration and Chris Lamb provided a patch to avoid double spaces in IRC notifications [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4b80011)].
+<hr>
## Misc news
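Review bot: `<hr>` again where the separators added above the "Media coverage" and "Getting in touch" sections use `---`; be consistent across the file.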
@@ -193,16 +197,17 @@ Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a795
* David A. Wheeler started a thread on our mailing list regarding [changing the front page definition](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001523.html) and, Daniel Shahaf [posted an April Fool's joke](https://lists.reproducible-builds.org/pipermail/rb-general/2019-April/001517.html).
-* Whilst the Reproducible Builds project intended to participate in [Google Summer of Code](https://summerofcode.withgoogle.com/) and [Outreachy](https://www.outreachy.org/) in 2019 we sadly did not find any suitable students. We do plan to be involved in future rounds where possible.
+* Whilst the Reproducible Builds project intended to participate in [Google Summer of Code](https://summerofcode.withgoogle.com/) and [Outreachy](https://www.outreachy.org/) in 2019 we sadly did not find any suitable students. We do plan to be involved in future rounds wherever possible.
- * Chris Lamb noticed that SUSv3/POSIX that UNIX specification mentions that for portability-reasons [the character string that identifies the timezone description should begin with a colon character](https://unix.stackexchange.com/a/48104/222284) which may have future implications regarding ensuring a particular timezone to ensure a reproducible build.
+ * Chris Lamb noticed that the SUSv3/POSIX UNIX specification mentions that for portability-reasons [the character string that identifies the timezone description should begin with a colon character](https://unix.stackexchange.com/a/48104/222284) which may have future implications regarding ensuring a particular timezone to ensure a reproducible build.
+---
## Getting in touch
If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
- * Mailing list: [rb-general](https://lists.reproducible-builds.org/listinfo/rb-general)
+ * Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
* IRC: `#reproducible-builds` on `irc.oftc.net`.
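Review bot: the Getting in touch context lines read "contributing the Reproducible Builds project" (missing "to") and "However, you can get in touch", where "Alternatively" is meant since the sentence offers a second route rather than a contrast. In the Misc news context line the comma in "and, Daniel Shahaf" belongs before "and". The timezone bullet's "portability-reasons" needs no hyphen, and "regarding ensuring a particular timezone to ensure a reproducible build" repeats "ensure"; suggest "for pinning a particular timezone to obtain a reproducible build".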
=====================================
images/reports/2019-04/debian.png
=====================================
Binary files /dev/null and b/images/reports/2019-04/debian.png differ
=====================================
images/reports/2019-04/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2019-04/reproducible-builds.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b2eb425e7c352a3f864c3833aab0e50956a93bb6