[Git][reproducible-builds/reproducible-website][master] 2 commits: Fixup some links in old reports.

Chris Lamb gitlab at salsa.debian.org
Wed Mar 3 11:06:10 UTC 2021



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
35bd350b by Chris Lamb at 2021-03-03T11:05:02+00:00
Fixup some links in old reports.

- - - - -
f8e495d5 by Chris Lamb at 2021-03-03T11:05:38+00:00
2021-02: Initial draft

- - - - -


14 changed files:

- _reports/2020-03.md
- _reports/2021-01.md
- _reports/2021-02.md
- + images/reports/2021-02/birsan.png
- + images/reports/2021-02/bootstrappable-builds.png
- + images/reports/2021-02/debian.png
- + images/reports/2021-02/diffoscope.svg
- + images/reports/2021-02/gnu-mes-talk.png
- + images/reports/2021-02/intoto.png
- + images/reports/2021-02/opensuse.png
- + images/reports/2021-02/outreachy.png
- + images/reports/2021-02/qubes.png
- + images/reports/2021-02/reproducible-builds.png
- + images/reports/2021-02/testframework.png


Changes:

=====================================
_reports/2020-03.md
=====================================
@@ -43,7 +43,7 @@ Hervé Boutemy [also reported](https://lists.reproducible-builds.org/pipermail/r
 
 [![]({{ "/images/reports/2020-03/dettrace.jpeg#right" | relative_url }})](https://youtu.be/YkmS-vf12nE)
 
-In [last month's report]() we detailed [Omar Navarro Leija](https://gatowololo.github.io/)'s work in and around an academic paper titled [*Reproducible Containers*](https://gatowololo.github.io/resources/publications/dettrace.pdf) which describes in detail the workings of a user-space container tool called [`dettrace`](https://github.com/dettrace/dettrace) ([PDF](https://gatowololo.github.io/resources/publications/dettrace.pdf)). Since then, the PhD student from the [University Of Pennsylvania](https://home.www.upenn.edu/) presented on this tool at the [ASPLOS 2020](https://asplos-conference.org/) conference in Lausanne, Switzerland. Furthermore, there were contributions to `dettrace` from the Reproducible Builds community itself. [[...](https://github.com/dettrace/dettrace/pull/278)][[...](https://github.com/dettrace/dettrace/pull/277)]
+In [last month's report]({{ "/repots/2020-02/" }}) we detailed [Omar Navarro Leija](https://gatowololo.github.io/)'s work in and around an academic paper titled [*Reproducible Containers*](https://gatowololo.github.io/resources/publications/dettrace.pdf) which describes in detail the workings of a user-space container tool called [`dettrace`](https://github.com/dettrace/dettrace) ([PDF](https://gatowololo.github.io/resources/publications/dettrace.pdf)). Since then, the PhD student from the [University Of Pennsylvania](https://home.www.upenn.edu/) presented on this tool at the [ASPLOS 2020](https://asplos-conference.org/) conference in Lausanne, Switzerland. Furthermore, there were contributions to `dettrace` from the Reproducible Builds community itself. [[...](https://github.com/dettrace/dettrace/pull/278)][[...](https://github.com/dettrace/dettrace/pull/277)]
 
 <br>
 
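Review bot: The replacement link on the `+` line is misspelled and unfiltered: `{{ "/repots/2020-02/" }}` should be `/reports/2020-02/`, and it lacks the `| relative_url` filter that the image link in the context above it uses. As written, the commit swaps an empty link for a broken one. Suggest `{{ "/reports/2020-02/" | relative_url }}`.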


=====================================
_reports/2021-01.md
=====================================
@@ -94,7 +94,7 @@ Bernhard M. Wiedemann posted his [monthly reproducible builds status report](htt
 
 #### [*diffoscope*](https://diffoscope.org)
 
-[![]({{ "/images/reports/2020-12/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
+[![]({{ "/images/reports/2021-01/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
 
 [*diffoscope*](https://diffoscope.org) is our project in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it provides human-readable diffs from many kinds of binary format. This month, Chris Lamb made a large number of changes (including releasing [version 164](https://diffoscope.org/news/diffoscope-163-released/), [version 165](https://diffoscope.org/news/diffoscope-163-released/) and [version 166](https://diffoscope.org/news/diffoscope-163-released/)):
 
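Review bot: The context line just below the changed image path still links version 164, version 165 and version 166 all to `https://diffoscope.org/news/diffoscope-163-released/`. Since this commit is about fixing links in old reports, each version should point at its own release announcement in the same pass. The same sentence also reads "our project in-depth and content-aware diff utility", which is missing a possessive.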
@@ -158,7 +158,7 @@ Other changes were made by:
 
 The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
-* Arjen de Korte [created a pull request](https://github.com/php/php-src/pull/6564) for the [PHP programming language](https://www.php.net) to ensure that the ['phar' extension](https://www.php.net/manual/en/intro.phar.php) respects the [`SOURCE_DATE_EPOCH`](https://reproducible-builds.org/docs/source-date-epoch/) environment variable.
+* Arjen de Korte [created a pull request](https://github.com/php/php-src/pull/6564) for the [PHP programming language](https://www.php.net) to ensure that the ['phar' extension](https://www.php.net/manual/en/intro.phar.php) respects the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) environment variable.
 
 * Bernhard M. Wiedemann:
 
@@ -196,7 +196,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
 ### Testing framework
 
-[![]({{ "/images/reports/2020-11/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+[![]({{ "/images/reports/2021-01/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
 
 The Reproducible Builds project operates a large [Jenkins](https://jenkins.io/)-based testing framework that powers [`tests.reproducible-builds.org`](https://tests.reproducible-builds.org). This month, the following changes were made:
 
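Review bot: The new path `/images/reports/2021-01/testframework.png` (like `/images/reports/2021-01/diffoscope.svg` in the first hunk of this file) is not among the 14 changed files, which add images only under `images/reports/2021-02/`. Please confirm both files already exist under `images/reports/2021-01/`, otherwise the change replaces a stale image with a missing one.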


=====================================
_reports/2021-02.md
=====================================
@@ -6,79 +6,212 @@ title: "Reproducible Builds in February 2021"
 draft: true
 ---
 
-* FIXME: FOSDEM
-   * https://fosdem.org/2021/schedule/event/gnumes/ - talk by Jan Nieuwenhuizen (janneke)
+[![]({{ "/images/reports/2021-02/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html
+**Welcome to the report from the [Reproducible Builds](https://reproducible-builds.org) project for February 2021.** In our monthly reports, we try to outline the most important things that have happened in the world of reproducible builds. If you are interested in contributing to the project, though, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on [our website]({{ "/" | relative_url }}).
 
-* apt-transport-in-toto became available in bullseye for the first time
+---
+
+[![]({{ "/images/reports/2021-02/gnu-mes-talk.png#right" | relative_url }})](https://fosdem.org/2021/schedule/event/gnumes/)
+
+On Sunday 7th February, Jan '*janneke*' Nieuwenhuizen gave a talk at [FOSDEM '21](https://fosdem.org/2021/) on [GNU Mes](https://www.gnu.org/software/mes/): [*Reproducibility is not enough: The missing link between stage0/M2-Planet and Mes*](https://fosdem.org/2021/schedule/event/gnumes/). Taking place in the [Declarative and Minimalistic Computing devroom](https://fosdem.org/2021/schedule/track/declarative_and_minimalistic_computing/), Jan's talk touched on reproducible builds and how a minimal binary seed further reduces the security attack surface when creating (or "bootstrapping") a system from scratch.
+
+<br>
+
+A few days earlier, Eric Brewer, Rob Pike, Abhishek Arya, Anne Bertucio and Kim Lewandowski wrote a post on the [Google Security Blog](https://security.googleblog.com/) proposing an industry-wide framework they call "[*Know, Prevent, Fix*](https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html)" which aims to improve how the industry might think about vulnerabilities in open source software, including "Consensus on metadata and identity standards" and — more relevant to the Reproducible Builds project — "Increased transparency and review for critical software":
+
+> Ken Thompson's Turing Award lecture famously demonstrated in 1984 that authentic source code alone is not enough, and recent events have shown this attack is a real threat. How do you trust your build system? All the components of it must be trusted and verified through a continuous process of building trust. Reproducible builds help—there is a deterministic outcome for the build and we can thus verify that we got it right—but are harder to achieve due to ephemeral data (such as timestamps) ending up in the release artifact. And safe reproducible builds require verification tools, which in turn must be built verifiably and reproducibly, and so on. We must construct a network of trusted tools and build products. [[...](https://security.googleblog.com/2021/02/know-prevent-fix-framework-for-shifting.html)]
+
+<br>
+
+After that, [Drew DeVault](https://drewdevault.com/) wrote an interesting blog post titled [*How to make your downstream users happy*](https://drewdevault.com/2021/02/09/How-to-make-your-downstreams-happy.html), pointing out that "There are a number of things that your FOSS project can be doing which will make the lives of your downstream users easier, particularly if you’re writing a library or programmer-facing tooling". We concur, especially with Drew's recommendations to use the Reproducible Builds' [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) environment variable.
+
+<br>
+
+[![]({{ "/images/reports/2021-02/birsan.png#right" | relative_url }})](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+
+Another blog post this month was written by [Alex Birsan](https://twitter.com/alxbrsn) where he [details a novel supply-chain attack](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), similar to (but also distinct from) the various [typo-squatting attacks](https://en.wikipedia.org/wiki/Typosquatting) that have been increasingly popular in the past year or so. Alex's post begins with the ominous phrase: "Ever since I started learning how to code, I have been fascinated by the level of trust we put [in] `pip install package_name`".
+
+<br>
+
+[![]({{ "/images/reports/2021-02/intoto.png#right" | relative_url }})](https://in-toto.io/)
+
+Closer to home, Justin Cappos informatively replied to an email on our mailing list answering the question [*How we could accelerate deployment of verified reproducible builds?*](https://lists.reproducible-builds.org/pipermail/rb-general/2021-February/002183.html), describing some of the workings of [`in-toto`](https://in-toto.io/) with regards to the potentially distributed validation of binary signatures. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2021-February/002183.html)]
+
+<br>
+
+## Software development
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2021-02/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
+
+[*diffoscope*](https://diffoscope.org) is the Reproducible Build's project in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it provides human-readable diffs from many kinds of binary format. This month, [Chris Lamb](https://chris-lamb.co.uk) made a large number of changes (including releasing [version 167](https://diffoscope.org/news/diffoscope-167-released/) and [version 168](https://diffoscope.org/news/diffoscope-168-released/)):
+
+* Bug fixes:
+
+    * Don't call `difflib.Differ.compare` with very large inputs; it is at least [O(n^2)](https://en.wikipedia.org/wiki/Big_O_notation) and makes *diffoscope* (appear to) hang. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/240)]
+    * Don't rely on `dumpimage` returning an appropriate exit code; check that the file actually exists. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a3fbad4)]
+    * Don't rely on `magic.Magic` to have an identical API between file's `magic.py` and PyPI's `python-magic` library. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/238)]
+
+* Revamp temporary file handling:
+
+    * Ensure we cleanup our temporary directory by avoiding confusion between the `TemporaryDirectory` instance and the underlying directory. ([#981123](https://bugs.debian.org/981123))
+    * Try and use a potentially-useful suffix to our temporary directory. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/34477c5)]
+
+* Testsuite improvements:
+
+    * Strip newlines when determining the [Black](https://github.com/psf/black) source code formatter version to avoid `requires black >= 20.8b1 (18.9b0\n detected)` in test output. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/77da137)]
+    * Fix [`weakref`](https://docs.python.org/3/library/weakref.html)-related handling in Python 3.7 (i.e. Debian *buster*). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/issues/239)]
+    * If our temporary directory does not exist anymore, recreate it. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/b666c07)]
+    * Fix FIT-related tests in Debian *buster* [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/71ce125)] and `fit_expected_diff` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e70171a)].
+    * [Gnumeric](http://www.gnumeric.org/) is back in testing so re-add to (test) `Build-Depends`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7010ead)]
+    * Mark `test_apk.py::test_android_manifest` as being allowed to fail for now. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8fd4b6a)]
+    * Add `u-boot-tools` to (test) Build-Depends so [salsa.debian.org](https://salsa.debian.org/) pipelines test the new U-Boot FIT comparator. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c441700)]
+    * Move to `assert_diff` utility in a number of tests. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c1a43a2)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4d0c4e4)]
+
+* Codebase improvements:
+
+    * Correct capitalisation of 'jQuery'. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/654bfa8)]
+    * Update various copyright years. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c18be23)]
+    * Tidy imports in `diffoscope.comparators.fit`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/28eec32)]
+    * Don't use `Inheriting PATH of X`, use `PATH is X` in logging messages. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2e6ea68)]
+    * Drop unused `Config.acl` and `Config.xattr` attributes [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f6fc6ce)] and set a default `Config.extended_filesystem_attributes`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/baddc55)]
+
+Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to versions 165 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=b6ad414f4725b96cf799d74bbc11d5dcbb44c75b)], 166, [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f813750a4aa07797e0120babdd5efbe17f1d3911)] and 167 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=90ccb46a5534a031a6a6d994fd9b7ee2b5ccbf84)].
+
+### Debian
+
+[![]({{ "/images/reports/2021-02/debian.png#right" | relative_url }})](https://debian.org/)
 
-* [Frédéric Pierret restarted the discussion on .buildinfo files for rpm]( https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/OLCD2L6I5KUKWR6WLIUXFUYZ7KAQ66E3/)
+Roland Clobus created a page on the [Debian Wiki](https://wiki.debian.org/) to detail his progress in [creating reproducible "live" images](https://wiki.debian.org/ReproducibleInstalls/LiveImages) (i.e. bootable USB sticks, etc.). In [Roland's post to our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2021-February/002189.html), Roland included a short summary that included:
 
-* Frédéric Pierret made disorderfs and reprotest available in the official Fedora repos.
+> The 'standard' image is reproducible, if `fontconfig` and `mdadm` are patched. For `fontconfig` I've created a patch that works for live-build, but not for all other tool that might who need it. For `mdadm` I'm finalizing a patch.
 
-* packaged [`dettrace`](https://build.opensuse.org/request/show/869868) for openSUSE using theunreproduciblepackage as test.
+[![]({{ "/images/reports/2021-02/intoto.png#right" | relative_url }})](https://in-toto.io/)
+
+Elsewhere, The [`apt-transport-in-toto`](https://tracker.debian.org/pkg/apt-transport-in-toto) package (an add-on for APT to use [in-toto](https://in-toto.io/) supply-chain verifications), is now available in the *bullseye* distribution for the first time and will, therefore, be included in the next stable release of Debian.
+
+Holger Levsen suggested the creation of a partial mirror of [*snapshot.debian.org*](https://snapshot.debian.org/) (a service needed to rebuild Debian packages) to work around problems with the widespread adoption of the *snapshot.debian.org* site [[...](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20210222/012913.html)]. In addition, a new [`metasnap.debian.net`](http://metasnap.debian.net/) service was announced in a [recent edition of Misc Developer News](https://lists.debian.org/debian-devel-announce/2021/02/msg00005.html). This new offering is designed to complement the existing [*snapshot.debian.org*](https://snapshot.debian.org/) service to answer questions such as:
+
+* Given a certain timestamp, which version of a certain package was in a given suite at that time?
+* Given a versioned package, in which suite was that package present during which periods of time?
+* Given a package and a suite name, which versions where present in that suite during which times?
+
+45 reviews of Debian packages were added, 39 were updated and 28 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Two issue types were added by Chris Lamb: [`build_path_in_documentation_generated_by_pdflatex`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/e85e7d6e) and [`build_path_in_record_file_generated_by_pybuild_flit_plugin`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/53bbee9b).
+
+### Other distributions
+
+[![]({{ "/images/reports/2021-02/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Bernhard M. Wiedemann posted his [monthly reproducible builds status report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/3A6DKFPDDRLPZBEUSHD234RHHQ77AZCH/) for the [openSUSE](https://www.opensuse.org/) distribution which had a number of followups on the topic of unique identifiers in PDF files and [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). Bernhard also packaged [dettrace](https://github.com/dettrace/dettrace) (covered in [a previous month's report]({{ "/reports/2020-02/" }})) for openSUSE too [[...](https://build.opensuse.org/request/show/869868)].
+
+[![]({{ "/images/reports/2021-02/qubes.png#right" | relative_url }})](https://www.qubes-os.org/)
+
+Marek Marczykowski-Górecki wrote a lengthy blog post about the development process of [Qubes-OS](https://www.qubes-os.org/) titled "[*Improvements in testing and building: GitLab CI and reproducible builds*](https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/)". Marek describes the problem solved by reproducible builds as follows:
+
+> [Imagine] that an attacker wishes to feed unsuspecting users a compromised package. The attacker knows that the source code is public, so any malicious code he inserts into it would be highly exposed and at risk of detection. On the other hand, he reasons, compromising the build infrastructure would allow him to surreptitiously insert malicious changes that would make it into the resultant package. Since the source code remains untouched, his malicious changes are less likely to be detected. This is where the value of reproducible builds comes in. If the build process is reproducible, then we will immediately notice that building a package from the untouched source code results in a package that is different from the compromised one. This would be a major red flag that would prompt an immediate security investigation. [[...](https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/)]
+
+In [Fedora](https://fedoraproject.org/), Frédéric Pierret [restarted a discussion regarding `.buildinfo` files for RPM]( https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/OLCD2L6I5KUKWR6WLIUXFUYZ7KAQ66E3/), and made [*disorderfs*](https://salsa.debian.org/reproducible-builds/disorderfs) and [*reprotest*](https://salsa.debian.org/reproducible-builds/reprotest) available in the official Fedora repos.
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`kanku/perl-MooseX-App`](https://bugzilla.opensuse.org/show_bug.cgi?id=1181616) (report random order => Frank Schreiner [fixed it](https://github.com/maros/MooseX-App/pull/64), toolchain, sort)
-    * [`jpype`](https://github.com/jpype-project/jpype/pull/931) (filesys: sort python glob/readdir)
-    * [`smlnj`](https://bugzilla.opensuse.org/show_bug.cgi?id=1181652) (reported unknown nondeterminism)
-    * [`ipxe`](https://github.com/ipxe/ipxe/pull/234) (date, random)
-    * [`ipxe`](https://github.com/ipxe/ipxe/pull/252) (date/mtime)
-    * [`cpan`](https://github.com/aferreira/cpan-Term-Size-Perl/pull/1) (date)
-    * [`syslinux/isohybrid`](https://build.opensuse.org/request/show/868912) (toolchain, fix random MBR ID for ipxe.iso)
-    * [`calc`](https://build.opensuse.org/request/show/872190) (CPU (needed fixups for non-intel))
-    * [`lagrange`](https://build.opensuse.org/request/show/873004) (CPU)
-    * [`gmic`](https://github.com/dtschump/gmic/pull/288) (merged, date / copyright year)
-    * [`gocr`](https://build.opensuse.org/request/show/875812) (random)
-    * [`HTTP`](https://github.com/dagolden/HTTP-CookieJar/pull/10) (fix FTBFS-2021)
-    * [`libsoup`](https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/177) (merged, FTBFS-2027)
+
+    * [`automake/pcre`](https://bugzilla.opensuse.org/show_bug.cgi?id=1182604) (filesystem and [ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization)-related issue))
+    * [`calc`](https://build.opensuse.org/request/show/872190) (required fixes for non-Intel CPUs)
+    * [`cpan`](https://github.com/aferreira/cpan-Term-Size-Perl/pull/1) (date-related issue)
+    * [`gmic`](https://github.com/dtschump/gmic/pull/288) (address a copyright year)
+    * [`gocr`](https://build.opensuse.org/request/show/875812) (randomisation issue)
+    * [`HTTP`](https://github.com/dagolden/HTTP-CookieJar/pull/10) (fix build failures after June 2021)
+    * [`ipxe`](https://github.com/ipxe/ipxe/pull/234) (date issue, random issue)
+    * [`ipxe`](https://github.com/ipxe/ipxe/pull/252) (modification time issue)
+    * [`jpype`](https://github.com/jpype-project/jpype/pull/931) (sort a Python-based filesystem ordering)
+    * [`lagrange`](https://build.opensuse.org/request/show/873004) (CPU-related issue)
+    * [`libsoup`](https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/177) (fix build failing in 2027)
+    * [`openscap`](https://github.com/OpenSCAP/openscap/pull/1699) (modification time issue)
     * `scap-security-guide`:
-        * [sort python readdir](https://github.com/ComplianceAsCode/content/pull/6647)
-        * [date](https://github.com/ComplianceAsCode/content/pull/6642)
-        * [`openscap`](https://github.com/OpenSCAP/openscap/pull/1699) (toolchain, mtime/date)
-    * [`automake/pcre`](https://bugzilla.opensuse.org/show_bug.cgi?id=1182604) (merged, toolchain, filesys+ASLR)
+        * Sort a Python-based filesystem ordering. [[...](https://github.com/ComplianceAsCode/content/pull/6647)]
+        * Date-related issue. [[...](https://github.com/ComplianceAsCode/content/pull/6642)]
+    * [`syslinux/isohybrid`](https://build.opensuse.org/request/show/868912) (fix a nondeterministic [MBR](https://en.wikipedia.org/wiki/Master_boot_record) ID for `ipxe.iso`)
+
+* Chris Lamb:
+
+    * [#981570](https://bugs.debian.org/981570) filed against [`crossfire`](https://tracker.debian.org/pkg/crossfire).
+    * [#981571](https://bugs.debian.org/981571) filed against [`zmk`](https://tracker.debian.org/pkg/zmk).
+    * [#982529](https://bugs.debian.org/982529) filed against [`python-aiosqlite`](https://tracker.debian.org/pkg/python-aiosqlite).
+    * [#982851](https://bugs.debian.org/982851) filed against [`mocassin`](https://tracker.debian.org/pkg/mocassin) ([forwarded upstream](https://github.com/rwesson/mocassin/pull/13)).
+    * [#983033](https://bugs.debian.org/983033) filed against [`golang-github-revel-revel`](https://tracker.debian.org/pkg/golang-github-revel-revel).
+    * [#983046](https://bugs.debian.org/983046) filed against [`kjs`](https://tracker.debian.org/pkg/kjs).
+    * [#983163](https://bugs.debian.org/983163) filed against [`golang-github-viant-toolbox`](https://tracker.debian.org/pkg/golang-github-viant-toolbox).
+
+* Vagrant Cascadian:
+
+    * [#983126](https://bugs.debian.org/983126) filed against [`iptotal`](https://tracker.debian.org/pkg/iptotal).
+    * [#983138](https://bugs.debian.org/983138) filed against [`ypserv`](https://tracker.debian.org/pkg/ypserv).
+    * [#983142](https://bugs.debian.org/983142) filed against [`circlator`](https://tracker.debian.org/pkg/circlator).
+    * [#983147](https://bugs.debian.org/983147) filed against [`armagetronad`](https://tracker.debian.org/pkg/armagetronad).
+    * [#983148](https://bugs.debian.org/983148) filed against [`wxmaxima`](https://tracker.debian.org/pkg/wxmaxima).
+    * [#983202](https://bugs.debian.org/983202) filed against [`time`](https://tracker.debian.org/pkg/time).
+    * [#983208](https://bugs.debian.org/983208) & [#983209](https://bugs.debian.org/983209) filed against [`lynx`](https://tracker.debian.org/pkg/lynx).
+    * [#983302](https://bugs.debian.org/983302) & [#983303](https://bugs.debian.org/983303) filed against [`imagemagick`](https://tracker.debian.org/pkg/imagemagick).
+    * [#983584](https://bugs.debian.org/983584) filed against [`paraview`](https://tracker.debian.org/pkg/paraview).
+    * [#983588](https://bugs.debian.org/983588) filed against [`xmlgraphics-commons`](https://tracker.debian.org/pkg/xmlgraphics-commons).
+
+### Testing framework
+
+[![]({{ "/images/reports/2021-02/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a [Jenkins](https://jenkins.io/)-based testing framework that powers [`tests.reproducible-builds.org`](https://tests.reproducible-builds.org). This month, the following changes were made:
+
+* Frédéric Pierret ([Qubes-OS](https://www.qubes-os.org/)):
+
+    * Add a new `buildinfos_suites` job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4750f260)]
+    * Adjust the `ARCHES` and per-suite list for our new job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/82e34937)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7020347f)]
+
+* Holger Levsen:
+
+    * Switch the `ionos7` host to Debian *bullseye* [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9ca30125)] and update the [PostgreSQL](https://www.postgresql.org/)-related packages for a `.buildinfo`-related service hosted on Debian *bullseye* too [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8fdfbdf3)].
+    * Improve the `deploy_jdn` script, adding support for short options [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/01a5042d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/27374dcc)], conditional deployment [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c26ea9f7)] and some general code improvements [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/23a9bcd2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b108293d)].
+    * Fix failed networking and "`pbuilder_create` scope" issues in the node health check system. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ac45dd4c)]
+    * Move more IRC notifications to the `#reproducible-changes` channel [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ce6caae6)] and be verbose about sleeping time. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d8c3c736)]
+
+    * Package rebuilder prototype:
+
+        * Drop a reference and workaround to Debian bug related to signed `.buildinfo` files ([#955050](https://bugs.debian.org/955050)) as it has been fixed upstream. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2202e4ab)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d452797d)]
+        * Remove a workaround that was previously needed for the version of [`sbuild`](https://tracker.debian.org/pkg/sbuild) in Debian *buster*. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/190416c6)]
+        * Use `debrebuild --builder=sbuild` to better mimic the behaviour of the [official Debian build servers](https://buildd.debian.org/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/62524892)]
+        * Make some miscellaneous code improvements. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/24bb6a1a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9e4ebffc)]
+
+Lastly, build node maintenance was performed by Holger Levsen [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/beecf594)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3ef2405)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/87f84a05)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7d410b25)], Mattia Rizzolo [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f24efd32)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6e0a1fc6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/342d19d7)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6c4e167f)] and Vagrant Cascadian [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/34886eb4)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/90940d17)].
+
+### Other development news
+
+[On our website this month]({{ "/" | relative_url }}), Holger Levsen added a public [`reproducible-builds-developers-keys.asc`](https://reproducible-builds.org/reproducible-builds-developers-keys.asc) file which contains the GPG keys used by some Reproducible Builds developers [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/140de8d)] and Joshua Watt added a link to [Yocto Project](https://www.yoctoproject.org/)'s reproducible builds summary. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3e5c7b0)]
 
+[*strip-nondeterminism*](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from a completed build. This month, Chris Lamb [uploaded version `1.11.0-1` to Debian unstable](https://tracker.debian.org/news/1228381/accepted-strip-nondeterminism-1110-1-source-into-unstable/), notably to include a contribution from Helmut Grohne in order to normalise `PO-Revision-Date` fields (in addition to `POT-Creation-Date`) in [GNU *gettext*](https://www.gnu.org/software/gettext/) translation ifiles ([#981895](https://bugs.debian.org/981895)).
 
-* Drew DeVault wrote a blog post [How to make your downstream users happy](https://drewdevault.com/2021/02/09/How-to-make-your-downstreams-happy.html) which among other things pointed out SOURCE_DATE_EPOCH.
+In a thread on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general) which was started to discuss potential ideas for [Outreachy](https://www.outreachy.org/), Chris Lamb mentioned that he had been working on a proof-of-concept for a tool to automatically classify issues from the output of [diffoscope](https://diffoscope.org) and has [added it to the `reproducible-notes.git` repository](https://salsa.debian.org/reproducible-builds/reproducible-notes/-/blob/master/bin/auto-classify). [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2021-February/thread.html#2193)]
 
+[*reprotest*](https://tracker.debian.org/pkg/reprotest) is the Reproducible Build's project end-user tool to build same source code twice in widely differing environments, checking the binaries produced by the builds for any differences. This month, Frédéric Pierret made a number of changes to its RPM spec file [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/fca02bb)][[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/4ac84ed)] and improved the testsuite in a handful of ways [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/6a51832)][[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/0c17de7)]. Vagrant Cascadian then updated the version in [GNU Guix](https://guix.gnu.org/). [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8692f0e73b200638fd8bd01fecad068903cfa77a)]
 
-* [FIXME](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+In a thread started to discuss potential ideas for [Outreachy](https://www.outreachy.org/), Chris Lamb mentioned he had been working on a proof-of-concept for a tool to automatically classify issues from the output of [*diffoscope*](https://diffoscope.org) and has thus [added it to the `reproducible-notes.git` Git repository](https://salsa.debian.org/reproducible-builds/reproducible-notes/-/blob/master/bin/auto-classify). [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2021-February/thread.html#2193)]
 
-* [982851 https://github.com/rwesson/mocassin/pull/13](forwarded)
+<br>
+<br>
 
-* FIXME: metasnap.d.n is described in [Misc Developer News (#54)](https://lists.debian.org/debian-devel-announce/2021/02/msg00005.html) as
-	 Tools like debrebuild or debbisect need to know which snapshot.d.o
-	 timestamp to use to obtain a certain package or set of packages. The new
-	 metasnap service provides this information in a machine readable
-	 format. It allows one to retrieve a list of all existing snapshot.d.o
-	 timestamps, find out which version a package had at a certain timestamp,
-	 which timestamp and suite referenced a certain package or which minimal
-	 set of timestamps contains a given set of packages. The `first_seen`
-	 attribute of the snapshot.d.o API is insufficient to provide this
-	 functionality because it lists when a file was first seen in the pool
-	 directory. This does not allow to find out the suite that referenced a
-	 package and breaks down in situations where a file was in the pool
-	 directory but not referenced by any Packages file or where a package with
-	 the same version and architecture existed in a suite in multiple
-	 intervals. The service website metasnap.debian.net[8] contains more
-	 information, allows one to download the full sqlite database containing
-	 the version information, explains all the possible queries and provides a
-	 javascript driven demo of the API that shows how to use the service to
-	 find out a set of snapshot.d.o timestamps that is needed to provide all
-	 packages from a buildinfo file. You can also try out the latter
-	 functionality by running this command:
-	
-	 curl -F 'buildinfo=<foo.buildinfo' https://metasnap.debian.net/cgi-bin/api
+[![]({{ "/images/reports/2021-02/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/3A6DKFPDDRLPZBEUSHD234RHHQ77AZCH/)
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
-* [FIXME: Holger suggested to create a partial mirror of snapshot.debian.org, which is needed to rebuild Debian bullseye/amd64 to work around problems with the wide adoption of snapshot.debian.org](https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20210222/012913.html).
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
-* Marek Marczykowski-Górecki published a blog post about Qubes-OS development titled [FIXME: Improvements in testing and building: GitLab CI and reproducible builds](https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/).
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
 
-* For the [GNU Guix](https://guix.gnu.org/) distribution, Vagrant Cascadian updated *diffoscope* to versions 165 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=b6ad414f4725b96cf799d74bbc11d5dcbb44c75b)], 166, [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f813750a4aa07797e0120babdd5efbe17f1d3911)], and 167 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=90ccb46a5534a031a6a6d994fd9b7ee2b5ccbf84)].
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
-* For the [GNU Guix](https://guix.gnu.org/) distribution, Vagrant Cascadian updated *reprotest* to version 0.7.16 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8692f0e73b200638fd8bd01fecad068903cfa77a)].
+ * Reddit: [/r/ReproducibleBuilds](https://reddit.com/r/reproduciblebuilds)
 
-* For the [GNU Guix](https://guix.gnu.org/) distribution, Vagrant Cascadian updated *disorderfs* to version 0.5.11 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=599c641402a7bd8a8ca7e7cb7f6bf9e305e6a691)].
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
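Review bot: The auto-classify paragraph is added twice in this hunk, once after the strip-nondeterminism paragraph ("In a thread on our mailing list which was started to discuss potential ideas for Outreachy...") and again after the reprotest paragraph ("In a thread started to discuss potential ideas for Outreachy..."), with both copies linking to the same `bin/auto-classify` file and the same rb-general thread; keep only one. In the same pass, "translation ifiles" in the strip-nondeterminism paragraph should read "translation files", "the Reproducible Build's project end-user tool to build same source code twice" needs its possessive and article fixed, and the "However," before "you can get in touch with us via:" does not contrast with anything in the sentence before it.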


=====================================
images/reports/2021-02/birsan.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/birsan.png differ


=====================================
images/reports/2021-02/bootstrappable-builds.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/bootstrappable-builds.png differ


=====================================
images/reports/2021-02/debian.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/debian.png differ


=====================================
images/reports/2021-02/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   version="1.1"
+   width="128"
+   height="128"
+   id="svg2">
+  <defs
+     id="defs4" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+     id="layer1">
+    <g
+       id="g5409">
+      <g
+         transform="translate(5.418238,0)"
+         id="g5386">
+        <rect
+           width="90.304001"
+           height="50.999996"
+           x="316.36414"
+           y="472.80621"
+           id="rect4667-3"
+           style="fill:none;stroke:none" />
+        <g
+           id="text4673-8"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5371"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5373"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5375"
+             style="fill:#c00000;fill-opacity:1" />
+        </g>
+        <g
+           id="text5366"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5378" />
+          <path
+             d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5380" />
+          <path
+             d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5382" />
+        </g>
+      </g>
+      <use
+         id="use5399"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+         id="use5401"
+         style="opacity:0.85"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+         id="use5403"
+         style="opacity:0.7"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+         id="use5405"
+         style="opacity:0.55"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+    </g>
+  </g>
+</svg>
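Review bot: The new diffoscope.svg carries editor leftovers that could be dropped before it goes in: the `<metadata>` block has an empty `<dc:title></dc:title>`, the groups `text4673-8` and `text5366` keep a full text style (`font-family:Inconsolata`, `letter-spacing`, `writing-mode`) although they contain only `<path>` elements, and every `<use>` repeats `width="744.09448"` and `height="1052.3622"` while referencing the plain group `#g5386`. Stripping these by hand or with an SVG optimiser would shrink the file; if the metadata is kept, fill in the title.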


=====================================
images/reports/2021-02/gnu-mes-talk.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/gnu-mes-talk.png differ


=====================================
images/reports/2021-02/intoto.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/intoto.png differ


=====================================
images/reports/2021-02/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/opensuse.png differ


=====================================
images/reports/2021-02/outreachy.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/outreachy.png differ


=====================================
images/reports/2021-02/qubes.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/qubes.png differ


=====================================
images/reports/2021-02/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/reproducible-builds.png differ


=====================================
images/reports/2021-02/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2021-02/testframework.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/ef199e079078a75c36a571c8234b04464e929a3c...f8e495d54a82035d06ea5b0ff347ccc1e7cd001a
