[Git][reproducible-builds/reproducible-website][master] 2 commits: 2020-04: Final changes prior to publication.

Chris Lamb gitlab at salsa.debian.org
Wed May 6 15:11:24 UTC 2020



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
40460aa0 by Chris Lamb at 2020-05-06T16:10:38+01:00
2020-04: Final changes prior to publication.

- - - - -
21080b9d by Chris Lamb at 2020-05-06T16:11:15+01:00
published as https://reproducible-builds.org/reports/2020-04/

- - - - -


2 changed files:

- _reports/2020-04.md
- + images/reports/2020-04/rubygems.png


Changes:

=====================================
_reports/2020-04.md
=====================================
@@ -3,7 +3,8 @@ layout: report
 year: "2020"
 month: "04"
 title: "Reproducible Builds in April 2020"
-draft: true
+draft: false
+published: 2020-05-06 15:11:15
 ---
 
 **Welcome to the April 2020 report from the [Reproducible Builds]({{ "/" | prepend: site.baseurl }}) project.** In our regular reports we outline the most important things that we and the rest of the community have been up to over the past month.
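Review bot: the new `published: 2020-05-06 15:11:15` front-matter value carries no timezone offset, while the commit timestamps in this notification are given as `+01:00` and the value itself matches the UTC mail time; if the site is ever built with a non-UTC timezone the published time will be interpreted differently from the commit time. Consider writing it as `2020-05-06 15:11:15 +0000` so it is unambiguous.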
@@ -15,7 +16,11 @@ draft: true
 
 ## News
 
-It was discovered that more than 725 malicious packages were downloaded thousands of times from [RubyGems](https://rubygems.org/), the official channel for distributing code for the Ruby programming language. Attackers used a variation of "[typosquatting](https://en.wikipedia.org/wiki/Typosquatting)" and replaced hyphens and underscores (for example, uploading a malevolent `atlas-client` in place of `atlas_client`) that [executed a script that intercepted Bitcoin payments](https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems). ([Ars Technica report](https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/).)
+[![]({{ "/images/reports/2020-04/rubygems.png#right" | prepend: site.baseurl }})](https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/)
+
+It was discovered that more than 725 malicious packages were downloaded thousands of times from [RubyGems](https://rubygems.org/), the official channel for distributing code for the Ruby programming language. Attackers used a variation of "[typosquatting](https://en.wikipedia.org/wiki/Typosquatting)" and replaced hyphens and underscores (for example, uploading a malevolent `atlas-client` in place of `atlas_client`) that [executed a script that intercepted Bitcoin payments](https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems). ([Ars Technica report](https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/))
+
+Bernhard M. Wiedemann launched [`ismypackagereproducibleyet.org`](https://ismypackagereproducibleyet.org/), a service that takes a package name as input and displays whether the package is reproducible in a number of distributions. For example, it can quickly [show the status of Perl](https://ismypackagereproducibleyet.org/?pkg=perl) as being reproducible on [openSUSE](https://www.opensuse.org/) but not in [Debian](https://debian.org/).  Bernhard also improved the documentation of his ["unreproducible package"](https://github.com/bmwiedemann/theunreproduciblepackage) to add some example patches for hash issues. [[...](https://github.com/bmwiedemann/theunreproduciblepackage/commit/53d4263b461b7b7f1239e34536eaf77e5c61b174)].
 
 [![]({{ "/images/reports/2020-04/ccc-post.png#right" | prepend: site.baseurl }})](https://www.ccc.de/en/updates/2020/contact-tracing-requirements)
 
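Review bot: the relocated Bernhard M. Wiedemann paragraph has a double space before "Bernhard also improved", and it drops the word "deliberately" that the version of the paragraph removed further down this patch used to describe the "unreproducible package"; suggest restoring `his deliberately ["unreproducible package"](...)` so readers do not mistake the name for a defect. The paragraph also ends with `[[...](...)].`, a full stop after the citation bracket, which the other citations in this hunk do not carry.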
@@ -27,17 +32,15 @@ Elsewhere, Nicolas Boulenguez [wrote a patch](https://gcc.gnu.org/bugzilla/show_
 
 [![]({{ "/images/reports/2020-04/archlinux.png#right" | prepend: site.baseurl }})](https://archlinux.org)
 
-In the [Arch Linux](https://archlinux.org/) project, *kpcyrd* reported that [they held their first "rebuilder workshop"](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001892.html). The session was held on IRC and participants were provided a document with instructions on how to install and use Arch's [`repro`](https://github.com/archlinux/archlinux-repro/) tool. The meeting resulted in multiple people with no prior experience of Reproducible Builds validate their first package. Later in the month *kpcyrd* also announced that it was [now possible to run independent rebuilders](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001905.html) in Arch, a "hands-off, everything just works™" solution to distributed package verification.
+In the [Arch Linux](https://archlinux.org/) project, *kpcyrd* reported that [they held their first "rebuilder workshop"](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001892.html). The session was held on IRC and participants were provided a document with instructions on how to install and use Arch's [`repro`](https://github.com/archlinux/archlinux-repro/) tool. The meeting resulted in multiple people with no prior experience of Reproducible Builds validate their first package. Later in the month he also announced that it was [now possible to run independent rebuilders](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001905.html) under Arch in a "hands-off, everything just works™" solution to distributed package verification.
 
-Bernhard M. Wiedemann set up a new [`ismypackagereproducibleyet.org`](https://ismypackagereproducibleyet.org/) service that takes a package name as input and concisely displays whether the package is reproducible in a number of distributions. For example, it can quickly [show the status of Perl](https://ismypackagereproducibleyet.org/?pkg=perl) as being reproducible on [openSUSE](https://www.opensuse.org/) but not in [Debian](https://debian.org/). In addition, Bernhard improved the documentation of his deliberately ["unreproducible package"](https://github.com/bmwiedemann/theunreproduciblepackage) to add some example patches for hash issues. [[...](https://github.com/bmwiedemann/theunreproduciblepackage/commit/53d4263b461b7b7f1239e34536eaf77e5c61b174)].
-
-[Mathias Lang](https://twitter.com/Geod241) submitted a pull request against the canonical compiler for the ['D' programming language](https://dlang.org/), [`dmd`](https://dlang.org/dmd-linux.html), to add support for our [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/) environment variable as well the other C preprocessor tokens such `__DATE__`, `__TIME__` and `__TIMESTAMP__` which was subsequently merged. `SOURCE_DATE_EPOCH` defines a distribution-agnostic standard for build toolchains to consume and emit timestamps in situations where they are deemed to be necessary. [[...](https://github.com/dlang/dmd/pull/11035)]
+[Mathias Lang](https://twitter.com/Geod241) submitted a pull request against [`dmd`](https://dlang.org/dmd-linux.html), the canonical compiler for the ['D' programming language](https://dlang.org/)to add support for our [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/) environment variable as well the other C preprocessor tokens such `__DATE__`, `__TIME__` and `__TIMESTAMP__` which was subsequently merged. `SOURCE_DATE_EPOCH` defines a distribution-agnostic standard for build toolchains to consume and emit timestamps in situations where they are deemed to be necessary. [[...](https://github.com/dlang/dmd/pull/11035)]
 
 [![]({{ "/images/reports/2020-04/telegram.png#right" | prepend: site.baseurl }})](https://telegram.org)
 
 The [Telegram](https://telegram.org/) instant-messaging platform [announced that they had updated to version 5.1.1](https://twitter.com/TelegramBeta/status/1256210359570046976) continuing their claim that they are reproducible according to [their full instructions](https://core.telegram.org/reproducible-builds) and therefore verifying that its original source code is exactly the same code that is used to build the versions available on the Apple App Store and Google Play distribution platforms respectfully.
 
-Lastly, Hervé Boutemy reported that 97% of the current [development versions of various Maven packages](https://github.com/jvm-repo-rebuild/reproducible-maven-HEAD) demonstrate that they have a reproducible build. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001882.html)]
+Lastly, Hervé Boutemy reported that 97% of the [current development versions of various Maven packages](https://github.com/jvm-repo-rebuild/reproducible-maven-HEAD) appear to have a reproducible build. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001882.html)]
 
 <br>
 
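Review bot: the rewritten Mathias Lang paragraph runs the URL into the next word, `language](https://dlang.org/)to add support`, and needs a comma and a space there: `language](https://dlang.org/), to add support`. The same sentence still reads "as well the other C preprocessor tokens such `__DATE__`", which wants "as well as" and "such as". In the Arch Linux paragraph "resulted in multiple people ... validate their first package" should be "validating", and the unchanged Telegram context line's "respectfully" should be "respectively".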
@@ -45,15 +48,18 @@ Lastly, Hervé Boutemy reported that 97% of the current [development versions of
 
 [![]({{ "/images/reports/2020-04/debian.png#right" | prepend: site.baseurl }})](https://debian.org/)
 
-In [Debian](https://debian.org/), this month Holger Levsen filed a feature request against [`debrebuild`](https://salsa.debian.org/debian/devscripts/-/blob/master/scripts/debrebuild.pl), a tool for rebuilding a Debian package given a `.buildinfo` file, proposing to [add a `--standalone` or `--one-shot-mode`](https://bugs.debian.org/958750) functionality.
 
-In addition, 89 reviews of Debian packages were added, 21 were updated and 33 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Many issue types were noticed, categorised and updated by Chris Lamb, including:
+In [Debian](https://debian.org/) this month, 89 reviews of Debian packages were added, 21 were updated and 33 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Many issue types were noticed, categorised and updated by Chris Lamb, including:
 
 * [`captures_build_path_in_hd5_database_files`](https://tests.reproducible-builds.org/debian/issues/unstable/captures_build_path_in_hd5_database_files.html)
 * [`cargo_installs_crates2_json`](https://tests.reproducible-builds.org/debian/issues/unstable/cargo_installs_crates2_json.html)
 * [`nondeterministic_devhelp_documentation_generated_by_gtk_doc`](https://tests.reproducible-builds.org/debian/issues/unstable/nondeterministic_devhelp_documentation_generated_by_gtk_doc.html)
 * [`ros_dynamic_reconfigure_captures_build_path`](https://tests.reproducible-builds.org/debian/issues/unstable/ros_dynamic_reconfigure_captures_build_path.html)
 
+In addition, Holger Levsen filed a feature request against [`debrebuild`](https://salsa.debian.org/debian/devscripts/-/blob/master/scripts/debrebuild.pl), a tool for rebuilding a Debian package given a `.buildinfo` file, proposing to [add `--standalone` or `--one-shot-mode`](https://bugs.debian.org/958750) functionality.
+
+<br>
+
 [![]({{ "/images/reports/2020-04/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
 
 In [openSUSE](https://www.opensuse.org/), Bernhard M. Wiedemann made the following changes:
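Review bot: the new opening sentence says "this month" twice, "In [Debian](...) this month, 89 reviews ... and 33 were removed this month"; drop the second occurrence. Moving the `debrebuild` paragraph after the issue list otherwise reads well.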
@@ -80,7 +86,7 @@ In [Arch Linux](https://archlinux.org), a rebuilder instance has been setup at [
 
 [![]({{ "/images/reports/2020-04/diffoscope.png#right" | prepend: site.baseurl }})](https://diffoscope.org)
 
-Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), the Reproducible Builds project's in-depth and content-aware diff utility that can locate and diagnose reproducibility issues (including preparing and uploading versions `139`, `140`, `141`, `142` and `143` to Debian):
+Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), the Reproducible Builds project's in-depth and content-aware diff utility that can locate and diagnose reproducibility issues (including preparing and uploading versions `139`, `140`, `141`, `142` and `143` to Debian which were subsequently uploaded to the [*backports*](https://backports.debian.org/) repository):
 
 * Comparison improvements:
 
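Review bot: the reworded diffoscope sentence now says the versions "were subsequently uploaded to the backports repository" but loses the credit to Mattia Rizzolo that the sentence it replaces further down this patch ("After the above several releases, Mattia Rizzolo also uploaded them to the backports suite") carried; suggest "which Mattia Rizzolo subsequently uploaded to the [*backports*](https://backports.debian.org/) repository" so the attribution survives the merge.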
@@ -103,11 +109,7 @@ Chris Lamb made the following changes to [diffoscope](https://diffoscope.org), t
     * Capitalise "Ordering differences only" in text comparison comments. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/30be510)]
     * Improve documentation of `FILE_TYPE_HEADER_PREFIX` and `FALLBACK_FILE_TYPE_HEADER_PREFIX` to highlight that only the first 16 bytes are used. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5a8d64f)]
 
-Michael Osipov created a well-researched merge request to return *diffoscope* to using `zipinfo` directly instead of piping input via `/dev/stdin` in order to ensure portability to the [BSD operating system](https://en.wikipedia.org/wiki/Berkeley_Software_Distribution). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/125b140)]
-
-In addition, [Ben Hutchings](https://www.decadent.org.uk/ben/) documented how `--exclude` arguments are matched against filenames [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/137111b)] and Jelle van der Waa updated the [LLVM](https://llvm.org/) test fixture difference for LLVM version 10 [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c645b97)] as well as adding a reference to the name of the `h5dump` tool in [Arch Linux](https://archlinux.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/86bbbec)].
-
-After the above several releases, Mattia Rizzolo also uploaded them to the [*backports*](https://backports.debian.org/) suite of Debian for easy access to stable users.
+Michael Osipov created a well-researched merge request to return *diffoscope* to using `zipinfo` directly instead of piping input via `/dev/stdin` in order to ensure portability to the [BSD operating system](https://en.wikipedia.org/wiki/Berkeley_Software_Distribution) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/125b140)]. In addition, [Ben Hutchings](https://www.decadent.org.uk/ben/) documented how `--exclude` arguments are matched against filenames [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/137111b)] and Jelle van der Waa updated the [LLVM](https://llvm.org/) test fixture difference for LLVM version 10 [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c645b97)] as well as adding a reference to the name of the `h5dump` tool in [Arch Linux](https://archlinux.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/86bbbec)].
 
 Lastly, Mattia Rizzolo also fixed in incorrect build dependency [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/beb845d)] and Vagrant Cascadian enabled *diffoscope* to locate the `openssl` and `h5dump` packages on [GNU Guix](https://guix.gnu.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/108bcb7)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e80650b)], and updated diffoscope in [GNU Guix](https://guix.gnu.org/) to version 141 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2d9886f7e8838d6aeb0cfb20a2a49fc7d8fb233c)] and 143 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ac4fefb2983aff5e5972b4279aee5296a08aab6a)].
 
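Review bot: the unchanged context line after this hunk's `+` block still reads "fixed in incorrect build dependency", which should be "fixed an incorrect build dependency"; since the surrounding paragraph is being restructured anyway, this is the place to correct it. The merged Osipov/Hutchings/van der Waa paragraph is fine otherwise.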
@@ -121,11 +123,9 @@ Lastly, Mattia Rizzolo also fixed in incorrect build dependency [[...](http
 
 #### [disorderfs](https://tracker.debian.org/pkg/disorderfs)
 
-[disorderfs](https://tracker.debian.org/pkg/disorderfs) is our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues. 
-
-This month, Chris Lamb fixed a long-standing issue by not drop UNIX groups in FUSE multi-user mode when we are not root ([#1](https://salsa.debian.org/reproducible-builds/disorderfs/issues/1)) and uploaded version `0.5.9-1` to Debian *unstable*.
+[disorderfs](https://tracker.debian.org/pkg/disorderfs) is our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.
 
-Vagrant Cascadian subsequently updated disorderfs in [GNU Guix](https://guix.gnu.org/) to version 0.5.9 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=cdac010c1936f5d909d4b7f74961fa41ad754f3e)].
+This month, Chris Lamb fixed a long-standing issue by not drop UNIX groups in FUSE multi-user mode when we are not root ([#1](https://salsa.debian.org/reproducible-builds/disorderfs/issues/1)) and uploaded version `0.5.9-1` to Debian *unstable*. Vagrant Cascadian subsequently refreshed disorderfs in [GNU Guix](https://guix.gnu.org/) to version 0.5.9 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=cdac010c1936f5d909d4b7f74961fa41ad754f3e)].
 
 #### Upstream patches
 
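Review bot: the merged `+` line carries over the grammatical error from the removed line, "fixed a long-standing issue by not drop UNIX groups"; it should read "by not dropping UNIX groups in FUSE multi-user mode when we are not root".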
@@ -141,30 +141,29 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
 * Chris Lamb:
 
-    * [#955501](https://bugs.debian.org/955501) filed against [`yaz`](https://tracker.debian.org/pkg/yaz).
-    * [#955783](https://bugs.debian.org/955783) filed against [`netgen-lvs`](https://tracker.debian.org/pkg/netgen-lvs).
-    * [#956304](https://bugs.debian.org/956304) filed against [`libcamera`](https://tracker.debian.org/pkg/libcamera).
-    * [#956408](https://bugs.debian.org/956408) filed against [`minetest-mod-xdecor`](https://tracker.debian.org/pkg/minetest-mod-xdecor).
-    * [#956473](https://bugs.debian.org/956473) filed against [`sprai`](https://tracker.debian.org/pkg/sprai).
-    * [#956477](https://bugs.debian.org/956477) filed against [`herbstluftwm`](https://tracker.debian.org/pkg/herbstluftwm).
+    * [#958301](https://bugs.debian.org/958301) filed against [`dh-cargo`](https://tracker.debian.org/pkg/dh-cargo).
     * [#956549](https://bugs.debian.org/956549) filed against [`gmap`](https://tracker.debian.org/pkg/gmap).
-    * [#956583](https://bugs.debian.org/956583) filed against [`xxhash`](https://tracker.debian.org/pkg/xxhash).
-    * [#956588](https://bugs.debian.org/956588) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).
-    * [#956589](https://bugs.debian.org/956589) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).
     * [#956591](https://bugs.debian.org/956591) filed against [`gpick`](https://tracker.debian.org/pkg/gpick).
+    * [#956477](https://bugs.debian.org/956477) filed against [`herbstluftwm`](https://tracker.debian.org/pkg/herbstluftwm).
+    * [#956304](https://bugs.debian.org/956304) filed against [`libcamera`](https://tracker.debian.org/pkg/libcamera).
+    * [#956589](https://bugs.debian.org/956589) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).
+    * [#956408](https://bugs.debian.org/956408) filed against [`minetest-mod-xdecor`](https://tracker.debian.org/pkg/minetest-mod-xdecor).
+    * [#955783](https://bugs.debian.org/955783) filed against [`netgen-lvs`](https://tracker.debian.org/pkg/netgen-lvs).
     * [#958110](https://bugs.debian.org/958110) filed against [`nickle`](https://tracker.debian.org/pkg/nickle).
-    * [#958301](https://bugs.debian.org/958301) filed against [`dh-cargo`](https://tracker.debian.org/pkg/dh-cargo).
     * [#958381](https://bugs.debian.org/958381) filed against [`nmrpflash`](https://tracker.debian.org/pkg/nmrpflash).
     * [#958382](https://bugs.debian.org/958382) filed against [`node-mqtt`](https://tracker.debian.org/pkg/node-mqtt).
+    * [#956473](https://bugs.debian.org/956473) filed against [`sprai`](https://tracker.debian.org/pkg/sprai).
+    * [#955501](https://bugs.debian.org/955501) filed against [`yaz`](https://tracker.debian.org/pkg/yaz).
+    * [#956583](https://bugs.debian.org/956583) filed against [`xxhash`](https://tracker.debian.org/pkg/xxhash).
 
 In addition, Bernhard informed the following projects that their packages are not reproducible:
 
-* [`acoular`](https://github.com/acoular/acoular/issues/36) (report nondeterminism)
-* [`cri-o`](https://github.com/cri-o/cri-o/issues/3702) (report a date)
+* [`acoular`](https://github.com/acoular/acoular/issues/36) (report unknown non-determinism)
+* [`cri-o`](https://github.com/cri-o/cri-o/issues/3702) (report a date issue)
 * [`gnutls`](https://gitlab.com/gnutls/gnutls/-/issues/971) (report `certtool` being unable to extend certificates beyond 2049)
 * [`gnutls`](https://gitlab.com/gnutls/gnutls/-/issues/980) (report copyright year variation)
-* [`libxslt`](https://gitlab.gnome.org/GNOME/libxslt/-/issues/37) (report bug about nondeterministic output from data corruption)
-* [`python-astropy`](https://github.com/astropy/astropy/issues/10228) (report a build failure in 2021)
+* [`libxslt`](https://gitlab.gnome.org/GNOME/libxslt/-/issues/37) (report a bug about non-deterministic output from data corruption)
+* [`python-astropy`](https://github.com/astropy/astropy/issues/10228) (report a future build failure in 2021)
 
 #### Project documentation
 
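Review bot: the bug list is being reordered alphabetically by package name, but the last two entries are out of order, `yaz` (#955501) now precedes `xxhash` (#956583); swap them. More importantly, the removed lines include both `libctl` reports, #956588 and #956589, while only #956589 is re-added, so #956588 silently disappears from the report; if that is unintended, re-add `[#956588](https://bugs.debian.org/956588) filed against [`libctl`](https://tracker.debian.org/pkg/libctl).` next to #956589.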
@@ -261,5 +260,5 @@ If you are interested in contributing to the Reproducible Builds project, please
 
 <br>
 
-This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and *kpcyrd*. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
+This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Daniel Shahaf, Holger Levsen, Jelle van der Waa, *kpcyrd*, Mattia Rizzolo and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
 {: .small}


=====================================
images/reports/2020-04/rubygems.png
=====================================
Binary files /dev/null and b/images/reports/2020-04/rubygems.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/496ead53b7266900efcf3f93f9d7a1d3838f6075...21080b9d534dff3e7c6eca24cc52b8e2f661a414


