[Git][reproducible-builds/reproducible-website][master] 2 commits: 2020-03: Fixup some image locations.
Chris Lamb
gitlab at salsa.debian.org
Mon May 4 15:03:24 UTC 2020
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
875dc53a by Chris Lamb at 2020-05-04T16:02:59+01:00
2020-03: Fixup some image locations.
- - - - -
9f202d45 by Chris Lamb at 2020-05-04T16:02:59+01:00
2020-04: Initial draft
- - - - -
11 changed files:
- _reports/2020-03.md
- _reports/2020-04.md
- + images/reports/2020-04/archlinux.png
- + images/reports/2020-04/ccc-post.png
- + images/reports/2020-04/debian.png
- + images/reports/2020-04/diffoscope.png
- + images/reports/2020-04/opensuse.png
- + images/reports/2020-04/reproducible-builds.png
- + images/reports/2020-04/telegram.png
- + images/reports/2020-04/testframework.png
- + images/reports/2020-04/website.png
Changes:
=====================================
_reports/2020-03.md
=====================================
@@ -35,7 +35,7 @@ Vagrant Cascadian presented [*There and Back Again, Reproducibly!*](https://www.
Hervé Boutemy [mentioned on our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) in a thread titled [*Rebuilding and checking Reproducible Builds from Maven Central repository*](https://lists.reproducible-builds.org/pipermail/rb-general/2020-March/001862.html) that since the update of a central build script (the "parent [POM](https://maven.apache.org/guides/introduction/introduction-to-the-pom.html)") every Apache project using the Maven build system should build reproducibly. A [follow-up discussion](https://lists.apache.org/thread.html/ra05a971a2de961d27691bd4624850a06a862b4223116c0c904be8397%40%3Cdev.maven.apache.org%3E) regarding how to perform such rebuilds was also started on the Apache mailing list.
-[![]({{ "/images/reports/2020-01/telegram.png#right" | prepend: site.baseurl }})](https://telegram.org)
+[![]({{ "/images/reports/2020-03/telegram.png#right" | prepend: site.baseurl }})](https://telegram.org)
The [Telegram](https://telegram.org/) instant-messaging platform [announced that they had updated their iOS and Android OS applications](https://twitter.com/TelegramBeta/status/1244639594810871809) and claim that they are reproducible according to [their full instructions](https://core.telegram.org/reproducible-builds), verifying that its original source code is exactly the same code that is used to build the versions available on the Apple App Store and Google Play distribution platforms respectfully.
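Review bot: The new target `/images/reports/2020-03/telegram.png` on the `+` line is not among the 11 files in this push, which adds PNGs only under `images/reports/2020-04/`. Please confirm the file is already in the tree, otherwise the image will render as a broken link. The same check applies to the `2020-03/diffoscope.png` and `2020-03/website.png` paths changed in the two hunks that follow.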
@@ -97,7 +97,7 @@ Finally, Holger opened a bug report against the software running [tracker.debian
#### [diffoscope](https://diffoscope.org)
-[![]({{ "/images/reports/2020-01/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
+[![]({{ "/images/reports/2020-03/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), the Reproducible Builds project's in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including preparing and uploading version `138` to Debian:
@@ -158,7 +158,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
#### Project documentation
-[![]({{ "/images/reports/2020-02/website.png#right" | prepend: site.baseurl }})]({{ "/" | prepend: site.baseurl }})
+[![]({{ "/images/reports/2020-03/website.png#right" | prepend: site.baseurl }})]({{ "/" | prepend: site.baseurl }})
There was further work performed on [our documentation and website]({{ "/" | prepend: site.baseurl }}) this month including Alex Wilson adding [a section regarding using Gradle for reproducible builds]({{ "/docs/jvm/" | prepend: site.baseurl }}) in JVM projects [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5d0e646)] and Holger Levsen added the report from [our recent summit]({{ "/events/Marrakesh2019/" | prepend: site.baseurl }}) in Marrakesh [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/220770a)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f540070)].
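Review bot: The hand-written month directory in the image path is what went stale here: the removed line pointed at `2020-02`, while the other two fixes in this file pointed at `2020-01`. If `2020-03.md` carries the same `year` and `month` front matter that `_reports/2020-04.md` shows, consider building the path from `page.year` and `page.month`, or extending the website self-check to flag report images outside the report's own month, so a new report cannot silently reuse an older month's image.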
=====================================
_reports/2020-04.md
=====================================
@@ -2,78 +2,260 @@
layout: report
year: "2020"
month: "04"
-title: "Reproducible builds in April 2020"
+title: "Reproducible Builds in April 2020"
draft: true
---
-<!--
-Please prefer to just add links with unannotated (but cited)
-commentary text is typically entirely rewritten before
-publication to ensure a consistent voice.
+**Welcome to the April 2020 report from the [Reproducible Builds]({{ "/" | prepend: site.baseurl }}) project.** In our regular reports we outline the most important things that we and the rest of the community have been up to over the past month.
+{: .lead}
-It is not necessary to add resources mentioned on our mailing
-list as the list archives are consulted when writing a draft.
--->
+[![]({{ "/images/reports/2020-04/reproducible-builds.png#right" | prepend: site.baseurl }})]({{ "/" | prepend: site.baseurl }})
-#### upstream
+*What are reproducible builds?* One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.
-* Bernhard M. Wiedemann:
- * [moonjit/bcc](https://github.com/moonjit/moonjit/issues/110) (toolchain, report compile-time CPU-detection)
- * [gnutls](https://gitlab.com/gnutls/gnutls/-/merge_requests/1230) (fix FTBFS-2020-10-24)
- * [gnutls](https://gitlab.com/gnutls/gnutls/-/issues/971) (report certtool being unable to extend certs beyond 2049)
- * [openstack](https://review.opendev.org/#/c/717164) (backport of patch to drop unreproducible sphinx .pickl files)
- * [libxslt](https://gitlab.gnome.org/GNOME/libxslt/-/issues/37) (report bug about randomly nondeterministic output from data corruption)
- * [gnutls](https://gitlab.com/gnutls/gnutls/-/issues/980) (report copyright year variation)
- * [python-astropy](https://github.com/astropy/astropy/issues/10228) (report FTBFS-2021)
- * [x3270](https://sourceforge.net/p/x3270/code/merge-requests/2/) (merged, update date patch after upstream forgot 1 line in the merge)
- * [elixir](https://github.com/elixir-lang/elixir/issues/10000) (fixed, parallelism)
- * [cri-o](https://github.com/cri-o/cri-o/issues/3702) (report date)
- * [acoular](https://github.com/acoular/acoular/issues/36) (report unknown nondeterminism - may be ASLR/random in python marshal)
-
-#### openSUSE
+## News
+
+It was discovered that more than 725 malicious packages were downloaded thousands of times from [RubyGems](https://rubygems.org/), the official channel for distributing code for the Ruby programming language. Attackers used a variation of "[typosquatting](https://en.wikipedia.org/wiki/Typosquatting)" and replaced hyphens and underscores (for example, uploading a malevolent `atlas-client` in place of `atlas_client`) that [executed a script that intercepted Bitcoin payments](https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems). ([Ars Technica report](https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/).)
+
+[![]({{ "/images/reports/2020-04/ccc-post.png#right" | prepend: site.baseurl }})](https://www.ccc.de/en/updates/2020/contact-tracing-requirements)
+
+There was a post on [Chaos Computer Club](https://www.ccc.de/en/)'s website listing [*Ten requirements for the evaluation of "Contact Tracing" apps*](https://www.ccc.de/en/updates/2020/contact-tracing-requirements) in relation to the SARS-CoV-2 epidemic. In particular:
+
+> **4. Transparency and verifiability:** The complete source code for the app and infrastructure must be freely available without access restrictions to allow audits by all interested parties. Reproducible build techniques must be used to ensure that users can verify that the app they download has been built from the audited source code.
+
+Elsewhere, nicolas Boulenguez [wrote a patch](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87972) for the [Ada programming language](https://en.wikipedia.org/wiki/Ada_(programming_language)) component of the [GCC compiler](https://gcc.gnu.org/) to skip `-f.*-prefix-map` options when writing [Ada Library Information](https://gcc.gnu.org/onlinedocs/gcc-9.3.0/gnat_ugn/The-Ada-Library-Information-Files.html) files. Amongst other properties, these `.ali` files embed the compiler flags used at the time of the build which results in the absolute build path being recorded via [`-ffile-prefix-map`](https://gcc.gnu.org/onlinedocs/gcc/Overall-Options.html#index-ffile-prefix-map), `-fdebug-prefix-map`, etc.
+
+[![]({{ "/images/reports/2020-04/archlinux.png#right" | prepend: site.baseurl }})](https://archlinux.org)
+
+In the [Arch Linux](https://archlinux.org/) project, *kpcyrd* reported that [they held their first "rebuilder workshop"](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001892.html). The session was held on IRC and participants were provided document with instructions on how to install and use Arch's [`repro`](https://github.com/archlinux/archlinux-repro/) tool. The meeting resulted in multiple people with no prior experience of Reproducible Builds validate their first package. Later in the month *kpcyrd* also announced that it was [now possible to run independent rebuilders](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001905.html) in Arch, a "hands-off, everything just works™" solution to distributed package verification.
+
+Bernhard M. Wiedemann set up a new [`ismypackagereproducibleyet.com`](https://ismypackagereproducibleyet.org/) service that takes a package name as input and concisely displays whether the package is reproducible in a number of distributions. For example, it can quickly [show the status of Perl](https://ismypackagereproducibleyet.org/?pkg=perl) as being reproducible on [OpenSuse](https://www.opensuse.org/) but not in [Debian](https://debian.org/). In addition, Bernhard improved the documentation of his deliberately ["unreproducible package"](https://github.com/bmwiedemann/theunreproduciblepackage) to add some example patches for hash issues. [[...](https://github.com/bmwiedemann/theunreproduciblepackage/commit/53d4263b461b7b7f1239e34536eaf77e5c61b174)].
+
+[Mathias Lang](https://twitter.com/Geod241) submitted a pull request against the canonical compiler for the ['D' programming language](https://dlang.org/), [`dmd`](https://dlang.org/dmd-linux.html) to add support for our [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/) environment variable as well the other C preprocessor tokens such `__DATE__`, `__TIME__` and `__TIMESTAMP__` which was subsequently merged. `SOURCE_DATE_EPOCH` defines a distribution-agnostic standard for build toolchains to consume and emit timestamps in situations where they are deemed to be necessary. [[...](https://github.com/dlang/dmd/pull/11035)]
+
+[![]({{ "/images/reports/2020-04/telegram.png#right" | prepend: site.baseurl }})](https://telegram.org)
+
+The [Telegram](https://telegram.org/) instant-messaging platform [announced that they had updated to version 5.1.1](https://twitter.com/TelegramBeta/status/1256210359570046976) continuing their claim that they are reproducible according to [their full instructions](https://core.telegram.org/reproducible-builds) and therefore verifying that its original source code is exactly the same code that is used to build the versions available on the Apple App Store and Google Play distribution platforms respectfully.
+
+Lastly, Hervé Boutemy reported that 97% of the current [development versions of various Maven packages](https://github.com/jvm-repo-rebuild/reproducible-maven-HEAD) demonstrate that they have a reproducible build. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001882.html)]
+
+<br>
+
+## Distribution work
+
+[![]({{ "/images/reports/2020-04/debian.png#right" | prepend: site.baseurl }})](https://debian.org/)
+
+In, [Debian](https://debian.org/) this month Holger Levsen filed a bug report against the [`debrebuild`](https://salsa.debian.org/debian/devscripts/-/blob/master/scripts/debrebuild.pl) tool that attempts to rebuild a Debian package given a `.buildinfo` file to [add a `--standalone` or `--one-shot-mode`](https://bugs.debian.org/958750) functionality.
+
+In addition, 89 reviews of Debian packages were added, 21 were updated and 33 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Many issue types were noticed, categorised and updated by Chris Lamb, including:
+
+* [`captures_build_path_in_hd5_database_files`](https://tests.reproducible-builds.org/debian/issues/unstable/captures_build_path_in_hd5_database_files.html)
+* [`cargo_installs_crates2_json`](https://tests.reproducible-builds.org/debian/issues/unstable/cargo_installs_crates2_json.html)
+* [`nondeterministic_devhelp_documentation_generated_by_gtk_doc`](https://tests.reproducible-builds.org/debian/issues/unstable/nondeterministic_devhelp_documentation_generated_by_gtk_doc.html)
+* [`ros_dynamic_reconfigure_captures_build_path`](https://tests.reproducible-builds.org/debian/issues/unstable/ros_dynamic_reconfigure_captures_build_path.html)
+
+[![]({{ "/images/reports/2020-04/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
+
+In [openSUSE](https://www.opensuse.org/), Bernhard M. Wiedemann made the following changes:
+
+* [`blender`](https://build.opensuse.org/request/show/791039) (sort C `readdir` call, [rejected upstream](https://developer.blender.org/D5858))
+* [`guile/guix`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170378) (parallelism race condition)
+* [`mingw32-filesystem/mingw32-binutils`](https://build.opensuse.org/request/show/795715) (sort `readdir`, filesystem, toolchain)
+* [`mingw64-filesystem/mingw64-binutils`](https://build.opensuse.org/request/show/795584) (sort `readdir`, filesystem, toolchain)
+* [`musescore`](https://build.opensuse.org/request/show/798383) (non-deterministic `.zip` files)
+* [`OBS`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170524) (FTBFS in rebuild)
+* [`perl-Image-Sane`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170639) (report hung build on a single core VM)
+* [`ruby2.7`](https://build.opensuse.org/request/show/793752) (date, [already upstream](https://github.com/ruby/io-console/commit/679a941d05d869f5e575730f6581c027203b7b26))
+* [`vtk`](https://build.opensuse.org/request/show/798062) (drop unreproducible `.pyc` file)
+
+[![]({{ "/images/reports/2020-04/archlinux.png#right" | prepend: site.baseurl }})](https://archlinux.org)
+
+In [Arch Linux](https://archlinux.org), a rebuilder instance has been setup at [reproducible.archlinux.org](http://reproducible.archlinux.org/) that is rebuilding Arch's `[core]` repository directly. The first rebuild has led to approximately 75% packages reproducible contrasting with 94% on the Reproducible Build's project own [ArchLinux status page on `tests.reproducible-builds.org`](https://tests.reproducible-builds.org/archlinux/state_core_reproducible.html), likely due to a configuration error. More information may be found on the [corresponding wiki page](https://wiki.archlinux.org/index.php/Package_rebuilders) and the [underlying decisions were explained](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001892.html) on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/).
+
+<br>
+
+## Software development
+
+#### [diffoscope](https://diffoscope.org)
+
+[![]({{ "/images/reports/2020-04/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
+
+Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), the Reproducible Builds project's in-depth and content-aware diff utility that can locate and diagnose reproducibility issues (including preparing and uploading versions `139`, `140`, `141` and `142` to Debian):
+
+* Comparison improvements:
+
+ * [Dalvik](https://source.android.com/devices/tech/dalvik) `.dex` files can also serve as [APK containers](https://en.wikipedia.org/wiki/Android_application_package) so restrict the narrower identification of `.dex` files to files ending with this extension and widen the identification of APK files to when file(1) discovers a Dalvik file. ([#28](https://salsa.debian.org/reproducible-builds/diffoscope/issue/28))
+ * Add support for Hierarchical Data Format (HD5) files. ([#95](https://salsa.debian.org/reproducible-builds/diffoscope/issues/95))
+ * Add support for `.p7c` and `.p7b` certificates. ([#94](https://salsa.debian.org/reproducible-builds/diffoscope/issues/94))
+ * Strip paths from the output of `zipinfo(1)` warnings. ([#97](https://salsa.debian.org/reproducible-builds/diffoscope/issues/97))
+ * Don't uselessly include the JSON "similarity" percentage if it is "0.0%". [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f68a087)]
+ * Render multi-line difference comments in a way to show indentation. ([#101](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b72ff87))
+
+* Testsuite improvements:
+
+ * Add `pdftotext` as a requirement to run the PDF `test_metadata` text. ([#99](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c2a35f9))
+ * [apktool](https://ibotpeaches.github.io/Apktool/) 2.5.0 changed the handling of output of [XML schemas](https://en.wikipedia.org/wiki/XML_schema) so update and restrict the corresponding test to match. ([#96](https://salsa.debian.org/reproducible-builds/diffoscope/issues/96))
+ * Explicitly list `python3-h5py` in `debian/tests/control.in` to ensure that we have this module installed during a test run to generate the fixtures in these tests. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/451b8ab)]
+ * Correct parsing of `./setup.py test --pytest-args` arguments. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2fb1ac2)]
+
+* Misc:
+
+ * Capitalise "Ordering differences only" in text comparison comments. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/30be510)]
+ * Improve documentation of `FILE_TYPE_HEADER_PREFIX` and `FALLBACK_FILE_TYPE_HEADER_PREFIX` to highlight that only the first 16 bytes are used. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5a8d64f)]
+
+Michael Osipov created a well-researched merge request to return *diffoscope* to using `zipinfo` directly instead of piping input via `/dev/stdin` in order to ensure portability to the [BSD operating system](https://en.wikipedia.org/wiki/Berkeley_Software_Distribution). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/125b140)]
+
+In addition, [Ben Hutchings](https://www.decadent.org.uk/ben/) documented how `--exclude` arguments are matched against filenames [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/137111b)] and Jelle van der Waa updated the [LLVM](https://llvm.org/) test fixture difference for LLVM vesion 10 [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c645b97)] as well as adding an reference to the name of the `h5dump` tool in [Arch Linux](https://archlinux.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/86bbbec)].
+
+Lastly, Mattia Rizzolo also fixed in incorrect build dependency [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/beb845d)] and Vagrant Cascadian enabled *diffoscope* to locate the `openssl` and `h5dump` packages on [GNU Guix](https://guix.gnu.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/108bcb7)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e80650b)].
+
+#### [strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism)
+
+[strip-nondeterminism](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from a completed build. In April, Chris Lamb made the following changes:
+
+* Add deprecation plans to all handlers documenting how — or if — they could be disabled and eventually removed, etc. ([#3](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/c0d6b21))
+* Normalise `*.sym` files as Java archives. ([#15](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issue/15))
+* Add support for custom `.zip` filename filtering and exclude two patterns of files generated by [Maven](http://maven.apache.org/) projects in "fork" mode. ([#13](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issue/13))
+
+#### [disorderfs](https://tracker.debian.org/pkg/disorderfs)
+
+[disorderfs](https://tracker.debian.org/pkg/disorderfs) is our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.
+
+This month, Chris Lamb fixed a long-standing issue by not drop UNIX groups in FUSE multi-user mode when we are not root ([#1](https://salsa.debian.org/reproducible-builds/disorderfs/issues/1)) and uploaded version `0.5.9-1` to Debian *unstable*.
+
+#### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
* Bernhard M. Wiedemann:
- * [`blender`](https://build.opensuse.org/request/show/791039) (sort C readdir, [rejected upstream](https://developer.blender.org/D5858))
- * [`ruby2.7`](https://build.opensuse.org/request/show/793752) (date, [already upstream](https://github.com/ruby/io-console/commit/679a941d05d869f5e575730f6581c027203b7b26))
- * [`mingw64-filesystem/mingw64-binutils`](https://build.opensuse.org/request/show/795584) (sort readdir, filesystem, toolchain)
- * [`mingw32-filesystem/mingw32-binutils`](https://build.opensuse.org/request/show/795715) (sort readdir, filesystem, toolchain)
- * [`vtk`](https://build.opensuse.org/request/show/798062) (submit upstream patch, drop unreproducible .pyc file)
- * [`musescore`](https://build.opensuse.org/request/show/798383) (use strip-nondeterminism on .zip files)
- * [`OBS`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170524) (FTBFS in rebuild)
- * [`perl-Image-Sane`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170639) (report stuck build on 1-core-VM)
- * [`guile/guix`](https://bugzilla.opensuse.org/show_bug.cgi?id=1170378) (toolchain, parallelism race)
-#### Debian
+ * [`elixir`](https://github.com/elixir-lang/elixir/issues/10000) (parallelism)
+ * [`gnutls`](https://gitlab.com/gnutls/gnutls/-/merge_requests/1230) (build failure)
+ * [`moonjit/bcc`](https://github.com/moonjit/moonjit/issues/110) (compile-time CPU-detection)
+ * [`openstack`](https://review.opendev.org/#/c/717164) (backport of patch to drop unreproducible sphinx `.pickle` files)
+ * [`x3270`](https://sourceforge.net/p/x3270/code/merge-requests/2/) (merged, update date patch)
+
+* Chris Lamb:
+
+ * [#955501](https://bugs.debian.org/955501) filed against [`yaz`](https://tracker.debian.org/pkg/yaz).
+ * [#955783](https://bugs.debian.org/955783) filed against [`netgen-lvs`](https://tracker.debian.org/pkg/netgen-lvs).
+ * [#956304](https://bugs.debian.org/956304) filed against [`libcamera`](https://tracker.debian.org/pkg/libcamera).
+ * [#956408](https://bugs.debian.org/956408) filed against [`minetest-mod-xdecor`](https://tracker.debian.org/pkg/minetest-mod-xdecor).
+ * [#956473](https://bugs.debian.org/956473) filed against [`sprai`](https://tracker.debian.org/pkg/sprai).
+ * [#956477](https://bugs.debian.org/956477) filed against [`herbstluftwm`](https://tracker.debian.org/pkg/herbstluftwm).
+ * [#956549](https://bugs.debian.org/956549) filed against [`gmap`](https://tracker.debian.org/pkg/gmap).
+ * [#956583](https://bugs.debian.org/956583) filed against [`xxhash`](https://tracker.debian.org/pkg/xxhash).
+ * [#956588](https://bugs.debian.org/956588) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).
+ * [#956589](https://bugs.debian.org/956589) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).
+ * [#956591](https://bugs.debian.org/956591) filed against [`gpick`](https://tracker.debian.org/pkg/gpick).
+ * [#958110](https://bugs.debian.org/958110) filed against [`nickle`](https://tracker.debian.org/pkg/nickle).
+ * [#958301](https://bugs.debian.org/958301) filed against [`dh-cargo`](https://tracker.debian.org/pkg/dh-cargo).
+ * [#958381](https://bugs.debian.org/958381) filed against [`nmrpflash`](https://tracker.debian.org/pkg/nmrpflash).
+ * [#958382](https://bugs.debian.org/958382) filed against [`node-mqtt`](https://tracker.debian.org/pkg/node-mqtt).
+
+In addition, Bernhard informed the following projects that their packages are not reproducible:
+
+* [`acoular`](https://github.com/acoular/acoular/issues/36) (report nondeterminism)
+* [`cri-o`](https://github.com/cri-o/cri-o/issues/3702) (report a date)
+* [`gnutls`](https://gitlab.com/gnutls/gnutls/-/issues/971) (report `certtool` being unable to extend certificates beyond 2049)
+* [`gnutls`](https://gitlab.com/gnutls/gnutls/-/issues/980) (report copyright year variation)
+* [`libxslt`](https://gitlab.gnome.org/GNOME/libxslt/-/issues/37) (report bug about nondeterministic output from data corruption)
+* [`python-astropy`](https://github.com/astropy/astropy/issues/10228) (report a build failure in 2021)
+
+#### Project documentation
+
+[![]({{ "/images/reports/2020-04/website.png#right" | prepend: site.baseurl }})]({{ "/" | prepend: site.baseurl }})
+
+This month, Chris Lamb made a large number of changes to [our website and documentation](https://reproducible-builds.org/) in the following categories:
+
+* Community engagement improvements:
+
+ * Update instructions to register for Salsa on our [Contribute](https://reproducible-builds.org/contribute/) page now that the signup process has been overhauled. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ba4ae1)]
+ * Make it clearer that joining the [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general) mailing list is probably a first step for contributors to take. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/cbb4ce0)]
+ * Make our full contact information easier to find in the footer ([#19](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/19)) and improve text layout using bullets to separate sections [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e9da17c)].
+
+* Accessibility:
-* Holger filed a feature request for [«debrebuild: please add --standalone mode or --one-shot-mode»](https://bugs.debian.org/958750).
+ * To improve accessibility, make all links underlined. ([#12](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/12))
+ * Use an enhanced foreground/background contrast ratio of 7.04:1. ([#11](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/11))
-#### Arch Linux
+* General improvements:
+
+ * Add a new [Academic publications](https://reproducible-builds.org/docs/publications/) page. ([#22](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/22))
+ * Add [Trezor](https://trezor.io/) to our [list of affiliated projects](https://reproducible-builds.org/who/). ([#26](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/26))
+ * Add the [JVM](https://reproducible-builds.org/docs/jvm/) page to the [documentation index](https://reproducible-builds.org/docs/) ([#17](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/17)) and tidy the page itself a little [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c93eb81)].
+ * Add a [GNU Libtool](https://www.gnu.org/software/libtool/) pointer to the [Archive metadata](https://reproducible-builds.org/docs/archives/) documentation page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8e01958)]
+
+* Internals:
+ * Move to using [`jekyll-redirect-from`](https://github.com/jekyll/jekyll-redirect-from) over manual redirect pages [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1ab8fa4)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b3e79ff)] and add a redirect from `/docs/buildinfo/` to `/docs/recording/`. ([#23](https://salsa.debian.org/reproducible-builds/reproducible-website/issues/23))
+ * Limit the website self-check to not scan generated files [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e5e8424)] and remove the "old layout" checker now that I have migrated all them [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d9e24a9)].
+ * Move the news archive under the `/news/` namespace [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c7010eb)] and improve formatting of archived news links [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/49dacb3)].
+ * Various improvements to the draft template generation. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d31bafc)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2ac054e)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dba77a7)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/604af57)]
+
+In addition, Holger Levsen clarified exactly which month we ceased to do weekly reports [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3c08673)] and Mattia Rizzolo adjusted the title style of an event page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/156aa34)].
+
+Marcus Hoffman also started a discussion on our website's issue tracker asking for [clarification on embedded signatures](https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/25) and Chris Lamb [subsequently replied and asked Marcus to go ahead](https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/25#note_157047) and propose a concrete change.
+
+#### Testing framework
+
+[![]({{ "/images/reports/2019-10/testframework.png#right" | prepend: site.baseurl }})](https://tests.reproducible-builds.org/)
+
+We operate a large and many-featured [Jenkins](https://jenkins.io/)-based testing framework that powers [`tests.reproducible-builds.org`](https://tests.reproducible-builds.org) that, amongst many other tasks, tracks the status of our reproducibility efforts as well as identifies any regressions that have been introduced.
+
+* Chris Lamb:
+
+ * Print the build environment prior to executing a build. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f48b8542)]
+ * Drop a misleading `disorderfs-debug` prefix in log output when we change non-disorderfs things in the file and, as it happens, do not run disorderfs at all. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4d81837b)]
+ * The CSS for the package report pages added a margin to all `<a>` HTML elements under `<li>` ones, which was causing a comma/bullet spacing issue. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2220bac8)]
+ * Tidy the copy in the project links sidebar. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/011ada16)]
+
+* Holger Levsen:
+
+ * General:
+ * Install [`jekyll-redirect-from`](https://github.com/jekyll/jekyll-redirect-from) as it now needed by the [reproducible-builds.org]({{ "/" | prepend: site.baseurl }}) website. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2e545d4a)]
+ * Improve/correct log parsing rules. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c372890b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/99e3da67)]
+
+ * Debian:
+
+ * Reduce scheduling frequency of the *buster* distribution on the `arm64` architecture, etc.. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6d9be0f0)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/279054ab)]
+ * Show builds per day on a per-architecture basis for the last year on the Debian dashboard. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/28596ac5)]
+ * Drop the [Subgraph OS](https://subgraph.com/sgos/) package set as development halted in 2017 or 2018. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/484fcd47)]
+ * Update `debrebuild` to version from the latest version of `devscripts`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/31f3d3c5)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/08b0c032)]
+ * Add or improve various parts of the documentation. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/36c30638)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2ae360dd)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/52639584)]
+
+ * Work on a Debian rebuilder:
+
+ * Integrate `sbuild`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/73491c82)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f2a7c8fa)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e60191e9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b654e217)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/927c1294)]
+ * Select a random `.buildinfo` file and attempt to build and compare the result. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/93287f6d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fbb85afb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/11860066)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4daa1127)]
+ * Improve output and related output formatting. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b8ddff93)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/120d4d5d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b840ae4c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/16a76140)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/010c12ee)]
+ * Outline next steps for the development of the tool. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9c148545)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cac53f4b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bc4dd1d9)]
+ * Various refactoring and code improvements. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/343c9883)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ab3de238)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f4733b9f)]
+
+Lastly, Mattia Rizzolo fixed some log parsing code regarding potentially-harmless warnings from package installation [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/df904c04)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5201fb86)] and rhe usual build node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4b51e82d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fcd3fcfb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/531448ab)] and Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/72bb2afd)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ee643fbb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/16720116)].
+
+---
-A [rebuilderd](https://github.com/kpcyrd/rebuilderd) instance has been setup on [reproducible.archlinux.org](http://reproducible.archlinux.org/) working on reproducing the [core] repository. The ansible role to deploy the master rebuilderd instance is available on Arch Linux's [infrastructure repository](https://git.archlinux.org/infrastructure.git/). The first rebuild of [core] lead to ~75% being reproducible against the 94% on [tests.reproducible-builds.org](https://tests.reproducible-builds.org/archlinux/state_core_reproducible.html), the difference is most likely caused one rebuilder having not been set up correctly and bad packages are being rebuild.
-Rebuilders are listed on the Arch wiki https://wiki.archlinux.org/index.php/Package_rebuilders and the [design decisions were explained by kpcyrd on the rb-general mailinglist](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001892.html).
+## Misc news
-#### FIXME
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Santiago Torres asked [whether we were still publishing releases of our tools](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001886.html) to our website and Chris Lamb replied that [this was not the case and fixed the issue](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001887.html). Later in the month Santiago also reported that [the signature for the `disorderfs` package did not pass its GPG verification](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001901.html) which was also fixed by Chris Lamb.
-* A number of issues have been identified and fixed in [archlinux-repro](https://github.com/archlinux/archlinux-repro/).
- * kpcyrd has successfully rebuilt 31/33 of their packages with repro..
+Hans-Christoph Steiner of the [Guardian Project](https://guardianproject.info/) asked whether there would be interest in [making our website translatable](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001893.html) which resulted in [a WIP merge request](https://salsa.debian.org/reproducible-builds/reproducible-website/-/merge_requests/56) being filed against the website and a discussion on [how to track translation updates](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001897.html).
-* A pull request has been made to make the D compiler [reproducible](https://github.com/dlang/dmd/pull/11035)
+<br>
-* kpcyrd hosted a hands-on Arch Linux rebuilder workshop on the [DiVOC](https://di.c3voc.de/), introducing people to [repro](https://github.com/archlinux/archlinux-repro/). Multiple people with no prior reproducible builds experience were able to rebuild their first package.
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | prepend: site.baseurl }}) page on our website. However, you can get in touch with us via:
-* [FIXME](https://github.com/bmwiedemann/theunreproduciblepackage/commit/53d4263b461b7b7f1239e34536eaf77e5c61b174) document hash sorting patches
+[![]({{ "/images/reports/2020-04/reproducible-builds.png#right" | prepend: site.baseurl }})]({{ "/" | prepend: site.baseurl }})
-* [FIXME](https://www.ccc.de/en/updates/2020/contact-tracing-requirements) among other things, CCC recommends reproducible-builds for coronavirus-tracing apps
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
-* Arnout Engelen created [https://fosstodon.org/@reproducible_builds](https://fosstodon.org/@reproducible_builds) mapping our tweets from twitter..
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds) • [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
-* Hervé Boutemy reported about [reproducible-maven-HEAD, the Reproducibility Check for Apache Maven master HEADs](https://github.com/jvm-repo-rebuild/reproducible-maven-HEAD) reaching 97% reproducible builds (85 out of 87). https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001882.html
+ * Reddit: [/r/ReproducibleBuilds](https://reddit.com/r/reproduciblebuilds)
-* [FIXME](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87972)
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
-* Bernhard set up https://ismypackagereproducibleyet.org/
- * interesting output examples:
- * https://ismypackagereproducibleyet.org/?pkg=perl
- * https://ismypackagereproducibleyet.org/?pkg=glibc
- * PRs welcome at https://github.com/bmwiedemann/ismypackagereproducibleyet
+<br>
+This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and *kpcyrd*. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
+{: .small}
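Review bot: the image under the "Testing framework" heading still points at `/images/reports/2019-10/testframework.png`, although this push adds `images/reports/2020-04/testframework.png` and the `reproducible-builds.png` reference later in the same hunk already uses the `2020-04` directory. As written, the new file would go unused, so the path should probably read `/images/reports/2020-04/testframework.png#right`, the same kind of location fix the first commit in this push applies to the 2020-03 report. A few wording slips in the added text are also worth fixing before the draft is published: "as it now needed" is missing "is", "etc.." has a doubled full stop, "rhe usual build node maintenance" should read "the", "Update `debrebuild` to version from the latest version of `devscripts`" repeats "version", and "However, you can get in touch with us via:" has nothing to contrast with, so "Alternatively" may be what was meant.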
=====================================
images/reports/2020-04/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/archlinux.png differ
=====================================
images/reports/2020-04/ccc-post.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/ccc-post.png differ
=====================================
images/reports/2020-04/debian.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/debian.png differ
=====================================
images/reports/2020-04/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/diffoscope.png differ
=====================================
images/reports/2020-04/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/opensuse.png differ
=====================================
images/reports/2020-04/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/reproducible-builds.png differ
=====================================
images/reports/2020-04/telegram.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/telegram.png differ
=====================================
images/reports/2020-04/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/testframework.png differ
=====================================
images/reports/2020-04/website.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/5d553033ceba8eba903678806b39d975d4faab30...9f202d459c281c8e7ab6b195b8a9e927008e9039