[Git][reproducible-builds/reproducible-website][master] 2019-12: Initial draft.

Chris Lamb gitlab at salsa.debian.org
Fri Jan 3 13:21:50 UTC 2020



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
d6ec6d13 by Chris Lamb at 2020-01-03T13:21:19+00:00
2019-12: Initial draft.

- - - - -


17 changed files:

- _reports/2019-12.md
- + images/reports/2019-12/alpine.png
- + images/reports/2019-12/archlinux.png
- + images/reports/2019-12/debian.png
- + images/reports/2019-12/diffoscope.png
- + images/reports/2019-12/diffoscope.svg
- + images/reports/2019-12/gnu.png
- + images/reports/2019-12/guix.png
- + images/reports/2019-12/leaving-legacy-behind.jpg
- + images/reports/2019-12/ocaml.png
- + images/reports/2019-12/opensuse.png
- + images/reports/2019-12/reproducible-builds.png
- + images/reports/2019-12/summit.gif
- + images/reports/2019-12/summit.jpg
- + images/reports/2019-12/testframework.png
- + images/reports/2019-12/tuf.png
- + images/reports/2019-12/website.png


Changes:

=====================================
_reports/2019-12.md
=====================================
@@ -2,134 +2,293 @@
 layout: report
 year: "2019"
 month: "12"
-title: "Reproducible builds in December 2019"
+title: "Reproducible Builds in December 2019"
 draft: true
 ---
 
+**Welcome to the December 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
+
+
+[![]({{ "/images/reports/2019-12/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
+
+In these reports we outline the most important things that we have been up over the past month. As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.
+
+The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
+
+In this report for December, we cover:
+
+* **Media coverage** — *The Update Framework joins Cloud Native Computing, a Google whitepaper, etc.*
+* **Reproducible Builds Summit 2019** — *What happened at our recent meetup*
+* **Distribution work** — *The latest reports from Arch, Debian and openSUSE, etc.*
+* **Software development** — *Patches, patches, patches.*
+* **Mailing list summary**
+* **Contact** — *How to contribute, etc.*
+
+If you are interested in contributing to our project, please visit our [*Contribute*]({{ "/contribute/" | prepend: site.baseurl }}) page on our website.
+
+---
+
+## Media coverage
+
+Google published [*Binary Authorization for Borg*](https://cloud.google.com/security/binary-authorization-for-borg/), a whitepaper on how they reduce exposure of user data to unauthorised code as well as methods for verifying code provenance within their [Borg](https://en.wikipedia.org/wiki/Borg_(cluster_manager)) cluster manager. In particular, the paper notes how they attempt to limit their "insider risk", ie. the potential for internal personnel to use organisational credentials or knowledge to perform malicious activities.
+
+[![]({{ "/images/reports/2019-12/tuf.png#right" | prepend: site.baseurl }})](https://theupdateframework.io/)
+
+The [Linux Foundation](https://www.linuxfoundation.org/) announced that [The Update Framework](https://theupdateframework.io/) (TUF) has joined the [Cloud Native Computing Foundation](https://www.cncf.io/). TUF is a technology that secures software update systems initially developed by [Justin Cappos](https://engineering.nyu.edu/faculty/justin-cappos) at the [NYU Tandon School of Engineering](https://engineering.nyu.edu/).
+
+[Andrew "*bunnie*" Huang](https://bunniestudios.com/) published a blog post asking [*Can We Build Trustable Hardware?*](https://www.bunniestudios.com/blog/?p=5706) Whilst it concludes pessimistically that "open hardware is precisely as trustworthy as closed hardware" it does mention that reproducible builds is a tool to:
+
+> Enable any third-party auditor to download, build, and confirm (above, green check marks) that the program a user is downloading matches the intent of the developers.
+
+[![]({{ "/images/reports/2019-12/leaving-legacy-behind.jpg#right" | prepend: site.baseurl }})](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind)
+
+At the [36th Chaos Communication Congress](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page) (36C3) in Leipzig, Hannes Mehnert from the [MirageOS](https://mirage.io/) project gave a presentation called [*Leaving legacy behind*](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind) which talks generally about this operating system offering a potential alternative and minimalist approach to security but has a section on reproducible builds. ([Direct link to 38:41](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind#t=2321))
+
+---
+
+## Reproducible Builds Summit 2019
+
+[![]({{ "/images/reports/2019-12/summit.gif#right" | prepend: site.baseurl }})]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }})
+
+***We held our [fifth annual Reproducible Builds summit]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }}) between the 1st and 8th December at [Priscilla, Queen of the Medina](https://www.queenscollective.org/artistryasactivism) in Marrakesh, Morocco.***
+
+The aim of the meeting was to spend some days dicussing and working on Reproducible Builds across every possible and was a great success. During our time together, we updated & exchanged the status of reproducible builds in our respective projects, improved collaboration between and within these efforts, expanded the scope and reach of reproducible builds to yet more interested parties, established and continued strategic long-term thinking than is typical possible via remote channels and brainstormed designs for tools to enabling end-users to get the most benefits from reproducible builds.
+
+Outside of these achievements, in the hacking sessions *kpcyrd* made a breakthrough in [Alpine Linux](https://alpinelinux.org/) by producing the first reproducible package (specifically, [`py3-uritemplate`](https://tests.reproducible-builds.org/alpine/main/py3-uritemplate/py3-uritemplate-3.0.0-r4.apk.html)) in this operating system. After this, progress was accelerated and at the end of the meeting the [reproducibility status in Alpine](https://tests.reproducible-builds.org/alpine/alpine.html) reached 94%. In addition, Jelle van der Waa, Mattia Rizzolo and Paul Spooren discussed and implemented substantial changes to the database that underpins the testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org) in order to further abstract the schema in a distribution agnostic way (for example, to allow submitting the results of attempts to verify officially distributed [Arch Linux](https://www.archlinux.org/) packages).
+
+[![]({{ "/images/reports/2019-12/ocaml.png#right" | prepend: site.baseurl }})](https://ocaml.org/)
+
+A number of reports and blog posts have already been written, including for:
+
+* [openSUSE](https://lizards.opensuse.org/2019/12/13/opensuse-on-reproducible-builds-summit/)
+* [OCaml, `opam` and MirageOS](https://hannes.nqsb.io/Posts/ReproducibleOPAM)
+* [GNU Guix](https://guix.gnu.org/blog/2019/reproducible-builds-summit-5th-edition/)
+
+... as well as a number of tweets including ones from Jan Nieuwenhuizen celebrating progress in [GNU Guix](http://guix.gnu.org/) [[...](https://twitter.com/JANieuwenhuizen/status/1017497499089633280)] and Hannes [[...](https://twitter.com/h4nnes/status/1204347645206126592)]. The "official" report from the summit is pending publication.
+
+[![]({{ "/images/reports/2019-12/summit.jpg#right" | prepend: site.baseurl }})]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }})
+
+The event was held at [Priscilla, Queen of the Medina](https://www.queenscollective.org/artistryasactivism) in Marrakesh, a location *sui generis* that stands for gender equality, female empowerment and the engagement of vulnerable communities locally through cultural activism. The event was open to anybody interested on working on Reproducible Builds issues, with or without prior experience.
+
+---
+
+### Distribution work
+
+[![]({{ "/images/reports/2019-12/debian.png#right" | prepend: site.baseurl }})](https://debian.org/)
+
+Within Debian, Chris Lamb categorised a large number of packages and issues in the Reproducible Builds "[notes](https://salsa.debian.org/reproducible-builds/reproducible-notes/activity)" repository, including identifying and creating [`markdown_random_email_address_html_entities`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/09b4867b) and [`nondeterministic_devhelp_documentation_generated_by_gtk_doc`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b48e8b14).
+
+[![]({{ "/images/reports/2019-12/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
+
+In [openSUSE](https://www.opensuse.org/) news, Bernhard published his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-12/msg00174.html) and filed the following patches:
+
+* [`hidviz`](https://build.opensuse.org/request/show/754485) (use `convert -strip`)
+* [`python-ipydatawidgets`](https://build.opensuse.org/request/show/760182) (make `pip install reproducible`, avoid trouble with Zip order & [mtime](https://en.wikipedia.org/wiki/Mtime))
+* [`python-jupyterlab-templates`](https://build.opensuse.org/request/show/757375) (make `pip install` reproducible)
+* [`python-jupyterlab`](https://build.opensuse.org/request/show/755664) (make `pip install` reproducible)
+* [`python-mox3`](https://build.opensuse.org/request/show/760190) (drop [Sphinx](http://www.sphinx-doc.org/) `environment.pickle` file)
+* [`rpmlint-mini`](https://build.opensuse.org/request/show/754705) (sort Python compile file list)
+* [`rubygem-ronn`](https://build.opensuse.org/request/show/757287) ( Ruby date, [ submitted upstream](https://github.com/kamontat/ronn/pull/3) with updated patch)
+* [`syslinux6`](https://build.opensuse.org/request/show/759820) (sort `find` / `readdir`; already upstream)
+
+Bernhard also filed bugs against:
+
+* [`libhugetlbfs`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159558) (unreproducible `.ldscript` file)
+* [`libmicro`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159556) ([Link-Time Optimisation](https://en.wikipedia.org/wiki/Interprocedural_optimization) causing unreproducible object files; [fix by Martin Pluskal](https://build.opensuse.org/request/show/758238))
+* [`python-swifter`](https://bugzilla.opensuse.org/show_bug.cgi?id=1158578) (report failure to build on single-core CUPs)
+* [`tesseract-ocr`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159231) (report variations via their build machine's CPU)
+
+[![]({{ "/images/reports/2019-12/archlinux.png#right" | prepend: site.baseurl }})](https://www.archlinux.org/)
+
+In [Arch Linux](https://www.archlinux.org/), the database structure on [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) was changed and the testing jobs updated. Work has been started on a verification test job which rebuilds the officially released packages and verifies if they are reproducible or not. In the "hacking" time after the summit, several packages were made reproducible, raising the amount of reproducible packages by approximately 1.5%. For example [`libxslt`](https://www.archlinux.org/packages/extra/x86_64/libxslt/) was patched with the patch adopted from Debian and openSUSE.
+
+---
+
 ## Software development
 
 #### Upstream patches
 
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
 * Arnout Engelen:
+
     * [`sbt`](https://github.com/sbt/sbt/pull/5344) (timestamps and file order in generated archives)
     * [NixOS](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+label%3A%226.topic%3A+reproducible+builds%22+is%3Aclosed) [`installer/iso-image`](https://github.com/NixOS/nixpkgs/pull/75484) (timestamps in ISO installer image)
 
 * Bernhard M. Wiedemann:
-    * multiple patches to [the grass Geographic Information System](https://github.com/OSGeo/grass):
-        * [sort readdir + dict](https://github.com/OSGeo/grass/pull/247)
-        * [use `SOURCE_DATE_EPOCH` to seed the pseudo-random generator](https://github.com/OSGeo/grass/pull/251)
-        * [do not install config.status](https://github.com/OSGeo/grass/pull/263) because it contained the build host name
-    * [various OpenStack python packages](https://review.opendev.org/700810) (Dont package .pickl file)
-    * [`python-psychtoolbox`](https://github.com/Psychtoolbox-3/Psychtoolbox-3/pull/614) (sort python readdir)
-    * [`python-autobahn`](https://github.com/crossbario/autobahn-python/issues/1275) (report stuck tests on 1-core-VM)
+
     * [`bowtie`](https://github.com/BenLangmead/bowtie/pull/99) (date)
+    * [`charybdis`](https://github.com/charybdis-ircd/charybdis/pull/297) (shell date & time)
+    * [`coq`](https://github.com/coq/coq/issues/11229) (report that `.vo` files vary from build order)
+    * [`coq`](https://github.com/coq/coq/pull/11227) (OCaml date)
     * [`kismet`]( https://github.com/kismetwireless/kismet/pull/195) (date)
-    * [`coq`](https://github.com/coq/coq/pull/11227) (ocaml date)
-    * [`coq`](https://github.com/coq/coq/issues/11229) (report that .vo files vary from build order)
-    * [`php7-pear`](https://github.com/pear/pear-core/pull/105) (sort php readdir)
-    * [`orthanc`](https://bitbucket.org/sjodogne/orthanc/pull-requests/12/sort-file-lists/diff) (sort python readdir, toolchain)
-    * [`vpp`](https://gerrit.fd.io/r/c/vpp/+/23819) (shell date, regression fix)
-    * [`pw3270`](https://github.com/PerryWerneck/pw3270/pull/2) (make date + convert -strip)
-    * [`pmix`](https://github.com/openpmix/openpmix/pull/1560) (date+time+host+user)
-    * [`charybdis`](https://github.com/charybdis-ircd/charybdis/pull/297) (shell date+time)
+    * [`libcec`](https://github.com/Pulse-Eight/libcec/pull/487) (CMake: use `TIMESTAMP` variable instead of build date)
     * [`lifelines`](https://github.com/lifelines/lifelines/pull/389) (date)
+    * [OpenStack Python packages](https://review.opendev.org/700810) (don't package a `.pickle` file)
+    * [`orthanc`](https://bitbucket.org/sjodogne/orthanc/pull-requests/12/sort-file-lists/diff) (sort Python `readdir`)
+    * [`perl`](https://github.com/Perl/perl5/pull/17390) (fix documentation-related build failure in 2020)
+    * [`php7-pear`](https://github.com/pear/pear-core/pull/105) (sort a PHP-based `readdir`)
+    * [`pmix`](https://github.com/openpmix/openpmix/pull/1560) (date, time, host & user)
+    * [`pw3270`](https://github.com/PerryWerneck/pw3270/pull/2) (make date & `convert -strip`)
+    * [`python-autobahn`](https://github.com/crossbario/autobahn-python/issues/1275) (report stuck tests on single CPU machine)
+    * [`python-psychtoolbox`](https://github.com/Psychtoolbox-3/Psychtoolbox-3/pull/614) (sort Python `readdir`)
+    * [`python-python-crfsuite`](https://github.com/scrapinghub/python-crfsuite/pull/115) (sort Python [`glob`](https://docs.python.org/3/library/glob.html) / `readdir`)
     * [`ripgrep`](https://github.com/BurntSushi/ripgrep/issues/1441) (report variations from CPU)
-    * [`libcec`](https://github.com/Pulse-Eight/libcec/pull/487) (cmake: use TIMESTAMP instead of date)
     * [`rubygem-ronn`](https://github.com/kamontat/ronn/pull/3) (updated date patch)
-    * [`perl`](https://github.com/Perl/perl5/pull/17390) (fix doc-based FTBFS-2020)
-    * [`python-python-crfsuite`](https://github.com/scrapinghub/python-crfsuite/pull/115) (sort python glob / readdir)
+    * [`vpp`](https://gerrit.fd.io/r/c/vpp/+/23819) (shell date, regression fix)
+    * Multiple patches to the [grass](https://github.com/OSGeo/grass) Geographic Information System]:
+[[...](https://github.com/OSGeo/grass/pull/247)][[...](https://github.com/OSGeo/grass/pull/251)][[...](https://github.com/OSGeo/grass/pull/263)]
+
+* Jelle van der Waa:
+
+    * [`tbb`](https://github.com/intel/tbb/issues/202) (hostname, date & time)
+    * [`pcp`](https://github.com/performancecopilot/pcp/pull/805) (date & time)
+    * [`libcec`](https://github.com/Pulse-Eight/libcec/issues/485) (date & time)
+    * [`cgdb`](https://github.com/cgdb/cgdb/pull/215) (date &  time)
+    * [`cloc`](https://github.com/AlDanial/cloc/pull/438) (date & time)
+    * [`dlang`](https://issues.dlang.org/show_bug.cgi?id=20444) (please add support `SOURCE_DATE_EPOCH` in the [D programming language](https://dlang.org/) compiler, `dlang`)
+    * [`dlang`](https://issues.dlang.org/show_bug.cgi?id=20445) (date & time in the D `dtools` library)
+
+* Chris Lamb:
+
+    * [#857454](https://bugs.debian.org/857454) re-opened against [qtltools](https://tracker.debian.org/pkg/qtltools).
+    * [#946315](https://bugs.debian.org/946315) filed against [infernal](https://tracker.debian.org/pkg/infernal) ([forwarded upstream](https://github.com/EddyRivasLab/infernal/pull/19)).
+    * [#946330](https://bugs.debian.org/946330) filed against [usb-modeswitch-data](https://tracker.debian.org/pkg/usb-modeswitch-data) (applied upstream).
+    * [#946331](https://bugs.debian.org/946331) filed against [gtk-doc](https://tracker.debian.org/pkg/gtk-doc) ([forwarded upstream](https://gitlab.gnome.org/GNOME/gtk-doc/merge_requests/37)).
+    * [#946332](https://bugs.debian.org/946332) filed against [nftables](https://tracker.debian.org/pkg/nftables).
+    * [#946333](https://bugs.debian.org/946333) filed against [node-chart.js](https://tracker.debian.org/pkg/node-chart.js) ([forwarded upstream](https://github.com/chartjs/Chart.js/pull/6817)).
+    * [#946335](https://bugs.debian.org/946335) filed against [parsinsert](https://tracker.debian.org/pkg/parsinsert).
+    * [#947608](https://bugs.debian.org/947608) filed against [markdown](https://tracker.debian.org/pkg/markdown).
+    * [#947708](https://bugs.debian.org/947708) filed against [libtext-markdown-perl](https://tracker.debian.org/pkg/libtext-markdown-perl).
+
+
+#### [diffoscope](https://diffoscope.org)
+
+[![]({{ "/images/reports/2019-12/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
+
+[`diffoscope`](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. It is run countless times a day on [our testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and is essential for identifying fixes and causes of non-deterministic behaviour.
+
+This month, diffoscope version `134` was uploaded to Debian unstable by Chris Lamb. He also made the following changes to diffoscope itself, including:
+
+* Always pass a filename with a `.zip` extension to `zipnote` otherwise it will return with an [UNIX exit code](https://en.wikipedia.org/wiki/Exit_status) of 9 and we fallback to displaying a binary difference for the entire file. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a93aa33)]
+* Include the [libarchive](https://www.libarchive.org/) file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. ([#81](https://salsa.debian.org/reproducible-builds/diffoscope/issues/81))
+* Ensure that our [autopkgtests](https://ci.debian.net/) are run with our [`pyproject.toml`](https://snarky.ca/clarifying-pep-518/) present for the correct black source code formatter settings. ([#945993](https://bugs.debian.org/945993))
+* Rename the `text_option_with_stdiout` test to `text_option_with_stdout` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cb1c732)] and tidy some unnecessary boolean logic in the [ISO9660](https://wiki.osdev.org/ISO_9660) tests [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/341b98a)].
+
+In addition, Eli Schwartz fixed an error in the handling of the progress bar [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8706b87)] and Vagrant Cascadian added external tool reference for the [zstd](https://github.com/facebook/zstd) compression format for the [GNU Guix](https://guix.gnu.org/) distribution [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8c1b357)] as well as updated the version to 133 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6a65185ee46babca0630db1d64eaa8c1447d1cd6)].
+
+#### Project website & documentation
+
+[![]({{ "/images/reports/2019-12/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
+
+There was more work performed on [our website](https://reproducible-builds.org/) this month, including:
+
+* Bernhard M. Wiedemann:
+
+    * Add an [OCaml](https://ocaml.org/) example to our [`SOURCE_DATE_EPOCH` documentation]({{ "/docs/source-date-epoch/" | prepend: site.baseurl }}) and simplify the POSIX shell and `date` format usage [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/93610af)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/00e78cf)]
+    * Add a few "logo only" variations of our logo. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8094672)]
 
 * Chris Lamb:
-    * [gtk-doc](https://gitlab.gnome.org/GNOME/gtk-doc/merge_requests/37) (toolchain, sort python set random order)
+
+    * Add a link to the [Tails](https://tails.boum.org/) privacy-related operating system's instructions on [how to verify a downloaded image](https://tails.boum.org/contribute/build/reproducible/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed9dea)]
+
+    * Add a link to the [Reproducible Builds subreddit](https://www.reddit.com/r/reproduciblebuilds/) to the page footer. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/20)]
+
+    * Correct a "name" typo [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0840a1)], add a missing "to" [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/024b8cd)] and adjust capitalisations of "OCaml" throughout the site [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3b9b869)].
 
 * Jelle van der Waa:
-    * [`tbb`](https://github.com/intel/tbb/issues/202) (hostname, date+time)
-    * [`pcp`](https://github.com/performancecopilot/pcp/pull/805) (date+time)
-    * [`libcec`](https://github.com/Pulse-Eight/libcec/issues/485) (date+time)
-    * [`cgdb`](https://github.com/cgdb/cgdb/pull/215) (date+time)
-    * [`cloc`](https://github.com/AlDanial/cloc/pull/438) (date+time)
-    * [`dlang`](https://issues.dlang.org/show_bug.cgi?id=20444) (please support `SOURCE_DATE_EPOCH` in the D lang compiler)
-    * [`dlang`](https://issues.dlang.org/show_bug.cgi?id=20445) (date+time in dtools)
 
-#### openSUSE
+    * Update the [GNU Guix](http://guix.gnu.org/) logo to the new design. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/87bb32e)]
+    * Fix "signed tarballs are available" link on our [*Tools*]({{ "/docs/jvm/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/870fbbe)]
+
+* Mattia Rizzolo:
 
-* Bernhard published his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-12/msg00174.html)
+    * Add an explicit [`robots.txt`](https://www.robotstxt.org/) file. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/63253b6)]
 
-* patches:
-    * [`hidviz`](https://build.opensuse.org/request/show/754485) (use convert -strip)
-    * [`rpmlint-mini`](https://build.opensuse.org/request/show/754705) (sort python compile file list)
-    * [`rubygem-ronn`](https://build.opensuse.org/request/show/757287) (toolchain, ruby date ; [also submitted upstream](https://github.com/kamontat/ronn/pull/3) with updated patch)
-    * [`python-jupyterlab`](https://build.opensuse.org/request/show/755664) (make pip install reproducible)
-    * [`python-jupyterlab-templates`](https://build.opensuse.org/request/show/757375) (make pip install reproducible)
-    * [`python-ipydatawidgets`](https://build.opensuse.org/request/show/760182) (make pip install reproducible ; avoid trouble with zip order+mtime)
-    * [`python-mox3`](https://build.opensuse.org/request/show/760190) (drop sphinx environment.pickl)
-    * [`syslinux6`](https://build.opensuse.org/request/show/759820) (sort find / readdir ; already upstream)
+    * Add a Google ["site verification"](https://support.google.com/webmasters/answer/9008080?hl=en) token. (Also added to the [diffoscope website](https://diffoscope.org/)). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1b9ad40)][[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/875ea3d)]
 
-* bugs:
-    * [`python-swifter`](https://bugzilla.opensuse.org/show_bug.cgi?id=1158578) (report failure to build on 1-core VM)
-    * [`libmicro`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159556) (report LTO causing unreproducible .o files ; [fix by Martin Pluskal](https://build.opensuse.org/request/show/758238))
-    * [`libhugetlbfs`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159558) (report unreproducible .ldscript file)
-    * [`tesseract-ocr`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159231) (report variations from build machine CPU)
+In addition, Paul Spooren added a new page overviewing our [*Continuous Tests*]({{ "/citests/" | prepend: site.baseurl }}) overview [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1c19f5c)], Hervé Boutemy made a number of improvements to [our Java and JVM documentation]({{ "/docs/jvm/" | prepend: site.baseurl }}) expanding and clarifying various definitions as well as adding external links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/79a6937)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/938e970)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f396daa)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fde8e54)] and Mariana Moreira added a `.jekyll-cache` entry to the [`.gitignore`](https://git-scm.com/docs/gitignore) file [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eb51a49)]. 
 
-#### Arch Linux
 
-During the summit the database structure on tests.reproducible-builds.org was
-changed and the testing jobs updated. Work has been started on a verification
-test job which rebuilds officially released packages and verifies if they are
-reproducible. In the hacking time after the summit several packages where made
-reproducible which raised the amount of reproducible packages by 1.5%. For example [libxslt](https://www.archlinux.org/packages/extra/x86_64/libxslt/) was patched with the patch already used openSUSE and Debian.
+#### Test framework
 
-#### Debian
+[![]({{ "/images/reports/2019-10/testframework.png#right" | prepend: site.baseurl }})](https://tests.reproducible-builds.org/)
 
-* [946315](https://bugs.debian.org/946315) [forwarded upstream](https://github.com/EddyRivasLab/infernal/pull/19)
+We operate a comprehensive [Jenkins](https://jenkins.io/)-based testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org). This month, the following changes were made:
 
-* [946333](https://bugs.debian.org/946333) [forwarded upstream](https://github.com/chartjs/Chart.js/pull/6817)
+* Holger Levsen:
 
-* [946331](https://bugs.debian.org/946331) [forwarded upstream](https://gitlab.gnome.org/GNOME/gtk-doc/merge_requests/37)
+    * [Alpine](https://alpinelinux.org/):
 
-* [#946330 applied upstream](https://bugs.debian.org/946330) - FIXME link to upstream
+        * Indicate where Alpine is being built on the node overview page. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4af96f16)]
+        * Turn off debugging output. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6a461023)]
+        * Sleep longer if no packages are to be built. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f1d3c700)]
 
-#### GNU Guix
+    * Misc:
 
-* Vagrant Cascadian updated [diffoscope to 133](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6a65185ee46babca0630db1d64eaa8c1447d1cd6) in GNU Guix.
+        * Add some help text to our script to powercycle [IONOS](https://www.ionos.com/) (*neé* Profitbricks) nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23442fc2)]
+        * Install [mosh](https://mosh.org/) everywhere. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/25e3d43b)]
+        * Only install [ripgrep](https://github.com/BurntSushi/ripgrep) on Debian nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3a3ce6b)]
 
-## rb5 summit
+* Mattia Rizzolo:
 
-* kpcyrd made https://tests.reproducible-builds.org/alpine/main/py3-uritemplate/py3-uritemplate-3.0.0-r4.apk.html the first reproducible alpine package in our CI ;   https://tests.reproducible-builds.org/alpine/alpine.html shows 94% reproducible in main repo
-* mattia, jelle and apacar discussed some database changes for the tests.r.o database to allow submitting results of attempts to verify officially distributed packages from for example Arch Linux.
-* mattia did some maintenance work on the reproducible builds database to convert timestamps from strings to real timestamps data types
-* mattia renamed the Arch Linux suites from `archlinux_$suite` to `$suite`.
+    * [Arch Linux](https://www.archlinux.org/):
 
-* Maven:
-  * Hervé Boutemy wrote in Message-ID: <3067075.YCjHTnBDQv at giga> on rb-general:
-  "I just launched a vote for Maven Release Plugin 3.0.0-M1 with instructions on how to check that this build is as reproducible as I expect it to be. Don't hesitate to check and vote on the release: https://lists.apache.org/thread.html/db3dea44d827d0a5cc557407d4cfe69b4304475f6e41030517aea29e%40%3Cdev.maven.apache.org%3E - Thanks for your help to make in the future Reproducible Builds a normal feature for any Java project published to Maven Central."
-  * Hans-Christoph Steiner added in Message-ID: <6ce61db3-af20-df3a-fe93-bebee7b04e7f at guardianproject.info>
-  "After working with Maven and Bazel devs at the summit,  I wanted to follow up to keep the buildinfo work moving.  I have buildinfo generation working with gradle, and it is now working in Maven plugins. I'd heard it was working with Bazel, but I haven't seen it yet.
-  The JARs produced with Maven and Gradle now only differ in the sort order of files in the ZIP header.  `mvn deploy` even pushes the buildinfo file to the maven repo: https://gitlab.com/eighthave/jtorctl/-/packages/59404
-  In this process, I found a small bug in maven archiver, which puts the META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP: https://issues.apache.org/jira/browse/MSHARED-849"
-  * Later he added in Message-ID: <7c8245e1-8b57-368e-a09a-00f1de0c3fce at guardianproject.info>
-  "More progress!  The jtorctl library that we hacked on in Marrakesh is now published using Maven with a .buildinfo file: https://repo1.maven.org/maven2/info/guardianproject/jtorctl/0.4/"
+        * Normalise the suite names in the database. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7a0295e8)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/231884e8)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/62750403)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d8473a13)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/77d3b173)]
+        * Drop an unneeded line in the scheduler. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/035f6170)]
 
-* summit reports / tweets / blogposts / commits
-    * https://twitter.com/JANieuwenhuizen/status/1017497499089633280
-    * https://twitter.com/h4nnes/status/1204347645206126592
-    * https://guix.gnu.org/blog/2019/reproducible-builds-summit-5th-edition/
+    * [Debian](https://debian.org/):
 
+        * Fix a number of SQL errors. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cd4ee15d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e380dad1)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8c515b2d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/528f3bce)]
+        * Use the `debian.debian_support` Python library over `apt_pkg` to perform version comparisons. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7677b378)]
 
+    * Misc:
 
-#### unsorted
+        * Permit other distributions to use our web-based package scheduling script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cb775560)]
+        * Reformat our power-cycling script using using [Black](https://black.readthedocs.io/) and use the Python [`logging`](https://docs.python.org/3/library/logging.html) module. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/325b9f57)]
+        * Introduce a `dsources` database view to simplify some queries [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/95eb84e6)] and add a `build_type` field to support both "doublelrebuilds" and verification rebuilds [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/86160814)].
+        * Move (almost) all the timestamps in the database schema from raw strings to "real" timestamp data types. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6e7a475c)]
+        * Only block bots on [jenkins.debian.net](https://jenkins.debian.net/) and [tests.reproducible-builds.org](http://tests.reproducible-builds.org/), not any other sites. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e09cda74)]
 
+[![]({{ "/images/reports/2019-12/alpine.png#right" | prepend: site.baseurl }})](https://alpinelinux.org/)
 
+* *kpcyrd* (for [Alpine Linux](https://alpinelinux.org/)):
 
+    * Patch/install the `abuild` utility to one that is reproducible. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3b55b4d3)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b4cfe3d3)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2d81fa1a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6c3c15e0)]
+    * Bump the number of build workers and collect garbage more frequently. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/35a3dd33)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a97cb13c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/83cc9dca)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/30138aa1)]
+    * Classify and display build results consistently. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/21026d76)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/70a8fe35)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9eeb3a5a)]
+    * Ensure that [tmux](https://tmux.github.io/) and [ripgrep](https://github.com/BurntSushi/ripgrep) is installed. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/332f2549)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3b43b4f9)]
+    * Support building packages in the future. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/912f3126)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71380c9a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5ee25a02)]
 
+Lastly, Paul Spooren removed the project overiew from the bottom-left of the generated pages [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23eb5845)] and the usual node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dea04259)] and Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7587e568)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6d8111ce)].
+
+---
 
+## Mailing list summary
 
-* [FIXME](https://cloud.google.com/security/binary-authorization-for-borg/) a whitepaper on how Google reduces exposure of user-data to unauthorized code - by the team of summit attendee Colleen.
+There was considerable activity on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month. Firstly, Bernhard M. Wiedemann posted an activity-provoking thread asking [*What is the goal of reproducible builds?*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001732.html) in order to encourage refinements, extra questions and other contributions to what an end-user experience of reproducible builds should look like.
 
-* [FIXME](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind#t=2321) the talk titled "Leaving legacy behind" about MirageOS by Hannes Mehnert had a section on reproducible builds.
+Eli Schwartz then resurrected a previous thread titled [*Progress in rpm and openSUSE in 2019*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001741.html]) to clarify some points around [Arch Linux](https://www.archlinux.org/) and Python package installation. Hans-Christoph Steiner [followed-up to a separate thread](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001744.html) originally started by Hervé Boutemy announcing the status `.buildinfo` file support in the Java ecosystem and Paul Spooren then [informed the list](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001743.html) that [Google Summer of Code](https://summerofcode.withgoogle.com/) is now looking for projects for the latest cohort.
 
-* [857454 reopened](857454)
+Lastly, Lars Wirzenius enquired about the status of [*Reproducible system images*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001750.html) which [resulted in a large number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/thread.html#1750).
 
-* https://www.cncf.io/announcement/2019/12/18/cloud-native-computing-foundation-announces-tuf-graduation/
+---
+
+## Contact
+
+If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Reddit: [/r/reproduciblebuilds](https://reddit.com/r/reproduciblebuilds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+<br>
+
+---
 
-* https://www.bunniestudios.com/blog/?p=5706
+This month's report was written by Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, Hervé Boutemy, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.


=====================================
images/reports/2019-12/alpine.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/alpine.png differ


=====================================
images/reports/2019-12/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/archlinux.png differ


=====================================
images/reports/2019-12/debian.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/debian.png differ


=====================================
images/reports/2019-12/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/diffoscope.png differ


=====================================
images/reports/2019-12/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   version="1.1"
+   width="128"
+   height="128"
+   id="svg2">
+  <defs
+     id="defs4" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+     id="layer1">
+    <g
+       id="g5409">
+      <g
+         transform="translate(5.418238,0)"
+         id="g5386">
+        <rect
+           width="90.304001"
+           height="50.999996"
+           x="316.36414"
+           y="472.80621"
+           id="rect4667-3"
+           style="fill:none;stroke:none" />
+        <g
+           id="text4673-8"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5371"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5373"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5375"
+             style="fill:#c00000;fill-opacity:1" />
+        </g>
+        <g
+           id="text5366"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5378" />
+          <path
+             d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5380" />
+          <path
+             d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5382" />
+        </g>
+      </g>
+      <use
+         id="use5399"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+         id="use5401"
+         style="opacity:0.85"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+         id="use5403"
+         style="opacity:0.7"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+         id="use5405"
+         style="opacity:0.55"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+    </g>
+  </g>
+</svg>


=====================================
images/reports/2019-12/gnu.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/gnu.png differ


=====================================
images/reports/2019-12/guix.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/guix.png differ


=====================================
images/reports/2019-12/leaving-legacy-behind.jpg
=====================================
Binary files /dev/null and b/images/reports/2019-12/leaving-legacy-behind.jpg differ


=====================================
images/reports/2019-12/ocaml.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/ocaml.png differ


=====================================
images/reports/2019-12/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/opensuse.png differ


=====================================
images/reports/2019-12/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/reproducible-builds.png differ


=====================================
images/reports/2019-12/summit.gif
=====================================
Binary files /dev/null and b/images/reports/2019-12/summit.gif differ


=====================================
images/reports/2019-12/summit.jpg
=====================================
Binary files /dev/null and b/images/reports/2019-12/summit.jpg differ


=====================================
images/reports/2019-12/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/testframework.png differ


=====================================
images/reports/2019-12/tuf.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/tuf.png differ


=====================================
images/reports/2019-12/website.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d6ec6d135f6fe4191c6a0f5e0906593541423e64

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d6ec6d135f6fe4191c6a0f5e0906593541423e64
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20200103/3f72da1a/attachment.htm>


More information about the rb-commits mailing list