[Git][reproducible-builds/reproducible-website][master] 4 commits: Correct word omissions in the report template.
Chris Lamb
gitlab at salsa.debian.org
Mon Jan 6 12:54:38 UTC 2020
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
7b541247 by Chris Lamb at 2020-01-06T12:17:42+00:00
Correct word omissions in the report template.
- - - - -
09bb7cd9 by Chris Lamb at 2020-01-06T12:18:09+00:00
2019-12: Add Lukas Puehringer to authors.
- - - - -
0e845475 by Chris Lamb at 2020-01-06T12:54:09+00:00
2019-12: Misc cosmetic changes.
- - - - -
89687984 by Chris Lamb at 2020-01-06T12:54:25+00:00
published as https://reproducible-builds.org/reports/2019-12/
- - - - -
4 changed files:
- _reports/2019-12.md
- bin/generate-draft.template
- − images/reports/2019-12/ocaml.png
- + images/reports/2019-12/yocto-logo.png
Changes:
=====================================
_reports/2019-12.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2019"
month: "12"
title: "Reproducible Builds in December 2019"
-draft: true
+draft: false
+published: 2020-01-06 12:54:25
---
**Welcome to the December 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
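Review bot: The added front-matter line `published: 2020-01-06 12:54:25` carries no timezone offset, while the commit that adds it is stamped 2020-01-06T12:54:25+00:00. Suggest writing the offset explicitly (for example `2020-01-06 12:54:25 +0000`) so the value does not depend on how the site generator or build host resolves a zone-less timestamp.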
@@ -18,32 +19,32 @@ The motivation behind the reproducible builds effort is to ensure no flaws have
In this report for December, we cover:
-* **Media coverage** — *The Update Framework graduates in Cloud Native Computing, a Google whitepaper, etc.*
-* **Reproducible Builds Summit 2019** — *What happened at our recent meetup*
+* **Media coverage** — *A Google whitepaper, The Update Framework graduates within the Cloud Native Computing Foundation, etc.*
+* **Reproducible Builds Summit 2019** — *What happened at our recent meetup?*
* **Distribution work** — *The latest reports from Arch, Debian and openSUSE, etc.*
-* **Software development** — *Patches, patches, patches.*
+* **Software development** — *Patches, patches, patches...*
* **Mailing list summary**
-* **Contact** — *How to contribute, etc.*
+* **Contact** — *How to contribute
-If you are interested in contributing to our project, please visit our [*Contribute*]({{ "/contribute/" | prepend: site.baseurl }}) page on our website.
+If you are interested in contributing to our project, please visit the [*Contribute*]({{ "/contribute/" | prepend: site.baseurl }}) page on our website.
---
## Media coverage
-Google published [*Binary Authorization for Borg*](https://cloud.google.com/security/binary-authorization-for-borg/), a whitepaper on how they reduce exposure of user data to unauthorised code as well as methods for verifying code provenance within their [Borg](https://en.wikipedia.org/wiki/Borg_(cluster_manager)) cluster manager. In particular, the paper notes how they attempt to limit their "insider risk", ie. the potential for internal personnel to use organisational credentials or knowledge to perform malicious activities.
+Google published [*Binary Authorization for Borg*](https://cloud.google.com/security/binary-authorization-for-borg/), a whitepaper on how they reduce exposure of user data to unauthorised code as well as methods for verifying code provenance using their [Borg](https://en.wikipedia.org/wiki/Borg_(cluster_manager)) cluster manager. In particular, the paper notes how they attempt to limit their "insider risk", ie. the potential for internal personnel to use organisational credentials or knowledge to perform malicious activities.
[![]({{ "/images/reports/2019-12/tuf.png#right" | prepend: site.baseurl }})](https://theupdateframework.io/)
-The [Linux Foundation](https://www.linuxfoundation.org/) announced that [The Update Framework](https://theupdateframework.io/) (TUF) has [*graduated*](https://www.cncf.io/announcement/2019/12/18/cloud-native-computing-foundation-announces-tuf-graduation/), and thus becomes the first specification and first security-focused project to reach the highest maturity level of the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF). TUF is a technology that secures software update systems initially developed by [Justin Cappos](https://engineering.nyu.edu/faculty/justin-cappos) at the [NYU Tandon School of Engineering](https://engineering.nyu.edu/).
+The [Linux Foundation](https://www.linuxfoundation.org/) announced that [The Update Framework](https://theupdateframework.io/) (TUF) [has graduated within](https://www.cncf.io/announcement/2019/12/18/cloud-native-computing-foundation-announces-tuf-graduation/) the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF) and thus becomes the first specification and first security-focused project to reach the highest maturity level in that group. TUF is a technology that secures software update systems initially developed by [Justin Cappos](https://engineering.nyu.edu/faculty/justin-cappos) at the [NYU Tandon School of Engineering](https://engineering.nyu.edu/).
-[Andrew "*bunnie*" Huang](https://bunniestudios.com/) published a blog post asking [*Can We Build Trustable Hardware?*](https://www.bunniestudios.com/blog/?p=5706) Whilst it concludes pessimistically that "open hardware is precisely as trustworthy as closed hardware" it does mention that reproducible builds is a tool to:
+[Andrew "*bunnie*" Huang](https://bunniestudios.com/) published a blog post asking [*Can We Build Trustable Hardware?*](https://www.bunniestudios.com/blog/?p=5706) Whilst it concludes pessimistically that "open hardware is precisely as trustworthy as closed hardware" it does mention that reproducible builds can:
-> Enable any third-party auditor to download, build, and confirm (above, green check marks) that the program a user is downloading matches the intent of the developers.
+> Enable any third-party auditor to download, build, and confirm that the program a user is downloading matches the intent of the developers.
[![]({{ "/images/reports/2019-12/leaving-legacy-behind.jpg#right" | prepend: site.baseurl }})](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind)
-At the [36th Chaos Communication Congress](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page) (36C3) in Leipzig, Hannes Mehnert from the [MirageOS](https://mirage.io/) project gave a presentation called [*Leaving legacy behind*](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind) which talks generally about this operating system offering a potential alternative and minimalist approach to security but has a section on reproducible builds. ([Direct link to 38:41](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind#t=2321))
+At the [36th Chaos Communication Congress](https://events.ccc.de/congress/2019/wiki/index.php/Main_Page) (36C3) in Leipzig, Hannes Mehnert from the [MirageOS](https://mirage.io/) project gave a presentation called [*Leaving legacy behind*](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind) which talks generally about *Mirage* system offering a potential alternative and minimalist approach to security but has a section on reproducible builds ([at link to 38m41s](https://media.ccc.de/v/36c3-11172-leaving_legacy_behind#t=2321)).
---
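Review bot: In the contents list, the new Contact bullet `* **Contact** — *How to contribute` drops the closing `*` together with the ", etc.", leaving the emphasis unclosed; it should end `*How to contribute*`. In the 36C3 paragraph, "talks generally about *Mirage* system offering" is missing an article, and "at link to 38m41s" reads like a leftover from the old "Direct link to" wording; suggest "about the *Mirage* system" and "at 38m41s".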
@@ -53,13 +54,17 @@ At the [36th Chaos Communication Congress](https://events.ccc.de/congress/2019/w
***We held our [fifth annual Reproducible Builds summit]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }}) between the 1st and 8th December at [Priscilla, Queen of the Medina](https://www.queenscollective.org/artistryasactivism) in Marrakesh, Morocco.***
-The aim of the meeting was to spend some days dicussing and working on Reproducible Builds across every possible FIXME and was a great success. During our time together, we updated & exchanged the status of reproducible builds in our respective projects, improved collaboration between and within these efforts, expanded the scope and reach of reproducible builds to yet more interested parties, established and continued strategic long-term thinking (more than is typically possible via remote channels) and brainstormed designs for tools to enable end-users to get the most benefits from reproducible builds.
+The aim of the meeting was to spend time dicussing and working on Reproducible Builds with a widely diverse agenda and the event was a huge success.
-Outside of these achievements, in the hacking sessions *kpcyrd* made a breakthrough in [Alpine Linux](https://alpinelinux.org/) by producing the first reproducible package (specifically, [`py3-uritemplate`](https://tests.reproducible-builds.org/alpine/main/py3-uritemplate/py3-uritemplate-3.0.0-r4.apk.html)) in this operating system. After this, progress was accelerated and at the end of the meeting the [reproducibility status in Alpine](https://tests.reproducible-builds.org/alpine/alpine.html) reached 94%. In addition, Jelle van der Waa, Mattia Rizzolo and Paul Spooren discussed and implemented substantial changes to the database that underpins the testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org) in order to further abstract the schema in a distribution agnostic way (for example, to allow submitting the results of attempts to verify officially distributed [Arch Linux](https://www.archlinux.org/) packages).
+During our time together, we updated and exchanged the status of reproducible builds in our respective projects, improved collaboration between and within these efforts, expanded the scope and reach of reproducible builds to yet more interested parties, established and continued strategic long-term thinking in a way not typically possible via remote channels, and brainstormed designs for tools to enable end-users to get the most benefit from reproducible builds.
-Jan Nieuwenhuizen, David FIXME and Vagrant Cascadian used three different distros ([GNU Guix](https://guix.gnu.org), [Nix](https://nixos.org) and [Debian](https://debian.org)) to produce a bit-for-bit identical [GNU Mes](https://www.gnu.org/software/mes/) binary, despite using three different major versions of GCC and other toolchains to build the initial Mes, which was then used to build the bit-for-bit identical Mes binary.
+Outside of these achievements in the hacking sessions *kpcyrd* made a breakthrough in [Alpine Linux](https://alpinelinux.org/) by producing the first reproducible package — specifically, [`py3-uritemplate`](https://tests.reproducible-builds.org/alpine/main/py3-uritemplate/py3-uritemplate-3.0.0-r4.apk.html) — in this operating system. After this, progress was accelerated and by the denouement of our meeting the [reproducibility status in Alpine](https://tests.reproducible-builds.org/alpine/alpine.html) reached 94%. In addition, Jelle van der Waa, Mattia Rizzolo and Paul Spooren discussed and implemented substantial changes to the database that underpins the testing framework that powers [tests.reproducible-builds.org](https://tests.reproducible-builds.org) in order to abstract the schema in a distribution agnostic way, for example to allow submitting the results of attempts to verify officially distributed [Arch Linux](https://www.archlinux.org/) packages.
-[![]({{ "/images/reports/2019-12/ocaml.png#right" | prepend: site.baseurl }})](https://ocaml.org/)
+Lastly, Jan Nieuwenhuizen, David Terry and Vagrant Cascadian used three entirely-separate distributions ([GNU Guix](https://guix.gnu.org), [NixOS](https://nixos.org) and [Debian](https://debian.org)) to produce a bit-for-bit identical [GNU Mes](https://www.gnu.org/software/mes/) binary despite using three different major versions of GCC and other toolchain components to build an initial binary, which was then used to build a final, bit-for-bit identical, binary of *Mes*.
+
+[![]({{ "/images/reports/2019-12/summit.jpg#right" | prepend: site.baseurl }})]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }})
+
+The event was held at [Priscilla, Queen of the Medina](https://www.queenscollective.org/artistryasactivism) in Marrakesh, a location *sui generis* that stands for gender equality, female empowerment and the engagement of vulnerable communities locally through cultural activism. The event was open to anybody interested in working on Reproducible Builds issues, with or without prior experience.
A number of reports and blog posts have already been written, including for:
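Review bot: The rewritten opening sentence of the summit section still carries the typo "dicussing" from the line it replaces; it should read "discussing". In the *kpcyrd* paragraph, removing the comma after "Outside of these achievements" makes the sentence read as though the achievements happened in the hacking sessions; suggest restoring it. "by the denouement of our meeting" could simply stay as "at the end of the meeting".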
@@ -67,11 +72,7 @@ A number of reports and blog posts have already been written, including for:
* [OCaml, `opam` and MirageOS](https://hannes.nqsb.io/Posts/ReproducibleOPAM)
* [GNU Guix](https://guix.gnu.org/blog/2019/reproducible-builds-summit-5th-edition/)
-... as well as a number of tweets including ones from Jan Nieuwenhuizen celebrating progress in [GNU Guix](http://guix.gnu.org/) [[...](https://twitter.com/JANieuwenhuizen/status/1017497499089633280)] and Hannes [[...](https://twitter.com/h4nnes/status/1204347645206126592)]. The "official" report from the summit is pending publication.
-
-[![]({{ "/images/reports/2019-12/summit.jpg#right" | prepend: site.baseurl }})]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }})
-
-The event was held at [Priscilla, Queen of the Medina](https://www.queenscollective.org/artistryasactivism) in Marrakesh, a location *sui generis* that stands for gender equality, female empowerment and the engagement of vulnerable communities locally through cultural activism. The event was open to anybody interested in working on Reproducible Builds issues, with or without prior experience.
+... as well as a number of tweets including ones from Jan Nieuwenhuizen celebrating progress in [GNU Guix](http://guix.gnu.org/) [[...](https://twitter.com/JANieuwenhuizen/status/1017497499089633280)] and Hannes [[...](https://twitter.com/h4nnes/status/1204347645206126592)].
---
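Review bot: The retained tweets sentence links GNU Guix as `http://guix.gnu.org/`, while the summit paragraph earlier in this file uses `https://guix.gnu.org`; switch this link to HTTPS to match. The two tweet status IDs are also far apart (1017497499089633280 versus 1204347645206126592), so it is worth confirming that the first link points at a tweet from this summit. "Hannes" appears without a surname here although the Media coverage section names Hannes Mehnert in full.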
@@ -79,11 +80,11 @@ The event was held at [Priscilla, Queen of the Medina](https://www.queenscollect
[![]({{ "/images/reports/2019-12/debian.png#right" | prepend: site.baseurl }})](https://debian.org/)
-Within Debian, Chris Lamb categorised a large number of packages and issues in the Reproducible Builds "[notes](https://salsa.debian.org/reproducible-builds/reproducible-notes/activity)" repository, including identifying and creating [`markdown_random_email_address_html_entities`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/09b4867b) and [`nondeterministic_devhelp_documentation_generated_by_gtk_doc`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b48e8b14).
+Within Debian, Chris Lamb categorised a large number of packages and issues in the Reproducible Builds [`notes.git`](https://salsa.debian.org/reproducible-builds/reproducible-notes/activity) repository, including identifying and creating [`markdown_random_email_address_html_entities`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/09b4867b) and [`nondeterministic_devhelp_documentation_generated_by_gtk_doc`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b48e8b14).
[![]({{ "/images/reports/2019-12/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
-In [openSUSE](https://www.opensuse.org/) news, Bernhard published his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-12/msg00174.html) and filed the following patches:
+In [openSUSE](https://www.opensuse.org/), Bernhard published his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-12/msg00174.html) and filed the following patches:
* [`hidviz`](https://build.opensuse.org/request/show/754485) (use `convert -strip`)
* [`python-ipydatawidgets`](https://build.opensuse.org/request/show/760182) (make `pip install reproducible`, avoid trouble with Zip order & [mtime](https://en.wikipedia.org/wiki/Mtime))
@@ -101,18 +102,65 @@ Bernhard also filed bugs against:
* [`python-swifter`](https://bugzilla.opensuse.org/show_bug.cgi?id=1158578) (report failure to build on single-core CUPs)
* [`tesseract-ocr`](https://bugzilla.opensuse.org/show_bug.cgi?id=1159231) (report variations via their build machine's CPU)
-[![]({{ "/images/reports/2019-12/archlinux.png#right" | prepend: site.baseurl }})](https://www.archlinux.org/)
+[![]({{ "/images/reports/2019-12/yocto-logo.png#right" | prepend: site.baseurl }})](https://www.yoctoproject.org/)
-In [Arch Linux](https://www.archlinux.org/), the database structure on [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) was changed and the testing jobs updated. Work has been started on a verification test job which rebuilds the officially released packages and verifies if they are reproducible or not. In the "hacking" time after the summit, several packages were made reproducible, raising the amount of reproducible packages by approximately 1.5%. For example [`libxslt`](https://www.archlinux.org/packages/extra/x86_64/libxslt/) was patched with the patch adopted from Debian and openSUSE.
+The [Yocto Project](https://www.yoctoproject.org/) announced that it is running [continuous tests on the reproducibility of its output](http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/lib/oeqa/selftest/cases/reproducible.py) which can observed through the `oe-selftest` runs on [their build server](https://autobuilder.yoctoproject.org/typhoon/#/console). This was previously limited to just the mini images but this has now been extended to the larger graphical images. The test framework is available for end users to use against their own builds. Of particular interest is the production of binary identical results — despite arbitrary build paths — to allow more efficient builds through reuse of previously built objects, a topic covered in more-depth in [a recent LWN article](https://lwn.net/Articles/804640/).
-The [Yocto Project](https://www.yoctoproject.org/) is pleased to announce that it has now implemented and is regularly running [tests](http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/lib/oeqa/selftest/cases/reproducible.py) on the reproducibility of its output. These can be seen as a line item in our "oe-selftest" test runs on our [autobuilder](https://autobuilder.yoctoproject.org/typhoon/#/console). In October in our 3.0 biannual release this was for minimal images, now this has been extended to our sato graphical images in current development. The tests are generic, available for our users to use against their own images and our plan is to extend this to cover all our core recipes over the next months.
+[![]({{ "/images/reports/2019-12/archlinux.png#right" | prepend: site.baseurl }})](https://www.archlinux.org/)
-Of particular interest is the fact that Yocto Project builds allow builds in arbitrary paths yet produce binary identical output and that new technology in the system uses output comparisons to allow more efficient builds through reuse of previously built objects. This topic was covered in a [recent LWN article](https://lwn.net/Articles/804640/).
+In [Arch Linux](https://www.archlinux.org/), the database structure on [tests.reproducible-builds.org](https://tests.reproducible-builds.org/) was changed and the testing jobs updated to match and work has been started on a verification test job which rebuilds the officially released packages and verifies if they are reproducible or not. In the "hacking" time after our recent summit, several key packages were made reproducible, raising the amount of reproducible packages by approximately 1.5%. For example [`libxslt`](https://www.archlinux.org/packages/extra/x86_64/libxslt/) was patched with the patch originating from Debian and openSUSE.
---
## Software development
+#### [diffoscope](https://diffoscope.org)
+
+[![]({{ "/images/reports/2019-12/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
+
+[`diffoscope`](https://diffoscope.org) is our in-depth and content-aware diff-like utility that can locate and diagnose reproducibility issues. It is run countless times a day on [our testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and is essential for identifying fixes and causes of non-deterministic behaviour.
+
+This month, diffoscope version `134` was uploaded to Debian unstable by Chris Lamb. He also made the following changes to diffoscope itself, including:
+
+* Always pass a filename with a `.zip` extension to `zipnote` otherwise it will return with an [UNIX exit code](https://en.wikipedia.org/wiki/Exit_status) of 9 and we fallback to displaying a binary difference for the entire file. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a93aa33)]
+* Include the [libarchive](https://www.libarchive.org/) file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. ([#81](https://salsa.debian.org/reproducible-builds/diffoscope/issues/81))
+* Ensure that our [autopkgtests](https://ci.debian.net/) are run with our [`pyproject.toml`](https://snarky.ca/clarifying-pep-518/) present for the correct black source code formatter settings. ([#945993](https://bugs.debian.org/945993))
+* Rename the `text_option_with_stdiout` test to `text_option_with_stdout` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cb1c732)] and tidy some unnecessary boolean logic in the [ISO9660](https://wiki.osdev.org/ISO_9660) tests [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/341b98a)].
+
+In addition, Eli Schwartz fixed an error in the handling of the progress bar [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8706b87)] and Vagrant Cascadian added external tool reference for the [zstd](https://github.com/facebook/zstd) compression format for [GNU Guix](https://guix.gnu.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8c1b357)] as well as updated the version to 133 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6a65185ee46babca0630db1d64eaa8c1447d1cd6)] and 134 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5de06b9dfb7e8fa5e32187d6a118cfeb04eff0a3)] in that distribution.
+
+#### Project website & documentation
+
+[![]({{ "/images/reports/2019-12/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
+
+There was more work performed on [our website](https://reproducible-builds.org/) this month, including:
+
+* Bernhard M. Wiedemann:
+
+ * Add an [OCaml](https://ocaml.org/) example to our [`SOURCE_DATE_EPOCH` documentation]({{ "/docs/source-date-epoch/" | prepend: site.baseurl }}) and simplify the POSIX shell and `date` format usage [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/93610af)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/00e78cf)]
+ * Add a few "logo only" variations of our logo. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8094672)]
+
+* Chris Lamb:
+
+ * Add a link to the [Tails](https://tails.boum.org/) privacy-related operating system's instructions on [how to verify a downloaded image](https://tails.boum.org/contribute/build/reproducible/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed9dea)]
+
+ * Add a link to the [Reproducible Builds subreddit](https://www.reddit.com/r/reproduciblebuilds/) to the page footer. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/20)]
+
+ * Correct a "name" typo [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0840a1)], add a missing "to" [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/024b8cd)] and adjust capitalisations of "OCaml" throughout the site [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3b9b869)].
+
+* Jelle van der Waa:
+
+ * Update the [GNU Guix](http://guix.gnu.org/) logo to the new design. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/87bb32e)]
+ * Fix "signed tarballs are available" link on our [*Tools*]({{ "/docs/jvm/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/870fbbe)]
+
+* Mattia Rizzolo:
+
+ * Add an explicit [`robots.txt`](https://www.robotstxt.org/) file. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/63253b6)]
+
+ * Add a Google ["site verification"](https://support.google.com/webmasters/answer/9008080?hl=en) token. (Also added to the [diffoscope website](https://diffoscope.org/)). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1b9ad40)][[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/875ea3d)]
+
+In addition, Paul Spooren added a new page overviewing our [*Continuous Tests*]({{ "/citests/" | prepend: site.baseurl }}) overview [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1c19f5c)], Hervé Boutemy made a number of improvements to [our Java and JVM documentation]({{ "/docs/jvm/" | prepend: site.baseurl }}) expanding and clarifying various definitions as well as adding external links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/79a6937)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/938e970)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f396daa)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fde8e54)] and Mariana Moreira added a `.jekyll-cache` entry to the [`.gitignore`](https://git-scm.com/docs/gitignore) file [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eb51a49)].
+
#### Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
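Review bot: In the new Yocto paragraph, "which can observed through the `oe-selftest` runs" is missing "be", and "covered in more-depth" should be "covered in more depth". In the relocated website list, the [*Tools*] link under Jelle van der Waa targets `/docs/jvm/`, the same target as the Java and JVM documentation link a few lines below; check that it is meant to point at the tools page instead. The closing paragraph's "added a new page overviewing our *Continuous Tests* overview" repeats "overview", and the unchanged context line above still says "single-core CUPs" where "CPUs" is meant.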
@@ -121,7 +169,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [`sbt`](https://github.com/sbt/sbt/pull/5344) (timestamps and file order in generated archives)
* [NixOS](https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+label%3A%226.topic%3A+reproducible+builds%22+is%3Aclosed) [`installer/iso-image`](https://github.com/NixOS/nixpkgs/pull/75484) (timestamps in ISO installer image)
- * Generated an updated [NixOS r13y report](https://arnout.engelen.eu/nixos-r13y/report/) for `nixos-unstable`'s `iso_minimal` installer image.
+ * Generated an updated [NixOS reproducibility report](https://arnout.engelen.eu/nixos-r13y/report/) for `nixos-unstable`'s `iso_minimal` installer image.
* Bernhard M. Wiedemann:
@@ -170,52 +218,6 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [#947708](https://bugs.debian.org/947708) filed against [libtext-markdown-perl](https://tracker.debian.org/pkg/libtext-markdown-perl).
-#### [diffoscope](https://diffoscope.org)
-
-[![]({{ "/images/reports/2019-12/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
-
-[`diffoscope`](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. It is run countless times a day on [our testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and is essential for identifying fixes and causes of non-deterministic behaviour.
-
-This month, diffoscope version `134` was uploaded to Debian unstable by Chris Lamb. He also made the following changes to diffoscope itself, including:
-
-* Always pass a filename with a `.zip` extension to `zipnote` otherwise it will return with an [UNIX exit code](https://en.wikipedia.org/wiki/Exit_status) of 9 and we fallback to displaying a binary difference for the entire file. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a93aa33)]
-* Include the [libarchive](https://www.libarchive.org/) file listing for ISO images to ensure that timestamps -- and not just dates -- are visible in any difference. ([#81](https://salsa.debian.org/reproducible-builds/diffoscope/issues/81))
-* Ensure that our [autopkgtests](https://ci.debian.net/) are run with our [`pyproject.toml`](https://snarky.ca/clarifying-pep-518/) present for the correct black source code formatter settings. ([#945993](https://bugs.debian.org/945993))
-* Rename the `text_option_with_stdiout` test to `text_option_with_stdout` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cb1c732)] and tidy some unnecessary boolean logic in the [ISO9660](https://wiki.osdev.org/ISO_9660) tests [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/341b98a)].
-
-In addition, Eli Schwartz fixed an error in the handling of the progress bar [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8706b87)] and Vagrant Cascadian added external tool reference for the [zstd](https://github.com/facebook/zstd) compression format for the [GNU Guix](https://guix.gnu.org/) distribution [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8c1b357)] as well as updated the version to 133 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6a65185ee46babca0630db1d64eaa8c1447d1cd6)] and 134 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5de06b9dfb7e8fa5e32187d6a118cfeb04eff0a3)].
-
-#### Project website & documentation
-
-[![]({{ "/images/reports/2019-12/website.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
-
-There was more work performed on [our website](https://reproducible-builds.org/) this month, including:
-
-* Bernhard M. Wiedemann:
-
- * Add an [OCaml](https://ocaml.org/) example to our [`SOURCE_DATE_EPOCH` documentation]({{ "/docs/source-date-epoch/" | prepend: site.baseurl }}) and simplify the POSIX shell and `date` format usage [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/93610af)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/00e78cf)]
- * Add a few "logo only" variations of our logo. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8094672)]
-
-* Chris Lamb:
-
- * Add a link to the [Tails](https://tails.boum.org/) privacy-related operating system's instructions on [how to verify a downloaded image](https://tails.boum.org/contribute/build/reproducible/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed9dea)]
-
- * Add a link to the [Reproducible Builds subreddit](https://www.reddit.com/r/reproduciblebuilds/) to the page footer. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/20)]
-
- * Correct a "name" typo [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0840a1)], add a missing "to" [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/024b8cd)] and adjust capitalisations of "OCaml" throughout the site [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3b9b869)].
-
-* Jelle van der Waa:
-
- * Update the [GNU Guix](http://guix.gnu.org/) logo to the new design. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/87bb32e)]
- * Fix "signed tarballs are available" link on our [*Tools*]({{ "/docs/jvm/" | prepend: site.baseurl }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/870fbbe)]
-
-* Mattia Rizzolo:
-
- * Add an explicit [`robots.txt`](https://www.robotstxt.org/) file. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/63253b6)]
-
- * Add a Google ["site verification"](https://support.google.com/webmasters/answer/9008080?hl=en) token. (Also added to the [diffoscope website](https://diffoscope.org/)). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1b9ad40)][[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/875ea3d)]
-
-In addition, Paul Spooren added a new page overviewing our [*Continuous Tests*]({{ "/citests/" | prepend: site.baseurl }}) overview [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1c19f5c)], Hervé Boutemy made a number of improvements to [our Java and JVM documentation]({{ "/docs/jvm/" | prepend: site.baseurl }}) expanding and clarifying various definitions as well as adding external links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/79a6937)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/938e970)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f396daa)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fde8e54)] and Mariana Moreira added a `.jekyll-cache` entry to the [`.gitignore`](https://git-scm.com/docs/gitignore) file [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eb51a49)].
#### Test framework
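Review bot: two wording problems are visible in the removed block, and they should be corrected at the destination if this section is being moved rather than dropped. The Jelle van der Waa entry labels the link to `/docs/jvm/` as *Tools*, and the "In addition" paragraph reads "a new page overviewing our *Continuous Tests* overview", which repeats "overview".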
@@ -274,11 +276,11 @@ Lastly, Paul Spooren removed the project overview from the bottom-left of the ge
## Mailing list summary
-There was considerable activity on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month. Firstly, Bernhard M. Wiedemann posted an activity-provoking thread asking [*What is the goal of reproducible builds?*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001732.html) in order to encourage refinements, extra questions and other contributions to what an end-user experience of reproducible builds should look like.
+There was considerable activity on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month. Firstly, Bernhard M. Wiedemann posted a thread asking [*What is the goal of reproducible builds?*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001732.html) in order to encourage refinements, extra questions and other contributions to what an end-user experience of reproducible builds should or even could look like.
-Eli Schwartz then resurrected a previous thread titled [*Progress in rpm and openSUSE in 2019*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001741.html]) to clarify some points around [Arch Linux](https://www.archlinux.org/) and Python package installation. Hans-Christoph Steiner [followed-up to a separate thread](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001744.html) originally started by Hervé Boutemy announcing the status `.buildinfo` file support in the Java ecosystem and Paul Spooren then [informed the list](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001743.html) that [Google Summer of Code](https://summerofcode.withgoogle.com/) is now looking for projects for the latest cohort.
+Eli Schwartz then resurrected a previous thread titled [*Progress in rpm and openSUSE in 2019*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001741.html]) to clarify some points around [Arch Linux](https://www.archlinux.org/) and Python package installation. Hans-Christoph Steiner [followed-up to a separate thread](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001744.html) originally started by Hervé Boutemy announcing the status of `.buildinfo` file support in the Java ecosystem, and Paul Spooren then [informed the list](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001743.html) that [Google Summer of Code](https://summerofcode.withgoogle.com/) is now looking for projects for the latest cohort.
-Lastly, Lars Wirzenius enquired about the status of [*Reproducible system images*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001750.html) which [resulted in a large number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/thread.html#1750).
+Lastly, Lars Wirzenius enquired about the [status of *Reproducible system images*](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/001750.html) which [resulted in a large number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2019-December/thread.html#1750).
---
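Review bot: the rewritten "Eli Schwartz" line still carries the malformed link target `.../2019-December/001741.html])`, where a stray `]` sits inside the parentheses, so the rendered link points at a URL ending in `.html]`. This line is already being edited to add "of" and the comma, so drop the `]` in the same change. "followed-up" used as a verb on the same line would also read better as "followed up".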
@@ -298,4 +300,4 @@ If you are interested in contributing to the Reproducible Builds project, please
---
-This month's report was written by Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, Hervé Boutemy, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
+This month's report was written by Arnout Engelen, Bernhard M. Wiedemann, Chris Lamb, Hervé Boutemy, Holger Levsen, Jelle van der Waa, Lukas Puehringer and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
=====================================
bin/generate-draft.template
=====================================
@@ -13,7 +13,7 @@ draft: true
[![]({{ "/images/reports/{{ title_year }}-{{ title_month }}/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
{% endraw %}
-In these reports we outline the most important things that we have been up over the past month. As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.
+In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.
The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
@@ -91,7 +91,7 @@ In addition, build failure bugs were reported by:
---
-If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
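Review bot: on the corrected line, the second sentence still opens with "However", which signals a contrast that the text does not make; the contact list is an addition to the *Contribute* page, not an alternative to it. Since the sentence is being touched anyway, consider "You can also get in touch with us via:" so that every report generated from this template inherits the cleaner wording.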
=====================================
images/reports/2019-12/ocaml.png deleted
=====================================
Binary files a/images/reports/2019-12/ocaml.png and /dev/null differ
=====================================
images/reports/2019-12/yocto-logo.png
=====================================
Binary files /dev/null and b/images/reports/2019-12/yocto-logo.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/03c5d1acce88339dd3cc2ca8d105c4e2066f7e62...89687984ce7d64123a6ccd368b36a45264e0bf79