[Git][reproducible-builds/reproducible-website][master] 3 commits: 2021-05: Minor, non-visible changes.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Fri Jul 2 16:34:00 UTC 2021



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
2ba66812 by Chris Lamb at 2021-07-02T15:09:01+01:00
2021-05: Minor, non-visible changes.

- - - - -
83a90cc9 by Chris Lamb at 2021-07-02T15:11:12+01:00
Generate newlines in a nicer place.

- - - - -
094d1440 by Chris Lamb at 2021-07-02T17:32:50+01:00
2021-06: Initial draft

- - - - -


16 changed files:

- _reports/2021-05.md
- _reports/2021-06.md
- bin/generate-draft.template
- + images/reports/2021-06/alpine.png
- + images/reports/2021-06/anom.jpg
- + images/reports/2021-06/archlinux.png
- + images/reports/2021-06/debian.png
- + images/reports/2021-06/diffoscope.svg
- + images/reports/2021-06/fdroid.png
- + images/reports/2021-06/google-open-source.png
- + images/reports/2021-06/lwn.png
- + images/reports/2021-06/mirageos.png
- + images/reports/2021-06/nixos.png
- + images/reports/2021-06/reproducible-builds.png
- + images/reports/2021-06/testframework.png
- + images/reports/2021-06/website.png


Changes:

=====================================
_reports/2021-05.md
=====================================
@@ -120,10 +120,9 @@ Chris Lamb made the following changes to [*strip-nondeterminism*](https://tracke
 
 * Version `1.12.0-1` was [uploaded to Debian unstable](https://tracker.debian.org/news/1240523/accepted-strip-nondeterminism-1120-1-source-into-unstable/) by Chris Lamb.
 
-
 ### Website and documentation
 
-[![]({{ "/images/reports/2021-04/website.png#right" | relative_url }})](https://reproducible-builds.org/)
+[![]({{ "/images/reports/2021-05/website.png#right" | relative_url }})](https://reproducible-builds.org/)
 
 Quite a few changes were made to the [main Reproducible Builds website and documentation](https://reproducible-builds.org/) this month, including:
 
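Review bot: the new image path on the `+` line, `/images/reports/2021-05/website.png`, is not among the files these commits add (the changed-files list above only adds `images/reports/2021-06/*`), so confirm that `images/reports/2021-05/website.png` already exists in the repository, otherwise the May report will render a broken image. The rest of the hunk is fine: the copy-pasted `2021-04` path is corrected and the stray blank line before `### Website and documentation` is dropped, though the path fix is a visible change, which the commit message "Minor, non-visible changes" understates.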


=====================================
_reports/2021-06.md
=====================================
@@ -6,68 +6,283 @@ title: "Reproducible Builds in June 2021"
 draft: true
 ---
 
-* FIXME: https://ariadne.space/2021/06/04/a-slightly-delayed-monthly-status-update/ has this
-	Another project of mine personally is working to prove the reproducibility of Alpine package builds, as part of the Reproducible Builds project.  To this end, I hope to have the Alpine 3.15 build fully reproducible.  This will require some changes to abuild so that it produces buildinfo files, as well as a rebuilder backend.  We plan to use the same buildinfo format as Arch, and will likely adapt some of the other reproducible builds work Arch has done to Alpine.
-		I plan to have a meeting within the next week or two to formulate an official reproducible builds team inside Alpine and lay out the next steps for what we need to do in order to get things going.  In the meantime, join #alpine-reproducible on irc.oftc.net if you wish to follow along.
-		I plan for reproducible builds (perhaps getting all of main reproducible) to be a sprint in July, once the prerequisite infrastructure is in place to support it, so stay tuned on that.
+[![]({{ "/images/reports/2021-06/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* Last months we wrote that Paul Spooren [proposed a patch](http://lists.busybox.net/pipermail/busybox/2021-May/088842.html) for the [BusyBox](https://www.busybox.net/) suite of UNIX utilities popular on embedded systems so that it uses [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/specs/source-date-epoch/) for build timestamps if available. [FIXME: this was [merged in June by Denys Vlasenko](http://lists.busybox.net/pipermail/busybox/2021-June/088880.html).
+**Welcome to latest report from the [Reproducible Builds](https://reproducible-builds.org) project for June 2021.** In these reports, we try outline the most important things that we have been happening in the world of reproducible builds and related areas during the past month. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* [LWN Fedora and supply-chain attacks](https://lwn.net/Articles/859965/)
+<br>
 
-* FIXME: https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html 
-  h01ger giggles at "O = required unless justification in the requirements table, it's the only "O" in that table and it refers to reproducible builds :))
+## Community news
 
+[![]({{ "/images/reports/2021-06/lwn.png#right" | relative_url }})](https://lwn.net/Articles/859965/)
 
-* [FIXME](https://www.ft.com/content/65ed6eb5-4968-4636-99bc-27a516d089dd)
+Jake Edge of [Linux Weekly News](https://lwn.net/) (LWN) published a [lengthy article on June 16th](https://lwn.net/Articles/859965/) describing various steps taken by the [Fedora](https://getfedora.org/) Linux distribution with respect to preventing supply-chain attacks:
 
-* [FIXME](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723)
+> The specter of more events like the [SolarWinds supply-chain attacks](https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach) is something that concerns many in our communities—and beyond. Linux distributions provide a supply chain that obviously needs to be protected against attackers injecting malicious code into the update stream. This problem recently came up on the Fedora devel mailing list, which led to a discussion covering a few different topics. For the most part, Fedora users are protected against such attacks, which is not to say there is nothing more to be done, of course.
+
+<br>
+
+[![]({{ "/images/reports/2021-06/google-open-source.png#right" | relative_url }})](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html)
+
+Last month, the [Google Security Blog](https://security.googleblog.com/) introduced a new framework called "[*Supply chain Levels for Software Artifacts*](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html)", or SLSA (to be pronounced as 'salsa'). In particular, SLSA level 4 ("currently the highest level") not only requires a two-person review of all changes but also "a hermetic, reproducible build process" due to its "many auditability and reliability benefits". Whilst a highly welcome inclusion in Google's requirements, by equating reproducible builds with only the highest level of supply-chain security in their list, it might lead others to conclude that only the most secure systems can benefit from the benefits of reproducible builds, whilst it is a belief of the Reproducible Builds project that many more users, if not all, can do so.
+
+<br>
+
+Many media outlets ([including The Verge](https://www.theverge.com/2021/6/8/22524307/anom-encrypted-messaging-fbi-europol-afp-sting-operation-trojan-shield-greenlight), etc.) reported on how the United States' FBI operated a messaging app as a 'honeypot trap' for a long period of time, leading to hundreds of arrests. [According to the UK's Financial Times](https://www.ft.com/content/65ed6eb5-4968-4636-99bc-27a516d089dd), court documents describe how the FBI persuaded a software developer facing prison to allow the FBI to commandeer the app and to introduce it to suspected criminals:
+
+[![]({{ "/images/reports/2021-06/anom.jpg#right" | relative_url }})](https://www.ft.com/content/65ed6eb5-4968-4636-99bc-27a516d089dd)
+
+> Over the course of the next three years, the operation was able to inspect about 27m messages over 11,800 devices as ANOM gained popularity in criminal circles globally, pushed by the developer but also a network of crime "influencers" — experts in encrypted phones who encourage others to use such devices.
+
+As the Financial Times reports, "it is unclear what exactly prompted the FBI and others to reveal the operation", although others have suggested it may result from legal limits in timeframes for intercepting communications. The FBI's operation raises ethical concerns which overlap with beliefs held by proponents of Reproducible Builds, not least of all because even the most unimpeachable actions by actors may result in the incidental surveillance of innocent people.
+
+In similar legal news, Susan Landau posted to the [Lawfare](https://www.lawfareblog.com/) blog about the [potential dangers posted by evidentiary software](https://www.lawfareblog.com/dangers-posed-evidentiary-softwareand-what-do-about-it). In particular, she discusses concerns that proprietary software  may be fundamentally incompatible with the ability of defendants have the right to know the nature of the evidence against them — this is a right that is explicitly enshrined, for instance, in the [Sixth Amendment](https://en.wikipedia.org/wiki/Sixth_Amendment_to_the_United_States_Constitution) of United States Constitution. It is relevant here because if the inability to consult the relevant source code of does violate such rights, it may follow that a secure and reproducible build process will also be required — after all, it would be the output of the *binary* versions of the source code that is used to convict suspects, not the source code itself.
+
+<br>
+
+![]({{ "/images/reports/2021-06/reproducible-builds.png#right" | relative_url }})
+
+The Reproducible Builds project restarted their IRC meetings this month. Taking place on the `#reproducible-builds` channel on the [OFTC IRC network](https://www.oftc.net/), the [log of the meeting on 29th June is now available](http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-06-29-15.00.html) online, and the next meeting is due to take place on [**July 27th at 15:00 UTC**](https://time.is/compare/1500_27_Jul_2021_in_UTC) ([agenda](https://pad.riseup.net/p/rb-irc-meetings-keep)).
+
+<br>
+
+[Ars Technica](https://arstechnica.com/) are reporting that "counterfeit" packages in [PyPI](https://pypi.org/), the official Python package repository, [contained secret code that installed cryptomining software on infected machines](https://arstechnica.com/gadgets/2021/06/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers/): "So-called typosquatting attacks succeed when targets accidentally mistype a name such as typing *mplatlib* or *maratlib* instead of the legitimate and popular package, *matplotlib*. The article is at pains to points out that PyPI is not not abused any more than other repositories are:
+
+> Last year, packages downloaded thousands of times from [RubyGems](https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/) installed malware that attempted to intercept bitcoin payments. Two years before that, someone backdoored a 2-million-user code library hosted in NPM. [Sonatype](https://sonatype.com/) has [tracked more than 12,000 malicious NPM packages](https://blog.sonatype.com/open-source-attacks-on-the-rise-top-8-malicious-packages-found-in-npm) since 2019.
+
+### Development news
+
+Dan Shearer from the [LumoSQL](https://lumosql.org/src/lumosql/doc/trunk/lumosql.org) database project [posted to our *rb-general* mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2021-June/002282.html) about reproducibility and microcode updates, emphasis ours:
+
+> Here at LumoSQL we do repeated runs testing SQLite of various versions and configurations, storing the results in an SQLite database. Here is an example of the kind of variation that justifies what some have called our 'too-fussy' test suite, a [*microcode update that changes behaviour from one day to another*](https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html).
+
+<br>
+
+In [last month's report]({{ "/reports/2021-05" | relative_url }}) we wrote about Paul Spooren [proposing a patch](http://lists.busybox.net/pipermail/busybox/2021-May/088842.html) for the [BusyBox](https://www.busybox.net/) suite of UNIX utilities so that it uses [`SOURCE_DATE_EPOCH`]({{ "/specs/source-date-epoch/" | relative_url }}) for build timestamps if available. This was [merged during June](http://lists.busybox.net/pipermail/busybox/2021-June/088880.html) by Denys Vlasenko.
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2021-06/alpine.png#right" | relative_url }})](https://ariadne.space/2021/06/04/a-slightly-delayed-monthly-status-update/)
+
+[Ariadne Conill](https://ariadne.space/) published a [detailed blog post](https://ariadne.space/2021/06/04/a-slightly-delayed-monthly-status-update/) this month detailing their work on security issues and concerns in the [Alpine](https://alpinelinux.org/) Linux distribution. In particular, Ariadne included an interesting section on an effort "to prove the reproducibility of Alpine package builds":
+
+> To this end, I hope to have the Alpine 3.15 build fully reproducible. This will require some changes to [`abuild`](https://wiki.alpinelinux.org/wiki/Abuild_and_Helpers) so that it produces `buildinfo files`, as well as a rebuilder backend. We plan to use the same buildinfo format as [Arch [Linux]](https://archlinux.org/), and will likely adapt some of the other reproducible builds work Arch has done to Alpine.
+
+Ariadne mentions plans to have a meeting and a sprint during July, to be organised in and around the `#alpine-reproducible` channel on the [OFTC IRC network](https://www.oftc.net/).
+
+Elsewhere in Alpine news, [*kpcyrd*](https://twitter.com/sn0int) posted a series of Tweets explaining the steps he made for an reproducible Alpine image. [[1](https://twitter.com/sn0int/status/1408853977106718724)] [[2](https://twitter.com/sn0int/status/1410280372051582978)]
+
+<br>
+
+[![]({{ "/images/reports/2021-06/nixos.png#right" | relative_url }})](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723)
+
+The [NixOS](https://nixos.org/) Linux distribution pulled off a technical and publicity coup this month by announcing that [*the `ISO_minimal.x86_64-Linux` image is 100% reproducible*](https://discourse.nixos.org/t/nixos-unstable-s-iso-minimal-x86-64-linux-is-100-reproducible/13723). The announcement was widely discussed on [Hacker News](https://news.ycombinator.com), where [the article has received in excess of 200 comments](https://news.ycombinator.com/item?id=27573393).
+
+<br>
+
+[![]({{ "/images/reports/2021-06/debian.png#right" | relative_url }})](https://debian.org)
+
+In early June, Nilesh Patra [asked for help making Debian's `brian` package build reproducibly](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20210607/013052.html). Felix C. Stegerman proposed two patches which seem to have fixed the remaining issues ([#989693](https://bugs.debian.org/989693)). These were submitted upstream, where they were shortly merged.
+
+<br>
+
+[![]({{ "/images/reports/2021-06/fdroid.png#right" | relative_url }})](https://www.f-droid.org/)
+
+Felix C. Stegerman announced the release of 1.0.0 release of [*apksigcopier*](https://github.com/obfusk/apksigcopier), a tool to copy, extract and patch `.apk` signatures needed to facilitate reproducible builds on the [F-Droid](https://f-droid.org) Android application store. Holger Levsen subsequently sponsored an upload to Debian.
+
+Elsewhere in F-Droid, the Swiss COVID Certificate mobile app (which uses reproducible builds) is [pending being added to F-Droid](https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9099) — the F-Droid developers have mentioned that the upstream developers have been very helpful in making this happen. Relatedly, the Android version of the [Electrum Bitcoin Wallet](https://electrum.org/#home) [has been made reproducible](https://github.com/spesmilo/electrum/pull/7263).
+
+<br>
+
+[![]({{ "/images/reports/2021-06/mirageos.png#right" | relative_url }})](https://mirage.io)
+
+[Hannes Mehnert](https://hannes.robur.coop/) announced the launch of the [reproducible MirageOS build infrastructure](https://hannes.robur.coop/Posts/Deploy), together with where to [obtain 'unikernels'](https://builds.robur.coop): "To provide a high level of assurance and trust, if you distribute binaries in 2021, you should have a recipe how they can be reproduced in a bit-by-bit identical way."
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`openvas-smb`](https://github.com/greenbone/openvas-smb/pull/40) (merged, date/PE timestamp)
-    * [`ipxe`](https://github.com/ipxe/ipxe/pull/388) (merged, make ar deterministic)
-    * [`kernel-default`](https://bugzilla.suse.com/show_bug.cgi?id=1187167) (merged, kernel sort + drop unused random sign key)
-    * [`python-MapProxy`](https://github.com/mapproxy/mapproxy/issues/522) (report FTBFS-j1)
-    * [`python-gcsfs`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187516) (report FTBFS-j1/stuck)
-    * [`lighttpd1`](https://github.com/lighttpd/lighttpd1.4/pull/106) (FTBFS-2036)
-    * [`dulwich`](https://github.com/dulwich/dulwich/pull/885) (FTBFS-2023 gpg key expired)
-    * [`lepton`](https://build.opensuse.org/request/show/903137) (Drop march=native)
-    * [`gtksourceview4`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187842) (report FTBFS-j1)
-    * [`json-lib`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187652) (report date / epoch(java))
-    * [`deepdiff`](https://github.com/seperman/deepdiff/issues/255) (report FTBFS-2022)
 
-* [FIXME](https://news.ycombinator.com/item?id=27573393)
+    * [`deepdiff`](https://github.com/seperman/deepdiff/issues/255) (report a 'build failure in 2022' issue)
+    * [`dulwich`](https://github.com/dulwich/dulwich/pull/885) (build fails in the future due to expired GPG key)
+    * [`gtksourceview4`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187842) (report that build fails in uniprocessor machine
+    * [`ipxe`](https://github.com/ipxe/ipxe/pull/388) (`ar(1)` call needs to be deterministic)
+    * [`json-lib`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187652) (report a date / epoch issue)
+    * [`kernel-default`](https://bugzilla.suse.com/show_bug.cgi?id=1187167) (two sorting and random-related issues)
+    * [`lepton`](https://build.opensuse.org/request/show/903137) (drop call to `-march=native`)
+    * [`lighttpd1`](https://github.com/lighttpd/lighttpd1.4/pull/106) (build fails in 2036)
+    * [`openvas-smb`](https://github.com/greenbone/openvas-smb/pull/40) (date and [Portable Executable](https://en.wikipedia.org/wiki/Portable_Executable) timestamp issue)
+    * [`python-MapProxy`](https://github.com/mapproxy/mapproxy/issues/522) (report a 'build fails on uniprocessor machine' issue)
+    * [`python-gcsfs`](https://bugzilla.opensuse.org/show_bug.cgi?id=1187516) (report a 'build fails on uniprocessor machine' issue)
+
+* Nilesh Patra:
+
+    * [#989572](https://bugs.debian.org/989572) filed against [`gl2ps`](https://tracker.debian.org/pkg/gl2ps).
+    * [#989583](https://bugs.debian.org/989583) filed against [`liblip`](https://tracker.debian.org/pkg/liblip).
+    * [#989693](https://bugs.debian.org/989693) filed against [`brian`](https://tracker.debian.org/pkg/brian).
+
+* Vagrant Cascadian:
+
+    * [#989963](https://bugs.debian.org/989963) filed against [`tclap`](https://tracker.debian.org/pkg/tclap).
+    * [#989965](https://bugs.debian.org/989965) filed against [`gtk-sharp3`](https://tracker.debian.org/pkg/gtk-sharp3).
+    * [#989966](https://bugs.debian.org/989966) filed against [`gtk-sharp3`](https://tracker.debian.org/pkg/gtk-sharp3).
+    * [#990084](https://bugs.debian.org/990084) filed against [`graphicsmagick`](https://tracker.debian.org/pkg/graphicsmagick).
+    * [#990246](https://bugs.debian.org/990246), [#990247](https://bugs.debian.org/990247) and [#990248](https://bugs.debian.org/990248) filed against [`vlc`](https://tracker.debian.org/pkg/vlc).
+    * [#990253](https://bugs.debian.org/990253) filed against [`pmix`](https://tracker.debian.org/pkg/pmix).
+    * [#990254](https://bugs.debian.org/990254) filed against [`openmpi`](https://tracker.debian.org/pkg/openmpi).
+    * [#990300](https://bugs.debian.org/990300) filed against [`auctex`](https://tracker.debian.org/pkg/auctex).
+    * [#990323](https://bugs.debian.org/990323) filed against [`volume-key`](https://tracker.debian.org/pkg/volume-key).
+    * [#990327](https://bugs.debian.org/990327) filed against [`cppunit`](https://tracker.debian.org/pkg/cppunit).
+    * [#990329](https://bugs.debian.org/990329) filed against [`rpm`](https://tracker.debian.org/pkg/rpm).
+    * [#990332](https://bugs.debian.org/990332) filed against [`libcddb`](https://tracker.debian.org/pkg/libcddb).
+    * [#990338](https://bugs.debian.org/990338) filed against [`autogen`](https://tracker.debian.org/pkg/autogen).
+    * [#990339](https://bugs.debian.org/990339) filed against [`matplotlib`](https://tracker.debian.org/pkg/matplotlib).
+
+Separate to this, Hans-Christoph Steiner noted there is a [reproducibility-related bug in Python's standard `zipfile` library](https://bugs.python.org/issue43547). This problem makes it hard to create reproducible `.zip` files. In particular, Hans would like to have more input from Python people, since it is not clear how best to resolve the problem.
+
+<br>
+
+### [diffoscope](https://diffoscope.org)
+
+[![]({{ "/images/reports/2021-06/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
+
+[*diffoscope*](https://diffoscope.org) is the Reproducible Builds project in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it provides human-readable diffs from many kinds of binary formats.
+
+This month, [Chris Lamb](https://chris-lamb.co.uk) made a number of changes including releasing [version 177](https://diffoscope.org/news/diffoscope-177-released/)). In addition, Chris updated the [*try.diffoscope.org*](https://try.diffoscope.org) service to reflect that they were [acquired by the Iomart Group](https://blog.bytemark.co.uk/2018/09/04/moving-up-the-stack) [[...](https://salsa.debian.org/reproducible-builds/try.diffoscope.org/commit/3e5c73a)].
+
+* Balint Reczey:
+
+    * Support `.deb` package members that are compressed with the [Zstandard](https://facebook.github.io/zstd/) compression algorithm. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7576e86d)]
+
+* Jean-Romain Garnier:
+
+    * Overhaul the [Mach-O](https://en.wikipedia.org/wiki/Mach-O) executable file comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/39add067)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6a856a93)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/877fa55d)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c5f54f89)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/07123d53)]
+    * Implement tests for the Mach-O comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/521c85d8)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/459def43)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cccebb94)]
+    * Switch to new argument format for the [LLVM compiler](https://llvm.org/). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a23c973f)]
+    * Fix `test_libmix_differences` in testsuite for the [ELF format](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/88041849)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fe81f577)]
+    * Improve macOS compatibility for the Mach-O comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f8900da8)]
+    * Add `llvm-readobj` and `llvm-objdump` to the internal `EXTERNAL_TOOLS` data structure. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2853bd7d)]
+
+* Mattia Rizzolo:
+
+    * Invoke `gzip(1)` with its 'short' option names in order to support [Busybox](https://busybox.net/)'s version of the utility. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9aefdb65)]
+
+<br>
+
+### Website and documentation
+
+[![]({{ "/images/reports/2021-06/website.png#right" | relative_url }})](https://reproducible-builds.org/)
+
+A number of few changes were made to the [main Reproducible Builds website and documentation](https://reproducible-builds.org/) this month, including:
+
+* Arnout Engelen:
+
+    * Credit Ludovic Courtès for the Guix page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ed7e5c6)]
+    * Fix link to NixOS. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/380be47)]
+
+* Chris Lamb:
+
+    * Use an ellipsis [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/326bacd)] and drop a full stop [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/60347ac)] to clarify 'more items' links.
+    * Update the link and logo to [Google Open Source Security Team](https://security.googleblog.com/). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a1b9aed)]
+    * Reduce the amount of bold text on [the homepage]({{ "/" | relative_url }}). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e9f44ea)]
+    * Document the non-reproducibility arising from abbreviated Git hashes [depending on the number of total objects in a Git repository]({{ "/docs/version-information/" | relative_url }}#git-checksums). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/31)]
+
+* Hervé Boutemy:
+
+    * Add a [Reproducible Central section]({{ "/docs/jvm/" | relative_url }}#reproducible-central) section to the JVM page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/300587e)]
+
+* Holger Levsen:
+
+    * Add [*busybox*](https://busybox.net/) to the list of software respecting the [`SOURCE_DATE_EPOCH`]({{ "/specs/source-date-epoch/" | relative_url }}) environment variable for build timestamps if available. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e64f7d0)]
+
+* Mattia Rizzolo:
+
+    * Fix a typo in a CSS class name. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e2c8ee1)]
+    * Add the (now-superseded) [Core Infrastructure Initiative](https://www.coreinfrastructure.org/) to the list of historical sponsors. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6d042f3)]
+
+<br>
+
+### Testing framework
+
+[![]({{ "/images/reports/2021-06/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a [Jenkins](https://jenkins.io/)-based testing framework that powers [`tests.reproducible-builds.org`](https://tests.reproducible-builds.org). This month, the following changes were made:
+
+* Holger Levsen:
+
+    * Automatic node health check improvements:
+
+        * Tune regular expression to detect proxy failures. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bbaad8a1)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a7feb4a6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d70fca31)]
+        * Detect non-fatal failures using a [HTTP(S) proxy](https://en.wikipedia.org/wiki/Proxy_server#Web_proxy_servers). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4edbe7ca)]
+        * Also detect "no route to host" issues. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/aef1c204)]
+        * Misc aesthetic changes to the status page. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/99228d13)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a77f4de9)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/457c6f30)]
+        * Detect failure to "make tools". [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/75389717)]
+
+    * Debian-related changes:
+
+        * Initial stab at building and comparing [Debian Live](https://www.debian.org/CD/live/) images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cc531053)]
+        * Run the `lb build` Debian Live command with `sudo(8)`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b777f20e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/250526ff)]
+        * Use safer and more common `rm -rf` syntax in/around Debian Live images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/02402977)]
+        * Sync build results of Live images to our Jenkins instance. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/811b5ab7)]
+        * Cope with the [Tails](https://tails.boum.org/) build manifests now only containing binary package names. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f7660c42)]
+        * Do not incorrectly detect diskspace issues on [OpenSSL](https://www.openssl.org/) builds. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/51a40c40)]
+        * Create a Debian *unstable* schroot for running diffoscope on the `osuosl173` node so it can be used to test Debian Live images. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b4080adf)]
+        * Delete the `reproducible_compare_Debian_sha1sums` jobs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e8fc4f71)]
+
+    * Misc:
 
-* FIXME: Hans-Christoph Steiner noted there is a RB bug in Python's standard zipfile library.  It needlessly makes it hard to create reproducible ZIPs  with it https://bugs.python.org/issue43547 and Hans would like to have more input from Python people there, since it is not clear how best to handle it.
+        * Be more verbose when cloning [Coreboot](https://www.coreboot.org/) Git repository. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/558c36b6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ee9eeb4b)]
+        * Configure the `needrestart` tool to restart all services automatically. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0aa17b9d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c1fe64b8)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a729e95e)]
+        * Increase the [Linux kernel inotify](https://en.wikipedia.org/wiki/Inotify) watch limit further on all hosts. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0204b7cf)]
+        * Properly delete old `schroot` overlays. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/99ca0c3d)]
 
-* FIXME: From: Dan Shearer [posted to our rb-general list](https://lists.reproducible-builds.org/pipermail/rb-general/2021-June/002282.html) about Reproducibility and microcode updates: ' Here at LumoSQL we do repeated runs testing SQLite of various versions and configurations, storing the results in an SQLite database. Here is an example of the kind of variation that justifies what some have called our too-fussy test suite, a [microcode update that changes behaviour from one day to another](https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html).
+* Mattia Rizzolo:
 
-* FIXME:Felix C. Stegerman did a 1.0.0 release of [`apksigcopier`](https://github.com/obfusk/apksigcopier) which is a tool to copy, extract and patch `.apk` signatures that is needed to facilitate reproducible builds on the [F-Droid](https://f-droid.org) Android application store and elsewhere. Holger Levsen subsequently sponsored an upload to Debian. (Still sitting in NEW atm.)
+    * Update the documentation regarding manual scheduling Debian builds to drop old references to the deprecated [Alioth](https://wiki.debian.org/Alioth) system. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7a500fe1)]
+    * Update a number of IP addresses for `armhf` architecture machines. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b242c74a)]
 
+* Roland Clobus (FIXME below):
 
-* [FIXME](https://www.theverge.com/2021/6/8/22524307/anom-encrypted-messaging-fbi-europol-afp-sting-operation-trojan-shield-greenlight)
+    * Cleanup RESULTSDIR when safe; publish results; unify whitespace. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1006e099)]
+    * Use a different folder for the results, that is accessible from the schroot. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dbc9471d)]
+    * Create a subdirectory for the ISO files, add more logging to the diffoscope call and publish the output of diffoscope. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1966e740)]
+    * Add DIFFOSCOPE environment variable. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dac906bf)]
+    * call\_diffoscope requires the variable TIMEOUT to be set. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a5d19afd)]
+    * Fixed invocation of mktemp with --tmpdir. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/396680fc)]
+    * Fixed location of 'rm' command. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/36c954df)]
+    * Cleanup with sudo Call 'lb config' before the second build. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/31b0c6c5)]
+    * 'lb clean --purge' requires root rights. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/456664d6)]
+    * Use TMPDIR instead of MY\_WORKSPACE, because call\_diffoscope assumes TMPDIR to be set. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ffb6bdd9)]
+    * Use and clean an isolated workspace. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5ce264f5)]
+    * Spelling corrections. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/eb492694)]
+    * Allow SOURCE\_DATE\_EPOCH and LIVE\_BUILD to enter the sudo environment. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cad52f63)]
+    * The environment variables must be before the command in sudo. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/abb8bef8)]
+    * sudo needs 2 environment variables set: SOURCE\_DATE\_EPOCH and LIVE\_BUILD. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/41cdf7e7)]
+    * Build live images twice and compare the output. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c2987737)]
 
-* [FIXME](https://arstechnica.com/gadgets/2021/06/counterfeit-pypi-packages-with-5000-downloads-installed-cryptominers/)
+* Vagrant Cascadian:
 
-* FIXME: Nilesh Patra [asked for help making the Debian brian package reproducible](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20210607/013052.html).  Felix C. Stegerman proposed two patches, which seem to have fixed the remaining issues, and submitted them upstream, where they were merged.
+    * Document the access to the `armhf` architecture host servers. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/12dd6947)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1bfe9112)]
+    * Update the number of `armhf` architecture jobs and machines. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bbf5e229)]
+    * Add build jobs and SSH keys (etc.) for various new machines. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/38eba435)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b8b85dba)]
 
-* FIXME: [F-Droid](https://f-droid.org) inclusion for the Swiss COVID Certificate Apps, which use Reproducible Builds, [is pending review](https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9099).  The upstream developers have been very helpful in making this happen.
+Finally, build node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/93ee8ecb)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/994026c2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/57abb28c)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/033d2a6c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e39f00c3)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/956888c8)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/24aac701)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5f452539)].
 
-* FIXME: Android builds are sometimes not reproducible due to a bug in `coreLibraryDesugaring`; this [currently affects NewPipe](https://github.com/TeamNewPipe/NewPipe/issues/6486).
+<br>
 
-* FIXME: Electrum for Android [has been made reproducible](https://github.com/spesmilo/electrum/pull/7263).
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
-* FIXME: General #reproducible-builds IRC meeting on June 29th 2021
-  * log at http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-06-29-15.00.html
-  * next 27th of July at 15 UTC on #reproducible-builds on irc.oftc.net
-  * agenda at https://pad.riseup.net/p/rb-irc-meetings-keep
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
-* FIXME: 300587e9 in website.git/_docs/jvm.md from Hervé Boutemy introduces Reproducible Central with its .buildspec for the JAVA ecosystem.
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
 
-* FIXME: https://www.lawfareblog.com/dangers-posed-evidentiary-softwareand-what-do-about-it
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
-* FIXME: Hannes Mehnert announced the launch of the reproducible MirageOS builds infrastructure -- https://hannes.robur.coop/Posts/Deploy -- together with where to get the unikernels https://builds.robur.coop - quote "To provide a high level of assurance and trust, if you distribute binaries in 2021, you should have a recipe how they can be reproduced in a bit-by-bit identical way. "
+ * Reddit: [/r/ReproducibleBuilds](https://reddit.com/r/reproduciblebuilds)
 
-* FIXME: kpcyrd did two series of tweets explaining steps he made for an reproducible alpine image:
-  * https://twitter.com/sn0int/status/1408853977106718724
-  * https://twitter.com/sn0int/status/1410280372051582978
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
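Review bot: the finished report text still carries a draft marker at `+* Roland Clobus (FIXME below):`; drop the `(FIXME below)` before this is published. Two further nits in the same hunk: `+    * Cleanup with sudo Call 'lb config' before the second build.` reads like two commit titles run together and needs a period or a split into two items, and `+    * Update the documentation regarding manual scheduling Debian builds ...` should read "manually scheduling". In the closing section, `However, you can get in touch with us via:` contradicts the sentence before it; "Alternatively" or "You can also get in touch with us via:" fits better. Finally, this hunk removes a dozen `FIXME` draft notes (Anom, the counterfeit PyPI packages, the brian package, the Swiss COVID certificate apps, NewPipe, Electrum, the IRC meeting, Reproducible Central, the Lawfare article, MirageOS and kpcyrd's Alpine image); the new `images/reports/2021-06/` assets suggest most were written up elsewhere in the file, but it is worth confirming each item landed somewhere before the note is deleted.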


=====================================
bin/generate-draft.template
=====================================
@@ -77,7 +77,8 @@ In addition, build failure bugs were reported by:
 {{ project }} version `{{ x['version'] }}` was [uploaded to Debian {{ x['distribution'] }}](https://tracker.debian.org/pkg/{{ project }}?FIXME) by {{ x['signed_by_name'] }}. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/{{ project }}/commits/{% if project != 'diffoscope' %}debian/{% endif %}{{ x['version'] }}) as well as new ones from:
 
 {% endfor %}
-{% for x, ys in commits[project].items()|sort %}* {{ x }}:{% for y in ys %}
+{% for x, ys in commits[project].items()|sort %}* {{ x }}:
+{% for y in ys %}
     * {{ y['title'] }}. [[...]({% if project == "jenkins.debian.net" %}https://salsa.debian.org/qa/jenkins.debian.net/commit/{{ y['sha'] }}{% else %}https://salsa.debian.org/reproducible-builds/{{ project }}/commit/{{ y['sha'] }}{% endif %})]{% endfor %}
 {% endfor %}
 {% endfor %}
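Review bot: moving `{% for y in ys %}` onto its own line means the newline after that tag is now emitted inside the outer loop (assuming Jinja2 defaults, i.e. no `trim_blocks`), so each `* {{ x }}:` line is followed by a blank line before its first `    * ...` item, while the newline after the inner `{% endfor %}` is unchanged and consecutive contributors are still not separated by a blank line. If the blank line after the contributor name is the intended "nicer place", consider making the whitespace explicit with a `-` modifier (`{% for y in ys -%}`) or `trim_blocks` so the rendered Markdown does not depend on tag placement. While here, the unchanged context line still links to `https://tracker.debian.org/pkg/{{ project }}?FIXME`; that placeholder query string should be resolved or removed.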


=====================================
images/reports/2021-06/alpine.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/alpine.png differ


=====================================
images/reports/2021-06/anom.jpg
=====================================
Binary files /dev/null and b/images/reports/2021-06/anom.jpg differ


=====================================
images/reports/2021-06/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/archlinux.png differ


=====================================
images/reports/2021-06/debian.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/debian.png differ


=====================================
images/reports/2021-06/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   version="1.1"
+   width="128"
+   height="128"
+   id="svg2">
+  <defs
+     id="defs4" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+     id="layer1">
+    <g
+       id="g5409">
+      <g
+         transform="translate(5.418238,0)"
+         id="g5386">
+        <rect
+           width="90.304001"
+           height="50.999996"
+           x="316.36414"
+           y="472.80621"
+           id="rect4667-3"
+           style="fill:none;stroke:none" />
+        <g
+           id="text4673-8"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5371"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5373"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5375"
+             style="fill:#c00000;fill-opacity:1" />
+        </g>
+        <g
+           id="text5366"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5378" />
+          <path
+             d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5380" />
+          <path
+             d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5382" />
+        </g>
+      </g>
+      <use
+         id="use5399"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+         id="use5401"
+         style="opacity:0.85"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+         id="use5403"
+         style="opacity:0.7"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+         id="use5405"
+         style="opacity:0.55"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+    </g>
+  </g>
+</svg>
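Review bot: the added SVG ships with editor metadata that serves no purpose in a published asset: the Inkscape comment, the `xmlns:dc`/`xmlns:cc`/`xmlns:rdf` namespaces with the `<metadata>` block, an empty `<defs id="defs4" />` and an empty `<dc:title></dc:title>`. Consider running it through an optimizer (scour or svgo) before committing, and either fill in a title for accessibility or drop the empty element along with the rest of the metadata.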


=====================================
images/reports/2021-06/fdroid.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/fdroid.png differ


=====================================
images/reports/2021-06/google-open-source.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/google-open-source.png differ


=====================================
images/reports/2021-06/lwn.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/lwn.png differ


=====================================
images/reports/2021-06/mirageos.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/mirageos.png differ


=====================================
images/reports/2021-06/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/nixos.png differ


=====================================
images/reports/2021-06/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/reproducible-builds.png differ


=====================================
images/reports/2021-06/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/testframework.png differ


=====================================
images/reports/2021-06/website.png
=====================================
Binary files /dev/null and b/images/reports/2021-06/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/7d27229c5ae6ea0a2eeaf513272be05d54ccccfd...094d14400fce323c7dbd9fa8f878b4116481161f


