[Git][reproducible-builds/reproducible-website][master] 5 commits: 2020-06: Drop duplicated "issue".

Chris Lamb gitlab at salsa.debian.org
Mon Jul 6 08:11:18 UTC 2020



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
649ed2cf by Chris Lamb at 2020-07-06T08:55:40+01:00
2020-06: Drop duplicated "issue".

- - - - -
9ba032da by Chris Lamb at 2020-07-06T08:57:13+01:00
2020-06: Insert missing whitespace.

- - - - -
16774d3e by Chris Lamb at 2020-07-06T09:08:24+01:00
2020-06: Misc cosmetic updates.

- - - - -
4f30cc9f by Chris Lamb at 2020-07-06T09:10:32+01:00
2020-06: Update authors.

- - - - -
925f7b7b by Chris Lamb at 2020-07-06T09:11:05+01:00
published as https://reproducible-builds.org/reports/2020-06/

- - - - -


1 changed file:

- _reports/2020-06.md


Changes:

=====================================
_reports/2020-06.md
=====================================
@@ -3,15 +3,16 @@ layout: report
 year: "2020"
 month: "06"
 title: "Reproducible Builds in June 2020"
-draft: true
+draft: false
+published: 2020-07-06 08:11:05
 ---
 
-[![]({{ "/images/reports/2020-06/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
-
 *Welcome to the June 2020 report from the [Reproducible Builds]({{ "/" | relative_url }}) project.* In these reports we outline the most important things that we and the rest of the community have been up to over the past month.
 
 ### What are reproducible builds?
 
+[![]({{ "/images/reports/2020-06/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
+
 One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security.
 
 But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.
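Review bot: the new `published: 2020-07-06 08:11:05` front-matter value carries no timezone, while the commit timestamps in this push are given as `+01:00` (the 09:11:05+01:00 commit corresponds to 08:11:05 UTC). If the `report` layout or a feed generator interprets bare timestamps in site-local time, the page's published time will be off by an hour; consider writing the value with an explicit offset, e.g. `published: 2020-07-06 08:11:05 +0000`, or confirming that the site's convention is UTC. Moving the logo image below the "What are reproducible builds?" heading is fine.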
@@ -20,21 +21,21 @@ But whilst anyone may inspect the source code of free and open source software f
 
 [![]({{ "/images/reports/2020-06/octopus.png#right" | relative_url }})](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain)
 
-The [GitHub Security Lab](https://securitylab.github.com) published a long article revealing the discovery and analysis of a piece of malware designed to backdoor open source projects using the build process and the resulting artifacts to spread itself. In the course of their investigation, the GitHub team uncovered 26 open source projects that were backdoored by this malware and were actively serving malicious code. ([Full article](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain))
+The [GitHub Security Lab](https://securitylab.github.com) published a long article on the discovery of a piece of malware designed to backdoor open source projects that used the build process and its resulting artifacts to spread itself. In the course of their analysis and investigation, the GitHub team uncovered 26 open source projects that were backdoored by this malware and were actively serving malicious code. ([Full article](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain))
 
-Carl Dong from Chaincode Labs published an approachable presentation on [*Bitcoin Build System Security*](https://www.youtube.com/watch?v=I2iShmUTEl8) to YouTube:
+Carl Dong from Chaincode Labs uploaded a presentation on [*Bitcoin Build System Security*](https://www.youtube.com/watch?v=I2iShmUTEl8) and reproducible builds to YouTube:
 
 [![]({{ "/images/reports/2020-06/I2iShmUTEl8.jpg#center" | relative_url }})](https://www.youtube.com/watch?v=I2iShmUTEl8)
 
-The app intended to [trace infection chains of Covid-19 in Switzerland](https://github.com/DP-3T/dp3t-app-android-ch) has published information on [how to perform a reproducible build](https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md).
+The app intended to [trace infection chains of Covid-19 in Switzerland](https://github.com/DP-3T/dp3t-app-android-ch) published information on [how to perform a reproducible build](https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md).
 
 [![]({{ "/images/reports/2020-06/opentechfund.png#right" | relative_url }})](https://www.opentech.fund/)
 
 The Reproducible Builds project has received funding in the past from the [Open Technology Fund (OTF)](https://www.opentech.fund/) to reach specific technical goals, as well as to enable the project to meet in-person at our summits. The OTF has actually also assisted countless other organisations that promote transparent, civil society as well as those that provide tools to circumvent censorship and repressive surveillance. However, the OTF has now [been threatened with closure](https://saveinternetfreedom.tech). ([More info](https://lists.reproducible-builds.org/pipermail/rb-general/2020-June/001968.html))
 
-It was noticed that reproducible builds were mentioned in the book [*End-user Computer Security*](https://en.wikibooks.org/wiki/End-user_Computer_Security) by Mark Fernandes (published by [WikiBooks](https://wikibooks.org/)) in the section titled [*Detection of malware in software*](https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Detection_of_malware_in_software).
+It was noticed that Reproducible Builds was mentioned in the book [*End-user Computer Security*](https://en.wikibooks.org/wiki/End-user_Computer_Security) by Mark Fernandes (published by [WikiBooks](https://wikibooks.org/)) in the section titled [*Detection of malware in software*](https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Detection_of_malware_in_software).
 
-Lastly, reproducible builds were mentioned in a recent episode of the [Ubuntu Podcast](https://ubuntupodcast.org/) in a [wider discussion about the Snap and application stores](https://ubuntupodcast.org/2020/06/25/s13e14-ace-of-spades/) (at approx 16:00).
+Lastly, reproducible builds and other ideas around software supply chain were mentioned in a recent episode of the [Ubuntu Podcast](https://ubuntupodcast.org/) in a [wider discussion about the Snap and application stores](https://ubuntupodcast.org/2020/06/25/s13e14-ace-of-spades/) (at approx 16:00).
 
 <br>
 
@@ -42,7 +43,7 @@ Lastly, reproducible builds were mentioned in a recent episode of the [Ubuntu Po
 
 [![]({{ "/images/reports/2020-06/archlinux.png#right" | relative_url }})](https://www.archlinux.org/)
 
-In the [ArchLinux](https://www.archlinux.org/) distribution, a goal to [remove `.doctrees` from installed files](https://www.archlinux.org/todo/remove-doctrees-from-installed-files-for-reproducible-builds/) was created via Arch's '[TODO list](https://www.archlinux.org/todo/)' mechanism. These files are build caches generated by the [Sphinx documentation generator](https://www.sphinx-doc.org/) when developing documentation so that Sphinx does not have to reparse all input files. They shouldn't be packaged, especially as they lead to the package being unreproducible as their [pickled](https://docs.python.org/3/library/pickle.html) format contains unreproducible data. Jelle van der Waa and Eli Schwartz submitted various upstream patches to fix projects which install these by default.
+In the [ArchLinux](https://www.archlinux.org/) distribution, a goal to [remove `.doctrees` from installed files](https://www.archlinux.org/todo/remove-doctrees-from-installed-files-for-reproducible-builds/) was created via Arch's '[TODO list](https://www.archlinux.org/todo/)' mechanism. These `.doctree` files are caches generated by the [Sphinx documentation generator](https://www.sphinx-doc.org/) when developing documentation so that Sphinx does not have to reparse all input files across runs. They should not be packaged, especially as they lead to the package being unreproducible as their [pickled](https://docs.python.org/3/library/pickle.html) format contains unreproducible data. Jelle van der Waa and Eli Schwartz submitted various upstream patches to fix projects that install these by default.
 
 Dimitry Andric was able to determine why the reproducibility status of [FreeBSD](https://www.freebsd.org/)'s `base.txz` depended on the number of CPU cores, attributing it to an optimisation made to the [Clang](https://clang.llvm.org/) C compiler [[...](https://github.com/llvm/llvm-project/commit/b4a99a061f517e60985667e39519f60186cbb469)]. After [further detailed discussion on the FreeBSD bug](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246630#c18) it was possible to get the binaries reproducible again [[...](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246630#c34)].
 
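Review bot: the paragraph now refers to "These `.doctree` files" while the linked TODO item and the preceding sentence use `.doctrees` (the directory name Sphinx writes its cache into); pick one spelling so readers can grep for the same string the Arch TODO uses.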
@@ -143,6 +144,7 @@ The Reproducible Builds project attempts to fix unreproducible packages and we t
     * [`PHP`](https://github.com/php/php-src/pull/5671)
 
 * Eli Schwartz:
+
     * [`ghc`](https://gitlab.haskell.org/ghc/ghc/-/merge_requests/3573)
     * [`vigra`](https://github.com/ukoethe/vigra/pull/477)
 
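Review bot: inserting a blank line between `* Eli Schwartz:` and its nested list makes kramdown render that list as a loose list (items wrapped in paragraphs), which can look different from the other author entries; check that the surrounding entries in this section use the same spacing, otherwise the rendered spacing will be inconsistent between authors.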
@@ -155,7 +157,7 @@ The Reproducible Builds project attempts to fix unreproducible packages and we t
     * [#963518](https://bugs.debian.org/963518) filed against [`source-highlight`](https://tracker.debian.org/pkg/source-highlight).
 
 
-Bernhard M. Wiedemann also filed reports for [`frr`](https://github.com/FRRouting/frr/issues/6576) (build fails on single-processor machines), [`ghc-yesod-static/git-annex`](https://github.com/yesodweb/yesod/issues/1684) (filesystem ordering issue) and [`ooRexx`](https://sourceforge.net/p/oorexx/bugs/1712/) ([ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization)-related issue).
+Bernhard M. Wiedemann also filed reports for [`frr`](https://github.com/FRRouting/frr/issues/6576) (build fails on single-processor machines), [`ghc-yesod-static/git-annex`](https://github.com/yesodweb/yesod/issues/1684) (a filesystem ordering issue) and [`ooRexx`](https://sourceforge.net/p/oorexx/bugs/1712/) ([ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization)-related issue).
 
 ### diffoscope
 
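Review bot: the parentheticals are now unparallel: "(a filesystem ordering issue)" gained an article but "(ASLR-related issue)" did not; suggest "(an ASLR-related issue)" to match.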
@@ -215,7 +217,7 @@ In addition Jean-Romain Garnier made the following changes:
 * Make child pages open in new window in the `--html-dir` presenter format. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6b40118)]
 * Improve the diffs in the `--html-dir` format. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/db15a42)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7d350df)]
 
-Lastly, Daniel Fullmer fixed the [Coreboot](https://doc.coreboot.org/) filesystem comparator [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c4c1a46)] and Mattia Rizzolo prevented warnings from the [`tlsh`](https://github.com/trendmicro/tlsh) fuzzy-matching library during tests [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cbf8a2c)] and tweaked the build system to remove an unwanted `.build` directory [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0abfbdf)]. For the [GNU Guix](https://guix.gnu.org/) distribution Vagrant Cascadian updated the version of *diffoscope* to version 147[[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=526a0066ac243f9b740cd2df9e6bb56bcd51e378)] and later 148[[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d72009bf0841b55e460bcc049e3723c3bd4f6603)].
+Lastly, Daniel Fullmer fixed the [Coreboot](https://doc.coreboot.org/) filesystem comparator [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c4c1a46)] and Mattia Rizzolo prevented warnings from the [`tlsh`](https://github.com/trendmicro/tlsh) fuzzy-matching library during tests [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cbf8a2c)] and tweaked the build system to remove an unwanted `.build` directory [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0abfbdf)]. For the [GNU Guix](https://guix.gnu.org/) distribution Vagrant Cascadian updated the version of *diffoscope* to version 147 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=526a0066ac243f9b740cd2df9e6bb56bcd51e378)] and later 148 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d72009bf0841b55e460bcc049e3723c3bd4f6603)].
 
 #### Testing framework
 
@@ -250,10 +252,12 @@ We operate a large and many-featured [Jenkins](https://jenkins.io/)-based testin
 
 [![]({{ "/images/reports/2020-06/fdroid.png#right" | relative_url }})](https://f-droid.org/)
 
-In addition Marcus Hoffmann was added as a maintainer of the [F-Droid](https://f-droid.org/) reproducible checking components [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3925c3f)], Jelle van der Waa updated the "is diffoscope up-to-date in every platform" check for [Arch Linux](https://www.archlinux.org/) and [diffoscope](https://diffoscope.org/) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0762e782)] and Mattia Rizzolo backed up a copy of a "remove script" run on the [Codethink](https://www.codethink.co.uk/)-hosted '[jump server](https://en.wikipedia.org/wiki/Jump_server)' [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/82da22af)] and Vagrant Cascadian [temporarily disabled the `fixfilepath` on *bullseye*](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/f2a447ea), to get better data about the [`ftbfs_due_to_f-file-prefix-map_issue`](https://tests.reproducible-builds.org/debian/issues/unstable/ftbfs_due_to_f-file-prefix-map_issue.html) categorised issue.
+In addition: Marcus Hoffmann was added as a maintainer of the [F-Droid](https://f-droid.org/) reproducible checking components [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3925c3f)], Jelle van der Waa updated the "is diffoscope up-to-date in every platform" check for [Arch Linux](https://www.archlinux.org/) and [diffoscope](https://diffoscope.org/) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0762e782)], Mattia Rizzolo backed up a copy of a "remove script" run on the [Codethink](https://www.codethink.co.uk/)-hosted '[jump server](https://en.wikipedia.org/wiki/Jump_server)' [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/82da22af)] and Vagrant Cascadian [temporarily disabled the `fixfilepath` on *bullseye*](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/f2a447ea), to get better data about the [`ftbfs_due_to_f-file-prefix-map`](https://tests.reproducible-builds.org/debian/issues/unstable/ftbfs_due_to_f-file-prefix-map_issue.html) categorised issue.
 
 Lastly, the usual build node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/91a99356)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a4aec7ef)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d84583a9)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b40c4a9b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ddf89320)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1d7653ed)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a01e745c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f238c7ed)].
 
+<br>
+
 ---
 
 If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website. However, you can get in touch with us via:
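Review bot: the link text is shortened to `ftbfs_due_to_f-file-prefix-map`, but the target URL still ends in `ftbfs_due_to_f-file-prefix-map_issue.html`, so the displayed name no longer matches the identifier the tests.reproducible-builds.org page uses for this categorised issue; either keep the `_issue` suffix in the link text or confirm that the shorter name is the canonical one. The added `<br>` before the `---` rule mirrors the one already used earlier in the report, so that part is consistent.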
@@ -270,5 +274,5 @@ If you are interested in contributing to the Reproducible Builds project, please
 
 ---
 
-This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Holger Levsen and Jelle van der Waa. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
+This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
 {: .small}



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/3921755a3de10730989a93b554d16a2ca8238953...925f7b7bcfd991d0100f298461d6ad2dacb081a5




