[Git][reproducible-builds/reproducible-website][master] 2 commits: 2021-07: Cosmetic changes.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Thu Aug 5 15:11:36 UTC 2021



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
553e9359 by Chris Lamb at 2021-08-05T16:10:55+01:00
2021-07: Cosmetic changes.

- - - - -
7ac6ba46 by Chris Lamb at 2021-08-05T16:11:12+01:00
published as https://reproducible-builds.org/reports/2021-07/

- - - - -


1 changed file:

- _reports/2021-07.md


Changes:

=====================================
_reports/2021-07.md
=====================================
@@ -3,26 +3,25 @@ layout: report
 year: "2021"
 month: "07"
 title: "Reproducible Builds in July 2021"
-draft: true
+draft: false
+date: 2021-08-05 15:11:12
 ---
 
 [![]({{ "/images/reports/2021-07/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-**Welcome to latest report from the [Reproducible Builds](https://reproducible-builds.org) project!** Today, we round up the important things that happened in the world of reproducible builds in July 2021. As always, if you are interested in contributing to the project, please visit the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-
-<br>
+**Welcome to latest report from the [Reproducible Builds](https://reproducible-builds.org) project.** In this post, we round up the important things that happened in the world of reproducible builds in July 2021. As always, if you are interested in contributing to the project, please visit the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
 [![]({{ "/images/reports/2021-07/lastmilepy.png#right" | relative_url }})](https://2021.esec-fse.org/details/fse-2021-papers/61/LastPyMile-Identifying-the-Discrepancy-between-Sources-and-Packages)
 
-On Friday 27th August, Duc Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate and Antonino Sabetta will present their recent paper at the [ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering](https://2021.esec-fse.org/) (ESEC/FSE) conference. Titled [**LastPyMile: Identifying the Discrepancy between Sources and Packages**](https://2021.esec-fse.org/details/fse-2021-papers/61/LastPyMile-Identifying-the-Discrepancy-between-Sources-and-Packages), its abstract mentions that:
+On Friday 27th August, Duc Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate and Antonino Sabetta will present a paper at the [ACM Foundations of Software Engineering](https://2021.esec-fse.org/) (ESEC/FSE) conference. Titled [**LastPyMile: Identifying the Discrepancy between Sources and Packages**](https://2021.esec-fse.org/details/fse-2021-papers/61/LastPyMile-Identifying-the-Discrepancy-between-Sources-and-Packages), the abstract of the talk mentions that:
 
-> Our empirical assessment of 2,438 popular packages in [PyPI](https://pypi.org/) with an analysis of around 10M lines of code shows several differences in the wild: modifications cannot be just attributed to malicious injections. Yet, scanning again all and whole ‘most likely good but modified' packages is hard to manage for FOSS downstream users. We propose a methodology, LastPyMile, for identifying the differences between build artifacts of software packages and the respective source code repository. We show how it can be used to extend current package scanning practices for malware injection (which only covers less than 1% of the code of deployed packages). ([more](https://2021.esec-fse.org/details/fse-2021-papers/61/LastPyMile-identifying-the-discrepancy-between-sources-and-packages))
+> Our empirical assessment of 2,438 popular packages in [PyPI](https://pypi.org/) with an analysis of around 10M lines of code shows several differences in the wild: modifications cannot be just attributed to malicious injections. Yet, scanning again all and whole ‘most likely good but modified' packages is hard to manage for FOSS downstream users. We propose a methodology, LastPyMile, for identifying the differences between build artifacts of software packages and the respective source code repository. [[...](https://2021.esec-fse.org/details/fse-2021-papers/61/LastPyMile-identifying-the-discrepancy-between-sources-and-packages)]
 
 <br>
 
 [![]({{ "/images/reports/2021-07/arstechnica.jpg#right" | relative_url }})](https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/)
 
-Last month, we linked to [Ars Technica](https://arstechnica.com/)'s report that 'counterfeit' packages on [PyPI](https://pypi.org/), the official Python package repository, [contained secret code that installed cryptomining software on infected machines](https://arstechnica.com/gadgets/2021/06/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers/). This month, however, Dan Goodin reported on another PyPI malware issue: in [**Software downloaded 30,000 times from PyPI ransacked developers' machines**](https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/), Dan writes about a number of malicious payloads (such as [Discord](https://discord.com/) token and credit card 'stealers') that appear to have targeted programmers' computers. ([Another source](https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/).)
+Last month, we linked to [Ars Technica](https://arstechnica.com/)'s report that counterfeit packages on [PyPI](https://pypi.org/), the official Python package repository, [contained secret code that installed cryptomining software on infected machines](https://arstechnica.com/gadgets/2021/06/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers/). This month, however, Dan Goodin reported on another PyPI malware issue: in [**Software downloaded 30,000 times from PyPI ransacked developers' machines**](https://arstechnica.com/gadgets/2021/07/malicious-pypi-packages-caught-stealing-developer-data-and-injecting-code/), Dan writes about a number of malicious payloads (such as [Discord](https://discord.com/) token and credit card 'stealers') that appear to have targeted programmers' computers. ([Another source](https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/).)
 
 <br>
 
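Review bot: the rewritten welcome line (`+**Welcome to latest report from the [Reproducible Builds]...`) still drops the article and should read "Welcome to the latest report". On the LastPyMile line, the venue was shortened to "[ACM Foundations of Software Engineering](...) (ESEC/FSE)", which no longer matches the acronym; the removed line's "ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering" is the expansion that ESEC/FSE actually abbreviates, so either restore it or drop the parenthetical.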
@@ -36,13 +35,13 @@ Joshua also mentions our sister [Bootstrappable Builds](https://bootstrappable.o
 
 [![]({{ "/images/reports/2021-07/vrojmYRHxwY.jpg#right" | relative_url }})](https://www.youtube.com/watch?v=vrojmYRHxwY)
 
-Speaking of Bazel, Gaspare Vitta recently presented at the [Conf42 Python](https://www.conf42.com) 2021 on [**Reproducible Builds with Bazel**](https://www.youtube.com/watch?v=vrojmYRHxwY). In the abstract for his talk, Gaspare writes:
+Touching on Bazel, Gaspare Vitta recently presented at the [Conf42 Python](https://www.conf42.com) 2021 on [**Reproducible Builds with Bazel**](https://www.youtube.com/watch?v=vrojmYRHxwY). In the abstract for his talk, Gaspare writes:
 
 > If you run two builds with the same source code and the same commit but on two different machines, do you expect to get the same result? Well, in most cases you will not! In this talk, we'll identify sources of non-determinism in most build processes and look at how Bazel can be used to create reproducible, hermetic builds. We'll then create a reproducible Flask application that can be built with Bazel so that the Python interpreter and all dependencies are hermetical.
 
 <br>
 
-Lastly, it was noticed that Manuel Pöll's thesis at the [Johannes Kepler University](https://www.jku.at/) in Linz, Austria is now available online. Titled [**An Investigation Into Reproducible Builds for AOSP**](https://www.digidow.eu/publications/2020-poell-bachelorthesis/Poell_2020_BachelorThesis_SOAP.pdf) (PDF), Manuel's thesis touches on techniques to achieve deterministic builds in AOSP, more commonly known as Google's [Android](https://source.android.com/).
+Lastly, it was noticed that Manuel Pöll's thesis at the [Johannes Kepler University](https://www.jku.at/) in Linz, Austria is now available online. Called an [**An Investigation Into Reproducible Builds for AOSP**](https://www.digidow.eu/publications/2020-poell-bachelorthesis/Poell_2020_BachelorThesis_SOAP.pdf) (PDF), Manuel's thesis touches on techniques to achieve deterministic builds in AOSP, more usually known as Google's [Android](https://source.android.com/).
 
 <br>
 
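Review bot: the new thesis line introduces a doubled article, "Called an [**An Investigation Into Reproducible Builds for AOSP**](...)"; drop the "an" before the link or keep the original "Titled". The rest of the hunk ("Touching on Bazel", "more usually known as") is wording only and reads fine.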
@@ -52,7 +51,7 @@ Lastly, it was noticed that Manuel Pöll's thesis at the [Johannes Kepler Univer
 
 We ran a productive meeting on IRC this month ([original announcement](https://lists.reproducible-builds.org/pipermail/rb-general/2021-July/002300.html)) which ran for just short of two hours. A [full set of notes](http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-07-27-15.00.html) from the meeting is available.
 
-Chris Lamb updated the [main Reproducible Builds website and documentation](https://reproducible-builds.org/) this month, including migrating the old 'history' page from the Debian wiki [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1b5838f)], made the emphasis on 2020 less prominent on the events page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a66019)] as well as many other changes. In addition, Holger Levsen added [MirageOS](https://mirage.io/) to our [projects page]({{ "/who/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2d8d0f0)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e7cb0dc)] and Tobias Stoeckmann noted that the `#archlinux-reproducible` IRC channel has moved to the [libera.chat](https://libera.chat) network [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/199dc01)].
+Chris Lamb updated the [main Reproducible Builds website and documentation](https://reproducible-builds.org/) this month, including migrating the old 'history' page from the Debian wiki [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1b5838f)], made the emphasis on 2020 less prominent on the events page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a66019)] in addition to many other changes. Also, Holger Levsen added [MirageOS](https://mirage.io/) to our [projects page]({{ "/who/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2d8d0f0)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e7cb0dc)] and Tobias Stoeckmann noted that the `#archlinux-reproducible` IRC channel has moved to the [libera.chat](https://libera.chat) network [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/199dc01)].
 
 A number of the Reproducible Builds team are in the process of building an 'ecosystem map' in order to better understand the relationships between projects in and around reproducible builds. This month, Chris Lamb [posted a request to our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2021-July/002302.html) to solicit input from the wider community.
 
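Review bot: the rewritten website-updates sentence still has a parallelism problem: "including migrating the old 'history' page ..., made the emphasis on 2020 less prominent ... in addition to many other changes" mixes a gerund with a finite verb. Suggest "including migrating the old 'history' page from the Debian wiki [...] and making the emphasis on 2020 less prominent on the events page [...], as well as many other changes".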
@@ -67,37 +66,33 @@ A number of the Reproducible Builds team are in the process of building an 'ecos
 [*diffoscope*](https://diffoscope.org) is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, [Chris Lamb](https://chris-lamb.co.uk) made a number of changes, including releasing [version 178](https://diffoscope.org/news/diffoscope-178-released/)) and [version 179](https://diffoscope.org/news/diffoscope-179-released/)) as well as the following changes:
 
 * Ensure that various [LLVM](https://llvm.org/) tools are installed, even when testing whether a MacOS binary has no differences compared to *itself*. ([#270](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/270))
-* Rewrite how we calculate the 'fuzzy hash' of a file to make the control flow cleaner. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/15590583)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2201a325)]
+* Rewrite how we calculate the 'fuzzy hash' of a file to make the control flow cleaner. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/15590583)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2201a325)]
 * Don't traceback when encountering a broken symlink within a directory. ([#269](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/269))
-* Update some copyright years. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1f480e07)]
+* Update some copyright years. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1f480e07)]
 
 In addition, Edward Betts updated the [*try.diffoscope.org*](https://try.diffoscope.org/) service to add a HTML `alt` attribute to an image. [[...](https://salsa.debian.org/reproducible-builds/try.diffoscope.org/commit/2348d26)]
 
 <br>
 
-[![]({{ "/images/reports/2021-07/debian.png#right" | relative_url }})](https://debian.org/)
-
 #### Debian
 
+[![]({{ "/images/reports/2021-07/debian.png#right" | relative_url }})](https://debian.org/)
+
 Roland Clobus sent a second status update on his [progress towards fully-reproducible 'Live' ISO images](https://lists.debian.org/debian-live/2021/07/msg00009.html). Amongst many other things, Roland mentions that all major configurations are now built on a daily basis and only the [Cinnamon](https://en.wikipedia.org/wiki/Cinnamon_(desktop_environment)) image is not reproducible. However, [*diffoscope*](https://diffoscope.org/) has issues when comparing the results — work is in progress to address this [#991059](https://bugs.debian.org/991059).
 
 2 reviews of Debian packages were added, 50 were updated and 33 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Three issue types were updated, however: `nondeterminism_in_autolex_bin` is now fixed in Debian *bullseye* [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/441492f5)], a new `test_suite_logs` issue was added [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/46454347)] and the description for the `records_build_flags` issue was updated [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/08b8e365)].
 
-Helmut Grohne and Johannes Schauer Marin Rodrigues reported Debian bug [#990712](https://bugs.debian.org/990712): "While working on DPKG_ROOT reproducibility, we observed that the [dpkg] trigger database differs for the foreign and native case". [[...](https://bugs.debian.org/990712)]
+Helmut Grohne and Johannes Schauer Marin Rodrigues reported Debian bug [#990712](https://bugs.debian.org/990712): "While working on `DPKG_ROOT` reproducibility, we observed that the [`dpkg`] trigger database differs for the foreign and native case". [[...](https://bugs.debian.org/990712)]
 
-Chris Lamb modified the [Lintian](https://lintian.debian.org/) static analyser for Debian packages to check for Python tracebacks in manual pages. These are usually caused by failing `help2man` calls, and, crucially, cause reproducibility issues as the traceback includes absolute path names. [[...](https://salsa.debian.org/lintian/lintian/commit/86da641bbb0945746ae14f3078b8d1824d46ea03)]
-
-Lastly, Holger filed Debian bug [#991285](https://bugs.debian.org/991285) to 'unblock' version `1.12-0.1` of *strip-nondeterminism* in order to ensure that this version ended up in the upcoming release of Debian *bullseye*.
+Chris Lamb modified the [Lintian](https://lintian.debian.org/) static analyser for Debian packages to check for Python tracebacks in manual pages. These are usually caused by failing `help2man` calls and, crucially, cause reproducibility issues as the traceback includes absolute path names [[...](https://salsa.debian.org/lintian/lintian/commit/86da641bbb0945746ae14f3078b8d1824d46ea03)]. Lastly, Holger filed Debian bug [#991285](https://bugs.debian.org/991285) to 'unblock' version `1.12-0.1` of *strip-nondeterminism* in order to ensure that this version ended up in the upcoming release of Debian *bullseye*.
 
 <br>
 
 #### Mobile development
 
-It was noticed that from August 2021, [Android 'app bundles'](https://developer.android.com/guide/app-bundle) will become mandatory for the Google Play Store. This will result in smaller file sizes and other advantages for the end-user, yet it will also require app developers to push equivalent 'APK' versions of their apps to other non-Play Store channels as well. But this will also mean that developers will need to supply Google with their app signing keys. The introduction of [code transparency for app bundles](https://developer.android.com/guide/app-bundle/code-transparency) does add an *optional* code signing and verification mechanism (using a separate signing key held solely by the app developer). Unfortunately, code transparency files are not verified at install time — only manual verification is currently possible — and only guarantee the integrity of DEX and native code files (meaning interpreted code and assets could still have been modified). Further information can be found on the announcements on the [Android Authority](https://www.androidauthority.com/android-apks-sunset-1636829/) and [XDA Developers](https://www.xda-developers.com/google-play-billing-v3-app-bundle-requirement-2021/) sites.
-
-The [Jiten Japanese Dictionary](https://f-droid.org/packages/dev.obfusk.jiten/) and [Bitcoin Wallet](https://f-droid.org/en/packages/de.schildbach.wallet/) applications on the [F-Droid](https://f-droid.org) application store are now reproducible using [signatures in metadata](https://f-droid.org/docs/Reproducible_Builds/).
+It was noticed that from August 2021, Android ['app bundles'](https://developer.android.com/guide/app-bundle) will become mandatory for the Google Play Store. This will result in smaller file sizes and other advantages for the end-user, yet it will also require app developers to push equivalent 'APK' versions of their apps to other non-Play Store channels as well. But this will also mean that developers will need to supply Google with their app signing keys. The introduction of [code transparency for app bundles](https://developer.android.com/guide/app-bundle/code-transparency) does add an *optional* code signing and verification mechanism (using a separate signing key held solely by the app developer). Unfortunately, code transparency files are not verified at install time — only manual verification is currently possible — and only guarantee the integrity of DEX and native code files (meaning interpreted code and assets could still have been modified). Further information can be found on the announcements on the [Android Authority](https://www.androidauthority.com/android-apks-sunset-1636829/) and [XDA Developers](https://www.xda-developers.com/google-play-billing-v3-app-bundle-requirement-2021/) sites.
 
-Lastly, it was noticed that the [Android library bug affecting *NewPipe*](https://github.com/TeamNewPipe/NewPipe/issues/6486) also affects the [Swiss Covid Certificate](https://github.com/admin-ch/CovidCertificate-App-Android/issues/206#issuecomment-887616373) app.
+In addition, The [Jiten Japanese Dictionary](https://f-droid.org/packages/dev.obfusk.jiten/) and [Bitcoin Wallet](https://f-droid.org/en/packages/de.schildbach.wallet/) applications on the [F-Droid](https://f-droid.org) application store are now reproducible using [signatures in metadata](https://f-droid.org/docs/Reproducible_Builds/). Lastly, it was noticed that the [Android library bug affecting *NewPipe*](https://github.com/TeamNewPipe/NewPipe/issues/6486) also affects the [Swiss Covid Certificate](https://github.com/admin-ch/CovidCertificate-App-Android/issues/206#issuecomment-887616373) app.
 
 <br>
 
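Review bot: the merged F-Droid line `+In addition, The [Jiten Japanese Dictionary]...` capitalises "The" mid-sentence; lowercase it. The two bullet lines `+* Rewrite how we calculate the 'fuzzy hash'...` and `+* Update some copyright years.` look byte-identical to the lines they replace, so this is presumably trailing-whitespace cleanup, which fits the "Cosmetic changes" message. Since this is a cosmetic pass anyway, the unchanged context line "releasing [version 178](...)) and [version 179](...))" carries a stray extra closing parenthesis after each link that could be fixed here as well.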
@@ -105,7 +100,7 @@ Lastly, it was noticed that the [Android library bug affecting *NewPipe*](https:
 
 [![]({{ "/images/reports/2021-07/archlinux.png#right" | relative_url }})](https://archlinux.org/)
 
-Jelle van der Waa posted a blog post detailing the [progress reproducibility-related issues in Arch Linux during July 2021](https://vdwaa.nl/arch-repro-july-2021.html), including issues with compressed manual pages as well as embedded build dates and hostnames. *kpcyrd* also [posted a monthly report](https://vulns.xyz/2021/07/monthly-report/) this month mentioning, reproducibility-related issues in Arch Linux in addition to documenting his progress towards reproducible [Alpine](https://alpinelinux.org/) Linux on the [Raspberry Pi](https://www.raspberrypi.org/)
+Jelle van der Waa posted a blog post detailing the [recent progress of reproducibility-related issues in Arch Linux ](https://vdwaa.nl/arch-repro-july-2021.html), including issues with compressed manual pages as well as embedded build dates and hostnames. *kpcyrd* also [posted a monthly report](https://vulns.xyz/2021/07/monthly-report/) mentioning, reproducibility-related issues in Arch, in addition to documenting his progress towards reproducible [Alpine](https://alpinelinux.org/) Linux on the [Raspberry Pi](https://www.raspberrypi.org/).
 
 Finally, Bernhard M. Wiedemann posted his [monthly reproducible builds status report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/RTRKIE6QJ7YSV7JCLB7DIGWBCXCGHVHB/) for openSUSE.
 
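Review bot: the new link text `[recent progress of reproducibility-related issues in Arch Linux ](https://vdwaa.nl/arch-repro-july-2021.html)` has a trailing space inside the brackets, which ends up inside the rendered anchor; and "posted a monthly report ... mentioning, reproducibility-related issues in Arch" carries over the stray comma from the removed line. Suggest "...in Arch Linux](https://vdwaa.nl/arch-repro-july-2021.html)" and "mentioning reproducibility-related issues in Arch".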
@@ -206,8 +201,7 @@ Reproducible Builds runs a [Jenkins](https://jenkins.io/)-based testing framewor
     * Update number of `armhf` boards used for reproducible builds in the documentation. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8c21bd61)]
 
 <br>
-
----
+<br>
 
 If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
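Review bot: swapping the `---` horizontal rule for a second `<br>` removes the visible separator before the closing contact section, and two consecutive `<br>` tags is an unusual way to get vertical space in Markdown; if the theme renders `---` poorly that is a fair trade, but worth stating in the commit message. In the unchanged context line, "However, you can get in touch with us via:" reads as a non-sequitur after an invitation to contribute; "Alternatively" or "You can also get in touch with us via:" would fit better.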



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/58a8bec60608ba1ef20cddd95fe5214add419559...7ac6ba46710d351646e22d926c16ea0c925d96ff
