[Git][reproducible-builds/reproducible-website][master] 2020-12: Misc changes prior to publication.

Chris Lamb gitlab at salsa.debian.org
Tue Jan 5 15:23:29 UTC 2021



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
163220f6 by Chris Lamb at 2021-01-05T15:22:10+00:00
2020-12: Misc changes prior to publication.

- - - - -


4 changed files:

- _reports/2020-12.md
- + images/reports/2020-12/cctg.png
- − images/reports/2020-12/cwa.png
- images/reports/2020-12/kimzetter.jpg


Changes:

=====================================
_reports/2020-12.md
=====================================
@@ -22,17 +22,15 @@ This revelation is extremely relevant to Reproducible Builds project because, ac
 
 [![]({{ "/images/reports/2020-12/kimzetter.jpg#right" | relative_url }})](https://twitter.com/KimZetter/status/1338305089597964290)
 
-[Kim Setter](https://twitter.com/KimZetter), author of [*Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon*](https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/), [posted on Twitter](https://twitter.com/KimZetter/status/1338305089597964290) that:
+More information on the attack may be found on [CNN](https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html), [CSO](https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html) [ComputerWeekly](https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now), [BBC News](https://www.bbc.co.uk/news/technology-55368213), etc., and David A. Wheeler [started a discussion on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2020-December/002109.html). [Kim Setter](https://twitter.com/KimZetter), author of [*Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon*](https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/), [posted on Twitter](https://twitter.com/KimZetter/status/1338305089597964290) that:
 
 <blockquote class="twitter-tweet"><p lang="en" dir="ltr">I have report from Microsoft about SolarWinds hack, including IoCs. Excerpts in this thread: "Microsoft security researchers recently discovered a sophisticated attack where an adversary inserted malicious code into a supply chain development process....</p>— Kim Zetter (@KimZetter) <a href="https://twitter.com/KimZetter/status/1338305089597964290?ref_src=twsrc%5Etfw">December 14, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
 
-However, more information on the attack may be found on [CNN](https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html), [CSO](https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html) [ComputerWeekly](https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now), [BBC News](https://www.bbc.co.uk/news/technology-55368213), etc., and David A. Wheeler [started a discussion on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2020-December/002109.html).
+<hr>
 
-<br>
-
-[![]({{ "/images/reports/2020-12/cwa.png#right" | relative_url }})](https://github.com/corona-warn-app/cwa-app-android)
+[![]({{ "/images/reports/2020-12/cctg.png#right" | relative_url }})](https://codeberg.org/corona-contact-tracing-germany/cwa-android/)
 
-[Last month we reported]({{ "/reports/2020-11/" | relative_url }}) on a fork of the official German Corona App called [*Corona Warn App*](https://github.com/corona-warn-app/cwa-app-android). Since then, the application is now available on the [F-Droid free-software app store](https://f-droid.org/) (without integration with Google-operated services). However, the version on *F-Droid* also supports reproducible builds, and instructions on [how to rebuild the package](https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main/docs/rebuilding.md) are available from the [upstream Git repository](https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main). ([FSFE's announcement.](https://fsfe.org/news/2020/news-20201208-01.en.html))
+[Last month]({{ "/reports/2020-11/" | relative_url }}), we reported on a fork of the official German Corona App called '[*Corona Contact Tracing Germany*](https://codeberg.org/corona-contact-tracing-germany/cwa-android/)'. Since then, the application has been made available on the [F-Droid free-software application store](https://f-droid.org/packages/de.corona.tracing/). The app is not using the proprietary Google exposure notification framework, but a free software reimplementation by the [microG project](https://microg.org/), staying fully compatible with the official app. The version on *F-Droid* also supports reproducible builds, and instructions on [how to rebuild the package](https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main/docs/rebuilding.md) are available from the [upstream Git repository](https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main). ([FSFE's announcement.](https://fsfe.org/news/2020/news-20201208-01.en.html))
 
 [![]({{ "/images/reports/2020-12/maven.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2020-December/002094.html)
 
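Review bot: The added "More information on the attack..." line still spells the link text as `[Kim Setter]`, while the profile URL it points to and the attribution in the embedded tweet both read Kim Zetter; correct the name while this line is being moved. The same line carries over a missing comma between the CSO link and the `[ComputerWeekly]` link. In the rewritten contact-tracing paragraph, "a fork of the official German Corona App called '*Corona Contact Tracing Germany*'" can be read as giving the name of the official app rather than of the fork, so consider moving "called ..." next to "a fork".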
@@ -56,13 +54,17 @@ Chris Lamb recently took part in an interview with an intern at the [Software Fr
 
 The full interview can be found [on the Conservancy webpages](https://sfconservancy.org/blog/2020/dec/21/RB-CL-interview/).
 
-## Distribution work
+## Distributions
+
+### [openSUSE](https://www.opensuse.org)
 
 [![]({{ "/images/reports/2020-12/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
 
 [Adrian Schröter](https://www.storch-bleckmar.de/blog/index.php/de/) added an option to the scripts powering the [Open Build Service](https://github.com/openSUSE/obs-build) to enable deterministic filesystem ordering. Whilst this degrades performance slightly, it also enables dozens of packages in [openSUSE Tumbleweed](https://software.opensuse.org/distributions/tumbleweed) to become reproducible. [[...](https://github.com/openSUSE/obs-build/pull/634)]
 Also, Bernhard M. Wiedemann published his [monthly Reproducible Builds status update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/VC5SOBSPKCAF5SCI3AE3SD5FZTNTYYOT/) for openSUSE Tumbleweed.
 
+### [Debian](https://debian.org/)
+
 [![]({{ "/images/reports/2020-12/debian.png#right" | relative_url }})](https://debian.org/)
 
 In Debian, Holger Levsen uploaded 540 packages to the *unstable* distribution that were missing `.buildinfo` files for `Architecture: all` packages. Holger described his rationale and approach in a blog post titled [*On doing 540 no-source-change source-only uploads in two weeks*](http://layer-acht.org/thinking/blog/20201231-no-source-change-source-uploads/), and also he posted the [full list of packages he intends to upload during January 2021](https://lists.debian.org/debian-devel/2020/12/msg00419.html) to the [`debian-devel`](https://lists.debian.org/debian-devel/) mailing list:
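Review bot: The new `### [openSUSE](https://www.opensuse.org)` heading links to the URL without a trailing slash, while the logo link directly below it uses `https://www.opensuse.org/` and the new Debian heading uses `https://debian.org/`; pick one form. Each heading link also repeats the target of the logo link that follows it, so the heading may not need to be a link at all.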
@@ -73,29 +75,32 @@ In Debian, Holger Levsen uploaded 540 packages to the *unstable* distribution th
 
 In recent months, Debian Developer [Stuart Prescott](https://nanonanonano.net/) has been improving [`python-debian`](https://salsa.debian.org/python-debian-team/python-debian), a Python library that is used to parse Debian-specific files such as changelogs, `.dscs`, etc. In particular, Stuart has been working on [adding support for `.buildinfo` files](https://bugs.debian.org/875306) used for recording reproducibility-related build metadata. This month, however, Stuart uploaded *python-debian* version `0.1.39` with many changes, including adding a type for `.buildinfo` files ([#875306](https://bugs.debian.org/875306)).
 
-94 reviews of Debian packages were added, 84 were updated and 34 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). In addition, Chris Lamb identified two new issues ([`timestamps_in_3d_files_created_by_survex`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/e7d73123) & [`build_path_in_direct_url_json_file_generated_by_flit`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/86903835)) and Vagrant Cascadian discovered four [ecbuild](https://github.com/ecmwf/ecbuild)-related issues ([`records_build_flags_from_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f8436336), [`captures_kernel_version_via_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/990c7af7), [`captures_build_arch_via_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/351273b8) & [`timestamps_in_h_generated_by_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/4c84467f))
+Chris Lamb identified two new issues ([`timestamps_in_3d_files_created_by_survex`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/e7d73123) & [`build_path_in_direct_url_json_file_generated_by_flit`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/86903835)), and Vagrant Cascadian discovered four [ecbuild](https://github.com/ecmwf/ecbuild)-related issues ([`records_build_flags_from_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f8436336), [`captures_kernel_version_via_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/990c7af7), [`captures_build_arch_via_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/351273b8) & [`timestamps_in_h_generated_by_ecbuild`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/4c84467f)). 94 reviews of Debian packages were added, 84 were updated and 34 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
 
-Vagrant Cascadian made a large number of uploads to Debian fix a number of reproducible issues in packages that do not have an owner: [`a2ps`](https://tracker.debian.org/pkg/a2ps) (`4.14-6`), [`autoconf`](https://tracker.debian.org/pkg/autoconf) (`2.69-13` & `2.69-14`), [`calife`](https://tracker.debian.org/pkg/calife) (`3.0.1-6`), [`coinor-symphony`](https://tracker.debian.org/pkg/coinor-symphony) (`5.6.16+repack1-3`), [`epm`](https://tracker.debian.org/pkg/epm) (`4.2-9` & `4.2-10`), [`grap`](https://tracker.debian.org/pkg/grap) (`1.45-4`), [`hpanel`](https://tracker.debian.org/pkg/hpanel) (`0.3.2-7`), [`libcommoncpp2`](https://tracker.debian.org/pkg/libcommoncpp2) (`1.8.1-9` & `1.8.1-10`), [`libdigidoc`](https://tracker.debian.org/pkg/libdigidoc) (`3.10.5-2`), [`libnss-ldap`](https://tracker.debian.org/pkg/libnss-ldap) (`265-6`), [`lprng`](https://tracker.debian.org/pkg/lprng) (`3.8.B-5`), [`magicfilter`](https://tracker.debian.org/pkg/magicfilter) (`1.2-66`), [`massif-visualizer`](https://tracker.debian.org/pkg/massif-visualizer) (`0.7.0-2`), [`milter-greylist`](https://tracker.debian.org/pkg/milter-greylist) (`4.6.2-2`), [`minlog`](https://tracker.debian.org/pkg/minlog) (`4.0.99.20100221-7`), [`mp3blaster`](https://tracker.debian.org/pkg/mp3blaster) (`3.2.6-2`), [`nis`](https://tracker.debian.org/pkg/nis) (`3.17.1-6` & `3.17.1-8`), [`spamassassin-heatu`](https://tracker.debian.org/pkg/spamassassin-heatu) (`3.02+20101108-4`), [`webauth`](https://tracker.debian.org/pkg/webauth) (`4.7.0-8`) & [`wily`](https://tracker.debian.org/pkg/wily) (`0.13.41-9` & `0.13.41-10`).
+Vagrant Cascadian made a large number of uploads to Debian fix a number of reproducible issues in packages that do not have an owner, including [`a2ps`](https://tracker.debian.org/pkg/a2ps) (`4.14-6`), [`autoconf`](https://tracker.debian.org/pkg/autoconf) (`2.69-13` & `2.69-14`), [`calife`](https://tracker.debian.org/pkg/calife) (`3.0.1-6`), [`coinor-symphony`](https://tracker.debian.org/pkg/coinor-symphony) (`5.6.16+repack1-3`), [`epm`](https://tracker.debian.org/pkg/epm) (`4.2-9` & `4.2-10`), [`grap`](https://tracker.debian.org/pkg/grap) (`1.45-4`), [`hpanel`](https://tracker.debian.org/pkg/hpanel) (`0.3.2-7`), [`libcommoncpp2`](https://tracker.debian.org/pkg/libcommoncpp2) (`1.8.1-9` & `1.8.1-10`), [`libdigidoc`](https://tracker.debian.org/pkg/libdigidoc) (`3.10.5-2`), [`libnss-ldap`](https://tracker.debian.org/pkg/libnss-ldap) (`265-6`), [`lprng`](https://tracker.debian.org/pkg/lprng) (`3.8.B-5`), [`magicfilter`](https://tracker.debian.org/pkg/magicfilter) (`1.2-66`), [`massif-visualizer`](https://tracker.debian.org/pkg/massif-visualizer) (`0.7.0-2`), [`milter-greylist`](https://tracker.debian.org/pkg/milter-greylist) (`4.6.2-2`), [`minlog`](https://tracker.debian.org/pkg/minlog) (`4.0.99.20100221-7`), [`mp3blaster`](https://tracker.debian.org/pkg/mp3blaster) (`3.2.6-2`), [`nis`](https://tracker.debian.org/pkg/nis) (`3.17.1-6` & `3.17.1-8`), [`spamassassin-heatu`](https://tracker.debian.org/pkg/spamassassin-heatu) (`3.02+20101108-4`), [`webauth`](https://tracker.debian.org/pkg/webauth) (`4.7.0-8`) & [`wily`](https://tracker.debian.org/pkg/wily) (`0.13.41-9` & `0.13.41-10`).
 
 Similarly, Chris Lamb made two uploads of the [`sendfile`](https://tracker.debian.org/pkg/sendfile) package.
 
+### [NixOS](https://nixos.org/)
+
 [![]({{ "/images/reports/2020-12/nixos.png#right" | relative_url }})](https://nixos.org/)
 
-In NixOS we have made good progress towards the milestone of having all packages required to build the minimal installation iso reproducible.
-Notable remaining work includes [python](https://github.com/NixOS/nixpkgs/issues/107951), [isl](https://github.com/NixOS/nixpkgs/issues/106587), [gcc9](https://github.com/NixOS/nixpkgs/issues/108475) and removing the use of Python 2 in [asciidoc](https://github.com/NixOS/nixpkgs/pull/102398).
+NixOS made good progress towards having all packages required to build the minimal installation ISO image reproducible. Remaining work includes the [`python`](https://github.com/NixOS/nixpkgs/issues/107951), [`isl`](https://github.com/NixOS/nixpkgs/issues/106587) and [`gcc9`](https://github.com/NixOS/nixpkgs/issues/108475) packages and removing the use of Python 2.x in [`asciidoc`](https://github.com/NixOS/nixpkgs/pull/102398).
+
+Elsewhere in NixOS, Adam Hoese of [tweag.io](https://www.tweag.io) also announced [*trustix*](https://www.tweag.io/blog/2020-12-16-trustix-announcement/), an [NGI Zero PET](https://nlnet.nl/PET)-funded initiative to provide infrastructure for sharing and enforcing reproducibility results for Nix-based systems.
 
-Adam Hoese of [tweag.io](https://www.tweag.io) announced [trustix](https://www.tweag.io/blog/2020-12-16-trustix-announcement/), an [NGI Zero PET](https://nlnet.nl/PET)-funded initiative to provide infrastructure for sharing and enforcing reproducibility results for Nix-based systems.
+Finally, the following NixOS-specific changes were made:
 
 * Arnout Engelen:
 
-    * [`pytest`](https://github.com/NixOS/nixpkgs/pull/107825) (removed unreproducible test artifacts from the pytest package)
-    * [`linux`](https://github.com/NixOS/nixpkgs/pull/106648) (omit build ID)
-    * [`talloc`](https://github.com/NixOS/nixpkgs/pull/106646) (avoid python 2 build dependency)
-    * [`libseccomp`](https://github.com/NixOS/nixpkgs/pull/106644) (filesystem dates and ordering)
-    * [`rustc`](https://github.com/NixOS/nixpkgs/pull/106284) (generate deterministic manifest)
     * [`compress-man-pages`](https://github.com/NixOS/nixpkgs/pull/105818) (create symlinks deterministically)
-    * [`setuptools`](https://github.com/NixOS/nixpkgs/pull/105680) (stable file ordering for sdist)
     * [`git`](https://github.com/NixOS/nixpkgs/pull/105498) (reproducible manual)
+    * [`libseccomp`](https://github.com/NixOS/nixpkgs/pull/106644) (filesystem dates and ordering)
+    * [`linux`](https://github.com/NixOS/nixpkgs/pull/106648) (omit build ID)
+    * [`pytest`](https://github.com/NixOS/nixpkgs/pull/107825) (removed unreproducible test artifacts from the `pytest` package)
+    * [`rustc`](https://github.com/NixOS/nixpkgs/pull/106284) (generate deterministic manifest)
+    * [`setuptools`](https://github.com/NixOS/nixpkgs/pull/105680) (stable file ordering for `sdist`)
+    * [`talloc`](https://github.com/NixOS/nixpkgs/pull/106646) (avoid Python 2.x build dependency)
 
 * Atemu:
 
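Review bot: The rewritten Vagrant Cascadian line adds ", including" but leaves "made a large number of uploads to Debian fix a number of reproducible issues" untouched: a "to" is missing before "fix", and "reproducible issues" reads as though it should be "reproducibility issues". Note also that "including" now presents the package list as partial, where the removed version introduced it with a colon as the full set; confirm that is intended. In the new NixOS paragraph, "also announced" has nothing preceding it for "also" to refer to.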
@@ -124,7 +129,7 @@ Adam Hoese of [tweag.io](https://www.tweag.io) announced [trustix](https://www.t
 
 In addition, Jean-Romain Garnier added tests for OpenJDK 14. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/06cb774)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/77bc7d5)]
 
-In [disorderfs](https://tracker.debian.org/pkg/disorderfs) (our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues), Chris Lamb added support for testing on [Salsa](https://salsa.debian.org)'s CI system [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/869ec00)][[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/1e29fbf)][[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/488ebb7)] and added a quick benchmark [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/a4503fe)]. For the [GNU Guix](https://guix.gnu.org/) distribution Vagrant Cascadian *diffoscope* to version 162 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c8ea8516d08d3defd694cd3991595e8a2747899a)].
+In [disorderfs](https://tracker.debian.org/pkg/disorderfs) (our [FUSE](https://en.wikipedia.org/wiki/Filesystem_in_Userspace)-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues), Chris Lamb added support for testing on [Salsa](https://salsa.debian.org)'s CI system [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/869ec00)][[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/1e29fbf)][[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/488ebb7)] and added a quick benchmark [[...](https://salsa.debian.org/reproducible-builds/disorderfs/commit/a4503fe)]. For the [GNU Guix](https://guix.gnu.org/) distribution, Vagrant Cascadian *diffoscope* to version 162 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c8ea8516d08d3defd694cd3991595e8a2747899a)].
 
 ## Homepage/documentation updates
 
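Review bot: The last sentence of the changed disorderfs paragraph still has no verb: "Vagrant Cascadian *diffoscope* to version 162". This change only adds the comma after "distribution"; add the missing verb (for example "updated") in the same edit.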


=====================================
images/reports/2020-12/cctg.png
=====================================
Binary files /dev/null and b/images/reports/2020-12/cctg.png differ


=====================================
images/reports/2020-12/cwa.png deleted
=====================================
Binary files a/images/reports/2020-12/cwa.png and /dev/null differ


=====================================
images/reports/2020-12/kimzetter.jpg
=====================================
Binary files a/images/reports/2020-12/kimzetter.jpg and b/images/reports/2020-12/kimzetter.jpg differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/163220f652104229f5bdbf891ee248ee07c4b641
