[Git][reproducible-builds/reproducible-website][master] 2 commits: 2020-05: Misc changes prior to release.

Chris Lamb gitlab at salsa.debian.org
Thu Jun 4 14:42:48 UTC 2020



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
bb57654b by Chris Lamb at 2020-06-04T15:40:45+01:00
2020-05: Misc changes prior to release.

- - - - -
73edfb5c by Chris Lamb at 2020-06-04T15:42:37+01:00
published as https://reproducible-builds.org/reports/2020-05/

- - - - -


1 changed file:

- _reports/2020-05.md


Changes:

=====================================
_reports/2020-05.md
=====================================
@@ -3,21 +3,24 @@ layout: report
 year: "2020"
 month: "05"
 title: "Reproducible Builds in May 2020"
-draft: true
+draft: false
+published: 2020-06-04 14:42:37
 ---
 
-**Welcome to the May 2020 report from the [Reproducible Builds]({{ "/" | relative_url }}) project.** In our regular reports we outline the most important things that we and the rest of the community have been up to over the past month.
+**Welcome to the May 2020 report from the [Reproducible Builds]({{ "/" | relative_url }}) project.**
 {: .lead}
 
 [![]({{ "/images/reports/2020-05/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
 
 One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. Nonetheless, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.
 
+In these reports we outline the most important things that we and the rest of the community have been up to over the past month.
+
 ## News
 
 The [Corona-Warn](https://www.coronawarn.app/en/) app that helps trace infection chains of SARS-CoV-2/COVID-19 in Germany had a [feature request filed against it that it build reproducibly](https://github.com/corona-warn-app/cwa-documentation/issues/14).
 
-A number of academics from [Cornell University](https://www.cornell.edu/) have published a paper titled [*Backstabber's Knife Collection*](https://arxiv.org/abs/2005.09535), reviewing open source software supply chain attacks:
+A number of academics from [Cornell University](https://www.cornell.edu/) have published a paper titled [*Backstabber's Knife Collection*](https://arxiv.org/abs/2005.09535) which reviews various open source software supply chain attacks:
 
 > Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle.
 
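Review bot: the new `published: 2020-06-04 14:42:37` value carries no timezone, while the commit timestamps in this push are `+01:00` (the value is the UTC time of the publishing commit); append `+00:00` or write it as an ISO 8601 timestamp so Jekyll does not interpret it in the site's configured timezone and shift the published date. Note also that `published` is a reserved Jekyll front-matter key whose usual meaning is the boolean that suppresses a page; a date value is truthy so the report still renders, but a key named differently (for example `published_at`) would avoid the ambiguity. Moving the "In these reports we outline..." sentence out of the `.lead` block and below the image is fine, but it now reads as a tail to the paragraph about pre-compiled binaries rather than as part of the introduction; consider keeping it as the second sentence of the lead.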
@@ -27,26 +30,25 @@ Marcin Jachymiak of the [Sia](https://sia.tech/) decentralised cloud storage pla
 
 > This means that anyone can recreate the same binaries produced from our official release process. Now anyone can verify that the release binaries were created using the source code we say they were created from. No single person or computer needs to be trusted when producing the binaries now, which greatly reduces the attack surface for Sia users.
 
-[Synchronicity](https://github.com/iqlusioninc/synchronicity) is a distributed build system for [Rust](https://www.rust-lang.org/) artifacts which have been published to [crates.io](https://crates.io/). The goal of *Synchronicity* is to provide a [distributed binary](https://wiki.mozilla.org/Security/Binary_Transparency) transparency system which is independent of any central operator.
-
-The [*Comparison of Linux distributions*](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions) article Wikipedia article now features a *Reproducible Builds* column indicating whether distributions approach and progress towards achieving reproducible builds.
+[Synchronicity](https://github.com/iqlusioninc/synchronicity) is a distributed build system for [Rust](https://www.rust-lang.org/) build artifacts which have been published to [crates.io](https://crates.io/). The goal of *Synchronicity* is to provide a [distributed binary](https://wiki.mozilla.org/Security/Binary_Transparency) transparency system which is independent of any central operator.
 
+The [*Comparison of Linux distributions*](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions) article on Wikipedia now features a *Reproducible Builds* column indicating whether distributions approach and progress towards achieving reproducible builds.
 
 <br>
 
 ## Distribution work
 
-[![]({{ "/images/reports/2020-05/debian.png#right" | relative_url }})](https://debian.org/)
-
 In Debian this month:
 
-* [Paul Wise](https://bonedaddy.net/pabs3/) continued a discussion that was started in February regarding the [storing and distribution of build logs and other related artifacts](https://bugs.debian.org/950585) and their relationship to reproducible builds. For example, the `binutils` package ships its own — unreproducible — log files in its binary packages. It was followed up by replies from Chris Lamb and Matthias Klose.
+[![]({{ "/images/reports/2020-05/debian.png#right" | relative_url }})](https://debian.org/)
+
+* [Paul Wise](https://bonedaddy.net/pabs3/) continued a discussion that was started in February regarding the [storing and distribution of build logs and other related artifacts](https://bugs.debian.org/950585) and their relationship to reproducible builds. For example, the `binutils` package ships its own, unreproducible, log files in its binary packages. It was followed-up by replies from Chris Lamb and Matthias Klose.
 
-* 34 reviews of Debian packages were added, 20 were updated and 122 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb added and categorised a new [`ocaml_cmti_files` toolchain issue](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/1b9ce3c9).
+* 34 reviews of Debian packages were added, 20 were updated and 122 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb added and categorised a new [`ocaml_cmti_files`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/1b9ce3c9) toolchain issue.
 
 [![]({{ "/images/reports/2020-05/alpine.png#right" | relative_url }})](https://www.opensuse.org/)
 
-In [Alpine Linux](https://alpinelinux.org/) an issue was filed — and closed — regarding the [reproducibility of `.apk` packages](https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10693).
+In [Alpine Linux](https://alpinelinux.org/), an issue was filed — and closed — regarding the [reproducibility of `.apk` packages](https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10693).
 
 Allan McRae of the [ArchLinux](https://www.archlinux.org/) project posted their third [*Reproducible builds progress report*](https://lists.archlinux.org/pipermail/arch-dev-public/2020-May/029981.html) to the [`arch-dev-public` mailing list](https://lists.archlinux.org/listinfo/arch-dev-public) which includes the following call for help:
 
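Review bot: the Alpine logo on the unchanged context line `[![]({{ "/images/reports/2020-05/alpine.png#right" | relative_url }})](https://www.opensuse.org/)` links to opensuse.org rather than https://alpinelinux.org/; worth fixing while this file is being touched. The rewording also replaces the em-dashes in the Paul Wise bullet with commas but keeps them in the Alpine sentence ("— and closed —"), so the style is now inconsistent within the section, and "followed-up" is a verb here and should be "followed up".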
@@ -62,7 +64,7 @@ In [openSUSE](https://www.opensuse.org/), Bernhard M. Wiedemann published his [m
 
 [![]({{ "/images/reports/2020-05/diffoscope.png#right" | relative_url }})](https://diffoscope.org)
 
-Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including preparing and uploading versions `142`, `143`, `144`, `145` and `146` to Debian:
+Chris Lamb made the changes listed below to [diffoscope](https://diffoscope.org), our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. He also prepared and uploaded versions `142`, `143`, `144`, `145` and `146` to Debian, PyPI, etc.
 
 * Comparison improvements:
 
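Review bot: "to Debian, PyPI, etc." leaves the reader guessing which other channels received versions 142 to 146; name them or drop "etc.", since a release report should be specific about where the published artifacts went.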
@@ -135,7 +137,7 @@ In addition:
 
 * Emanuel Bronshtein provided a patch to prevent a build of the [Docker](https://www.docker.com/) image containing parts of the build's. ([#123](https://salsa.debian.org/reproducible-builds/diffoscope/issues/123))
 
-* Mattia Rizzolo added an entry to `debian/py3dist-overrides" to ensure the `rpm-python` module is used in package dependencies ([#89](https://salsa.debian.org/reproducible-builds/diffoscope/issues/89)) and moved to using the new `execute_after_*` and `execute_before_*` Debhelper rules [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f469abc)].
+* Mattia Rizzolo added an entry to `debian/py3dist-overrides` to ensure the `rpm-python` module is used in package dependencies ([#89](https://salsa.debian.org/reproducible-builds/diffoscope/issues/89)) and moved to using the new `execute_after_*` and `execute_before_*` Debhelper rules [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f469abc)].
 
 <br>
 
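Review bot: the unchanged context line "prevent a build of the Docker image containing parts of the build's." is cut off mid-phrase (parts of the build's what?), so the bullet never says what the patch keeps out of the image; fill in the missing noun from #123. The backtick fix on the `debian/py3dist-overrides` line is correct and the rest of that bullet reads fine.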
@@ -252,7 +254,7 @@ We operate a large and many-featured [Jenkins](https://jenkins.io/)-based testin
 
 * Further work on a Debian package rebuilder:
 
-    * Workaround and document various issues in the `debrebuild` script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e1b6201c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/26bf92ba)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d1545750)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b89d482f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cb5aeaf9)]
+    * Workaround and document various issues in the `debrebuild` script. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e1b6201c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/26bf92ba)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b89d482f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cb5aeaf9)]
     * Improve output in the case of errors. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a364fb7)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/54d8e59f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c6783a8e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bb2dc461)]
     * Improve documentation and future goals [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2ac104da)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/09c24a46)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fe8c07e2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c6143fa2)], in particular documentiing two real world tests case for an "impossible to recreate build environment" [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/98347cff)].
     * Find the right source package to rebuild. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/80636eac)]
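Review bot: this hunk silently drops the link to commit d1545750 from the debrebuild bullet while the commit message only says "Misc changes prior to release"; if it was removed because that commit was reverted or duplicated, say so in the message, otherwise restore the link. The context line beneath it still reads "documentiing two real world tests case", which should be "documenting two real-world test cases".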
@@ -278,11 +280,11 @@ Lastly, Vagrant Cascadian clarified in the documentation that you need to be use
 
 ## [Mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/):
 
-There were a number of discussions on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month.
+There were a number of discussions on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
 
 [![]({{ "/images/reports/2020-05/verification-format-thread.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2020-May/thread.html#1922)
 
-For example, Paul Spooren started a thread titled [*Reproducible Builds Verification Format*](https://lists.reproducible-builds.org/pipermail/rb-general/2020-May/001922.html) which reopens the discussion around a schema for sharing the results from distributed rebuilders:
+Paul Spooren started a thread titled [*Reproducible Builds Verification Format*](https://lists.reproducible-builds.org/pipermail/rb-general/2020-May/001922.html) which reopens the discussion around a schema for sharing the results from distributed rebuilders:
 
 > To make the results accessible, storable and create tools around them, they should all follow the same schema, a *reproducible builds verification format*. The format tries to be as generic as possible to cover all open source projects offering precompiled source code. It stores the rebuilder results of what is reproducible and what not.
 
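Review bot: the intro now ends in a colon as if a list follows, but the next things in the file are the thread screenshot and a prose paragraph; either keep the full stop or turn the thread summaries into list items. The hunk header context "you need to be use" also looks like a typo elsewhere in the file ("you need to use"), though it is truncated here so it is worth checking in the full source.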



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/6e6ce0e1a6f0a31c411bfd0a53d64b568c18444e...73edfb5cddcd189c86fc0e603ecee62f2b6af31e
