[Git][reproducible-builds/reproducible-website][master] 2 commits: 2020-08: Misc changes prior to publication.
Chris Lamb
gitlab at salsa.debian.org
Wed Sep 9 18:00:52 UTC 2020
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
2fbf3db7 by Chris Lamb at 2020-09-09T17:57:37+01:00
2020-08: Misc changes prior to publication.
- - - - -
32224cec by Chris Lamb at 2020-09-09T19:00:39+01:00
published as https://reproducible-builds.org/reports/2020-08/
- - - - -
3 changed files:
- _reports/2020-08.md
- images/reports/2020-08/intoto.png
- images/reports/2020-08/tails.png
Changes:
=====================================
_reports/2020-08.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2020"
month: "08"
title: "Reproducible Builds in August 2020"
-draft: true
+draft: false
+published: 2020-09-09 18:00:39
---
**Welcome to the August 2020 report from the [Reproducible Builds](https://reproducible-builds.org) project.**
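Review bot: The added `published: 2020-09-09 18:00:39` front-matter value carries no timezone offset. The publishing commit is stamped 2020-09-09T19:00:39+01:00, so this value appears to be UTC; writing it with an explicit offset (for example `2020-09-09 18:00:39 +0000`) would keep anything that parses the field from reading it as local time.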
@@ -14,7 +15,13 @@ In our monthly reports, we summarise the things that we have been up to over the
<br>
-This month, [Jennifer Helsby](https://redshiftzero.github.io/) launched a new [*reproduciblewheels.com*](https://reproduciblewheels.com/) website to address the lack of reproducibility of [Python wheels](https://pythonwheels.com/). To quote her [accompanying explanatory blog post](https://redshiftzero.github.io/reproducible-wheels/):
+----
+
+<br>
+
+This month, [Jennifer Helsby](https://redshiftzero.github.io/) launched a new [*reproduciblewheels.com*](https://reproduciblewheels.com/) website to address the lack of reproducibility of [Python wheels](https://pythonwheels.com/).
+
+To quote Jennifer's [accompanying explanatory blog post](https://redshiftzero.github.io/reproducible-wheels/):
> One hiccup we've encountered in [SecureDrop](https://securedrop.org/) development is that not all Python wheels can be built reproducibly. We ship multiple (Python) projects in Debian packages, with Python dependencies included in those packages as wheels. In order for our Debian packages to be reproducible, we need that wheel build process to also be reproducible
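Review bot: The added `----` rule needs a blank line above it. As the hunk is shown here it follows the existing `<br>` line directly, and a run of dashes immediately under a line of content can be read by Markdown as a setext heading underline rather than a horizontal rule. It is also worth confirming that a `<br>` on both sides of the rule is intended, since the new `<br>` repeats the one already above it.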
@@ -32,7 +39,7 @@ There were a number of talks at the recent online-only [DebConf20](https://debco
[![]({{ "/images/reports/2020-08/debconf20-holger.jpg#center" | relative_url }})](https://debconf20.debconf.org/talks/49-reproducing-bullseye-in-practice/)
-Firstly, Holger gave a talk titled "[*Reproducing Bullseye in practice*](https://debconf20.debconf.org/talks/49-reproducing-bullseye-in-practice/)", focusing on independently verifying that the binaries distributed from `ftp.debian.org` are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The [video](https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/49-reproducing-bullseye-in-practice.webm) (145 MB) and [slides](https://reproducible-builds.org/_lfs/presentations/2020-08-27-Reproducing-bullseye-in-practice/) are available.
+Holger gave a talk titled "[*Reproducing Bullseye in practice*](https://debconf20.debconf.org/talks/49-reproducing-bullseye-in-practice/)", focusing on independently verifying that the binaries distributed from `ftp.debian.org` are made from their claimed sources. It also served as a general update on the status of reproducible builds within Debian. The [video](https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/49-reproducing-bullseye-in-practice.webm) (145 MB) and [slides](https://reproducible-builds.org/_lfs/presentations/2020-08-27-Reproducing-bullseye-in-practice/) are available.
[![]({{ "/images/reports/2020-08/debconf20.png#right" | relative_url }})](https://debconf20.debconf.org/)
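Review bot: Dropping "Firstly," from the Holger paragraph is fine on its own, but check that the talk summaries that follow do not still open with matching ordinals ("Secondly", "Lastly"), which would now have nothing to pair with. The section introduction in the hunk header says there were a number of talks, so the remaining entries should be read through once for consistency.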
@@ -58,11 +65,13 @@ Chris Lamb provided some comments and pointers on an upstream issue regarding th
#### [Debian](https://debian.org/)
-Holger Levsen identified that a large number of `.buildinfo` post-build certificates have been "tainted" on the official Debian build servers as these servers have files underneath the `/usr/local/sbin` directory [[...](https://bugs.debian.org/969084)]. He also filed against bug for `debrebuild` after spotting that it can fail to download packages from [`snapshot.debian.org`](http://snapshot.debian.org/) [[...](https://bugs.debian.org/969098)].
+Holger Levsen identified that a large number of Debian `.buildinfo` build certificates have been "tainted" on the official Debian build servers, as these environments have files underneath the `/usr/local/sbin` directory [[...](https://bugs.debian.org/969084)]. He also filed against bug for `debrebuild` after spotting that it can fail to download packages from [`snapshot.debian.org`](http://snapshot.debian.org/) [[...](https://bugs.debian.org/969098)].
[![]({{ "/images/reports/2020-08/debian.png#right" | relative_url }})](https://debian.org/)
-This month, a handful of issues were uncovered (or assisted) due to the efforts of reproducible builds. For instance, Debian bug [#968710](https://bugs.debian.org/968710) was filed by Simon McVittie, which describes a problem with [detached debug symbol files](https://wiki.debian.org/DebugPackage) (required to [generate a traceback](https://wiki.debian.org/HowToGetABacktrace) that is unlikely to have been discovered without reproducible builds. In addition, [Jelmer Vernooij](https://www.jelmer.uk/) called attention that the [Debian Janitor](https://janitor.debian.net/) is using the property of reproducibility (as well as [diffoscope](https://diffoscope.org/) when applying archive-wide changes to Debian:
+This month, several issues were uncovered (or assisted) due to the efforts of reproducible builds.
+
+For instance, Debian bug [#968710](https://bugs.debian.org/968710) was filed by Simon McVittie, which describes a problem with [detached debug symbol files](https://wiki.debian.org/DebugPackage) (required to [generate a traceback](https://wiki.debian.org/HowToGetABacktrace)) that is unlikely to have been discovered without reproducible builds. In addition, [Jelmer Vernooij](https://www.jelmer.uk/) called attention that the new [Debian Janitor](https://janitor.debian.net/) tool is using the property of reproducibility (as well as [diffoscope](https://diffoscope.org/) when applying archive-wide changes to Debian:
> New merge proposals also include a link to the diffoscope diff between a vanilla build and the build with changes. Unfortunately these can be a bit noisy for packages that are not reproducible yet, due to the difference in build environment between the two builds. [[...](https://www.jelmer.uk/janitor-update-1.html)]
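Review bot: The second added paragraph still has an unbalanced parenthesis: the change closes the one after "generate a traceback", but "(as well as [diffoscope](https://diffoscope.org/) when applying archive-wide changes" never gets its closing ")". In the first added paragraph, "He also filed against bug for `debrebuild`" is carried over unchanged and should read "He also filed a bug against `debrebuild`". The `snapshot.debian.org` link in the same line uses `http://` while every other Debian link in the hunk uses `https://`; consider switching it.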
@@ -70,7 +79,7 @@ This month, a handful of issues were uncovered (or assisted) due to the efforts
[![]({{ "/images/reports/2020-08/intoto.png#right" | relative_url }})](https://in-toto.io/)
-Holger Levsen sponsored Lukas Puehringer's upload of the [python-securesystemslib](https://tracker.debian.org/pkg/python-securesystemslib), which is a dependency of [in-toto](https://in-toto.io/), a framework to secure the integrity of software supply chains. [[...](https://tracker.debian.org/news/1173060/accepted-python-securesystemslib-0160-1-source-into-unstable/)]
+Holger Levsen sponsored Lukas Puehringer's upload of the [python-securesystemslib](https://tracker.debian.org/pkg/python-securesystemslib) pacage, which is a dependency of [in-toto](https://in-toto.io/), a framework to secure the integrity of software supply chains. [[...](https://tracker.debian.org/news/1173060/accepted-python-securesystemslib-0160-1-source-into-unstable/)]
Lastly, Chris Lamb further refined his merge request against the `debian-installer` component to allow all arguments from `sources.list` files (such as `[check-valid-until=no]`) in order that we can test the reproducibility of the installer images on the [Reproducible Builds own testing infrastructure](https://tests.reproducible-builds.org/debian/reproducible.html) and [sent a ping to the team that maintains that code](https://lists.reproducible-builds.org/pipermail/rb-general/2020-August/002027.html).
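Review bot: The added line introduces a typo: "python-securesystemslib) pacage" should be "package". The rest of the sentence is unchanged from the removed line, so that is the only fix this hunk needs before publication.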
=====================================
images/reports/2020-08/intoto.png
=====================================
Binary files a/images/reports/2020-08/intoto.png and b/images/reports/2020-08/intoto.png differ
=====================================
images/reports/2020-08/tails.png
=====================================
Binary files a/images/reports/2020-08/tails.png and b/images/reports/2020-08/tails.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/9b04eb381166a5cb22cf46f38c3189692519883a...32224cec795379a8be913c0c3eed7e22b9eb2921