[Git][reproducible-builds/reproducible-website][master] 3 commits: Trivial changes to previous reports.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Nov 4 15:57:01 UTC 2021
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
e6c1ab60 by Chris Lamb at 2021-11-04T10:30:40+00:00
Trivial changes to previous reports.
- - - - -
e6b36ccf by Chris Lamb at 2021-11-04T15:50:20+00:00
2021-10: Initial draft
- - - - -
46855055 by Chris Lamb at 2021-11-04T15:54:09+00:00
Merge branch '2021-10'
* 2021-10:
2021-10: Initial draft
Trivial changes to previous reports.
- - - - -
14 changed files:
- _reports/2021-08.md
- _reports/2021-09.md
- _reports/2021-10.md
- + images/reports/2021-10/cip.png
- + images/reports/2021-10/codethink.png
- + images/reports/2021-10/debian.png
- + images/reports/2021-10/diffoscope.svg
- + images/reports/2021-10/ircmeeting.png
- + images/reports/2021-10/openssf.png
- + images/reports/2021-10/opensuse.png
- + images/reports/2021-10/packagingcon.png
- + images/reports/2021-10/qubes.png
- + images/reports/2021-10/reproducible-builds.png
- + images/reports/2021-10/website.png
Changes:
=====================================
_reports/2021-08.md
=====================================
@@ -39,7 +39,7 @@ As reported in our [May report]({{ "/reports/2021-05/" | relative_url }}), the p
[![]({{ "/images/reports/2021-08/ircmeeting.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002351.html)
-Lastly, We ran another productive meeting on IRC in August ([original announcement](https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002351.html)) which ran for just short of two hours. A [full set of notes](http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-08-31-14.59.html) from the meeting is available.
+Lastly, we ran another productive meeting on IRC in August ([original announcement](https://lists.reproducible-builds.org/pipermail/rb-general/2021-August/002351.html)) which ran for just short of two hours. A [full set of notes](http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-08-31-14.59.html) from the meeting is available.
<br>
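Review bot: The meeting-notes link on the changed line still uses plain `http://` (meetbot.debian.net) while the announcement link next to it uses `https://`. If the host serves HTTPS, switch the scheme in this same edit, since the line is already being touched for the capitalisation fix.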
=====================================
_reports/2021-09.md
=====================================
@@ -41,7 +41,7 @@ There was an interesting thread in the [/r/Signal](https://www.reddit.com/r/sign
### Distribution work
-Frédéric Pierret [announceda new testing service](https://lists.reproducible-builds.org/pipermail/rb-general/2021-September/002386.html) at [**beta.tests.reproducible-builds.org**](https://beta.tests.reproducible-builds.org/), showing actual rebuilds of binaries distributed by both the Debian and Qubes distributions.
+Frédéric Pierret [announced a new testing service](https://lists.reproducible-builds.org/pipermail/rb-general/2021-September/002386.html) at [**beta.tests.reproducible-builds.org**](https://beta.tests.reproducible-builds.org/), showing actual rebuilds of binaries distributed by both the Debian and Qubes distributions.
[![]({{ "/images/reports/2021-09/debian.png#right" | relative_url }})](https://debian.org/)
=====================================
_reports/2021-10.md
=====================================
@@ -6,53 +6,263 @@ title: "Reproducible Builds in October 2021"
draft: true
---
-* [FIXME](https://www.openwall.com/lists/oss-security/2021/10/03/1)
+[![]({{ "/images/reports/2021-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
-* [FIXME](https://www.codethink.co.uk/articles/2021/codethink-safety-certificate-exida/)
+**Welcome to the October 2021 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+{: .lead}
-* [FIXME](https://github.com/ravinet/mahimahi/pull/147) followup to https://bugs.debian.org/977684
+<br>
-* [FIXME](http://bugs.debian.org/901307)
+This month Samanta Navarro posted to the `oss-security` security mailing on a novel category of exploit in the `.tar` archive format, where a [single `.tar` file contains *different contents depending on the tar utility being used*](https://www.openwall.com/lists/oss-security/2021/10/03/1). Naturally, this has consequences for reproducible builds as Samanta goes onto reply:
-* FIXME: SolarWinds presented at Supply Chain Security Con on Oct 11 about using in-toto in their build system. They also talk about doing everything twice, once in an isolated environment, to validate the first build ala reproducible builds. Here's the presentation from this talk: https://static.sched.com/hosted_files/supplychainsecurityconna21/df/SupplyChainCon-TrevorRosen-Keynote.pdf
+> Arch Linux uses libarchive (bsdtar) in its build environment. The default tar
+> program installed is GNU tar. It is possible to create a source distribution
+> which leads to different files seen by the build environment than compared to
+> a careful reviewer and other Linux distributions.
-* FIXME: Wolfgang Mauerer gave a presentation at the MiniDebConf 2021 Regensburg about the Civil Infrastructure Plattform, covering many subjects including Reproducible Builds. https://meetings-archive.debian.net/pub/debian-meetings/2021/MiniDebConf-Regensburg/civil-infrastructure-platform.webm
+Samanta notes that addressing the tar utilities themselves will not be a
+sufficient fix:
-* Bernhard M. Wiedemann
- * [`libsoup2`](https://build.opensuse.org/request/show/922724) (FTBFS-2027)
- * [`ipxe`](https://build.opensuse.org/request/show/922815) (version upgrade with various prior rb-fixes)
- * [`gtk4`](https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/4077) (merged, drop date)
- * [`pari`](https://bugzilla.opensuse.org/show_bug.cgi?id=1192192) (bug, parallelism)
+> I have submitted bug reports and patches to some projects but eventually I
+> had to conclude that the problem itself cannot be fixed by these
+> implementations alone. The best choice for these tools would be to only allow
+> archives which are fully compatible to standards but this in turn would
+> render a lot of archives broken.
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/OEMW25GJTNDVFIHARTBEJLEMWEKUV56F/)
+Reproducible builds, with its twin ideas of reaching consensus on the build outputs as well as precisely recording and describing the build environment, would can help address this problem at a higher level.
-* FIXME [Remove build paths from ffmpeg](https://ffmpeg.org/pipermail/ffmpeg-devel/2021-October/287098.html) [orignally submitted to Debian](https://bugs.debian.org/985187)
+<br>
-* [FIXME](https://lwn.net/Articles/873255/)
+[![]({{ "/images/reports/2021-10/codethink.png#right" | relative_url }})](https://www.codethink.co.uk/)
-* [forwarded 996948](https://github.com/sphinx-doc/sphinx/pull/9755)
+[Codethink](https://www.codethink.co.uk/) announced that they had [achieved ISO-26262 ASIL D Tool Certification](https://www.codethink.co.uk/articles/2021/codethink-safety-certificate-exida/), a way of determining specific safety standards for software. Codethink used open source tooling to achieve this, but they also leverage:
-* FIXME: announce new host & service (in setup), snapshot.r-b.o
- thanks to OSUOSL for the machine and hosting
- thanks to Debian for the discs
- thanks to Frederic for writing the service and housing the source mirror
- (thanks to Holger for fixing this FIXME eventually (aka, ping me) and for setting up the server)
+> Reproducibility, repeatability and traceability of builds, drawing heavily on best-practices championed by the Reproducible Builds project.
-* FIXME: Microsoft are now comparing NPM packages with their source repos: https://news.ycombinator.com/item?id=28966022
+<br>
-* [FIXME](https://pretalx.com/packagingcon-2021/schedule/)
+Elsewhere on the internet, [according to a comment on Hacker News](https://news.ycombinator.com/item?id=28966022), Microsoft are now comparing [NPM](https://www.npmjs.com/) Javascript packages with their original source repositories:
-* [FIXME](https://github.com/sphinx-doc/sphinx/issues/9778)
+> I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source.
-* FIXME: reproducible-builds.org general monthly irc meeting: http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-10-26-14.59.html
+<br>
-* [FIXME](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998059)
+Lastly, Martin Monperrus [started an interesting thread on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002412.html) about Github, specifically that their "autogenerated release tarballs are not deterministic". The thread [generated a significant number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/thread.html#2412) that are worth reading.
-* [FIXME](https://openssf.org/blog/2021/10/25/openssf-quarterly-town-hall-announcement/)
+### Events and presentations
-* [FIXME](https://twitter.com/theopenssf/status/1454160177087795204)
+[![]({{ "/images/reports/2021-10/packagingcon.png#right" | relative_url }})](https://packaging-con.org/)
-* Vagrant Cascadian [updated to reprotest 0.7.18](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=fb3b26b2ab73a2f0da4a3f3ae6e00ce098f9e610) and [diffoscope 188](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=af4ce7bd413c3a50733bfcc05370903a1e3808bc)
-and
-[189](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52ab88a5aae15f031ba5046a2997b04aabbf188a)
-in [GNU Guix](https://www.gnu.org/software/guix/).
+* [PackagingCon](https://packaging-con.org/) is a conference for developers of package management software, their communities and other stakeholders. This virtual event, which will take place on the **9th and 10th November 2021**, has a "mission is to bring different ecosystems together". The [schedule for the event](https://pretalx.com/packagingcon-2021/schedule/) is now available to view online.
+
+* The Linux Foundation's [OpenSSF](https://openssf.org/) group announced that the next [OpenSSF quarterly town hall](https://openssf.org/townhalls/) will [take place on **15th November 2021**](https://openssf.org/blog/2021/10/25/openssf-quarterly-town-hall-announcement/). Registration is now open.
+
+[![]({{ "/images/reports/2021-10/cip.png#right" | relative_url }})](https://cip-project.org/)
+
+* Last month, Wolfgang Mauerer gave a presentation at the [MiniDebConf 2021 Regensburg](https://wiki.debian.org/DebianEvents/de/2021/MiniDebConfRegensburg//) about the [Civil Infrastructure Platform](https://www.cip-project.org/) that covered many subjects including Reproducible Builds. [PDF slides](https://salsa.debian.org/debconf-team/public/mini/de2020/-/raw/master/talks/Civil-Infrastructure-Platform.pdf) of the talk are available, as is a [video recording](https://meetings-archive.debian.net/pub/debian-meetings/2021/MiniDebConf-Regensburg/civil-infrastructure-platform.webm).
+
+* In addition, Trevor Rosen from [SolarWinds](https://www.solarwinds.com/) presented at the Linux Foundation's [Supply Chain Security Con](https://events.linuxfoundation.org/supplychainsecuritycon-north-america/) last month on incorporating [*in-toto*](https://in-toto.io/) into their build system. *in-toto* a framework to secure the integrity of software supply chains. Trevor also discusses building everything twice to validate the first build à la reproducible builds. ([PDF slides](https://static.sched.com/hosted_files/supplychainsecurityconna21/df/SupplyChainCon-TrevorRosen-Keynote.pdf))
+
+* Lastly, Mattia Rizzolo posted an update on the [next Reproducible Builds in-person event](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002404.html) to our mailing list: "currently we are thinking ahead to 2022".
+
+### Community news
+
+On our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Jeremiah [announced the release](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002392.html) of version 1.4 of [`stage0-posix`](https://github.com/oriansj/stage0-posix), part of a broader effort to provide an ultra-minimal "bootstrap seed" to increase trust in our software stack.
+
+* Chris Lamb mentioned that [Azure are offering free compute power for open source projects](https://opensource.microsoft.com/azure-credits) which "might be useful for one of the many rebuilder projects".
+
+* *kpcyrd* announced the [release of *rebuilderd* v0.15.0](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002401.html), but also linked to a [Twitter thread that contains intro on how *rebuilderd* works](https://twitter.com/kpcyrd/status/1450091461714776069) and a walk-through on how to write custom integrations.
+
+* Fredrik Strömberg [offered an update](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002400.html) on the [*Sigsum*](https://www.sigsum.org/) project and some specific milestones within transparency logging efforts: "after a year of design iterations we have not only designed a transparency log but also decided to turn it into a project of its own".
+
+<br>
+
+[![]({{ "/images/reports/2021-10/website.png#right" | relative_url }})](https://reproducible-builds.org/)
+
+There were quite a few changes to the [Reproducible Builds website and documentation](https://reproducible-builds.org/) this month as well, including Feng Chai fixing updating some links on our 'publications' page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1a62a4e)] and *marco* updated our project metadata around the [Bitcoin Core building guide](https://github.com/bitcoin/bitcoin/blob/master/contrib/guix/README.md) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0f6cacd)].
+
+<br>
+
+Lastly, we ran another productive meeting on IRC during October. A [full set of notes](http://meetbot.debian.net/reproducible-builds/2021/reproducible-builds.2021-10-26-14.59.html) from the meeting is available to view..
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2021-10/qubes.png#right" | relative_url }})](https://lwn.net/Articles/873255/)
+
+Qubes was [heavily featured in the latest edition of Linux Weekly News](https://lwn.net/Articles/873255/), and a significant section was dedicated to discussing reproducibility. For example, it was mentioned that the "Qubes project has been working on [incorporating](https://www.qubes-os.org/news/2021/02/28/improvements-in-testing-and-building/) reproducible builds into its continuous integration (CI) infrastructure". But the LWN article goes onto describe that:
+
+> The [current goal](https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/) is to be able to build the Qubes OS Debian templates solely from packages that can be built reproducibly. [Templates](https://www.qubes-os.org/doc/templates/) in Qubes OS are VM images that can be used to start an application qube quickly based on the template. The qube will have read-only access to the root filesystem of the template, so that the same root filesystem can be shared with multiple application qubes. There are official templates for several variants of both Fedora and Debian, as well as community maintained templates for several other distributions.
+
+You can [view the whole article on LWN](https://lwn.net/Articles/873255/), and Frédéric also published a [lengthy summary about their work on reproducible builds in Qubes](https://www.qubes-os.org/news/2021/10/08/reproducible-builds-for-debian-a-big-step-forward/) as well for those wishing to learn more.
+
+<br>
+
+[![]({{ "/images/reports/2021-10/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, 133 reviews of Debian packages were added, 81 were updated and 24 were removed this month, adding to [Debian's ever-growing knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issues were categorised and added by Chris Lamb and Vagrant Cascadian too [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cb37fe47)][[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/d67824a0)][[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/58a76f9c)]. In addition, work on alternative snapshot service has been progressed by Frédéric Pierret and Holger Levsen this month, including moving from the existing host (*snapshot.notset.fr*) to *snapshot.reproducible-builds.org* ([more info](https://lists.reproducible-builds.org/pipermail/rb-general/2021-October/002428.html)) — thanks to [OSUOSL](https://osuosl.org/) for the machine and hosting and Debian for the disks.
+
+<br>
+
+Finally, Bernhard M. Wiedemann posted his [monthly reproducible builds status report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/OEMW25GJTNDVFIHARTBEJLEMWEKUV56F/).
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2021-10/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
+
+[*diffoscope*](https://diffoscope.org) is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb made the following changes, including preparing and uploading versions 186, 187, 188 and 189 to Debian
+
+
+* New features:
+
+ * Add support for Python Sphinx inventory files (usually named `objects.inv` on-disk). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/880e81ea)]
+ * Add support for comparing `.pyc` files. Thanks to Sergei Trofimovich for the inspiration. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/83e7f903)]
+ * Try some alternative suffixes (eg. `.py`) to support distributions that strip or retain them. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e2d3abe8)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d2ac5465)]
+
+* Bug fixes:
+
+ * Fix Python decompilation tests under Python 3.10+ [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e8d5f6a8)] and for Python 3.7 [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ade8e628)].
+ * Don't raise a traceback if we cannot unmarshal Python bytecode. This is in order to support Python 3.7 failing to load `.pyc` files generated with newer versions of Python. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/286d5131)]
+ * Skip Python bytecode testing where we do not have an expected diff. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ef878eca)]
+
+* Codebase improvements:
+
+ * Use our `file_version_is_lt` utility instead of accepting both versions of uImage expected diff. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/970d21a2)]
+ * Split out a custom call to `assert_diff` for a `.startswith` equivalent. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/daf549e4)]
+ * Use `skipif` instead of manual conditionals in some tests. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/34df4921)]
+
+In addition, Jelle van der Waa added external tool references for Arch Linux for `ocamlobjinfo`, `openssl` and `ffmpeg` [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ee2fb1e9)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c0d178f5)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/52630c75)] and added Arch Linux as a Continuous Integration (CI) test target. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/da8e2a35)] and Vagrant Cascadian updated the testsuite to skip Python bytecode comparisons when `file(1)` is older than 5.39. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4f7d531d)] as well as added external tool references for the Guix distribution for `dumppdf` and `ppudump`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/34cde92c)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/744ab18b)]. Vagrant Cascadian also updated the *diffoscope* package in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=af4ce7bd413c3a50733bfcc05370903a1e3808bc)][[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=52ab88a5aae15f031ba5046a2997b04aabbf188a)].
+
+Lastly, Guangyuan Yang updated the FreeBSD package name on the website [[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/962ab69)], Mattia Rizzolo made a change to override a new Lintian warning due to the new test files [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1d6240fe)], Roland Clobus added support to detect and log if the `GNU_BUILD_ID` field in an ELF binary been modified [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4cbae2d1)], Sandro Jäckel updated a number of helpful links on the website [[...](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/d865cf3)] and Sergei Trofimovich made the uImage test output support `file(`) version 5.41 [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/74a59a8f)].
+
+
+<br>
+
+### [*reprotest*](https://tracker.debian.org/pkg/reprotest)
+
+[*reprotest*](https://tracker.debian.org/pkg/reprotest) is the Reproducible Build's project end-user tool to build same source code twice in widely differing environments, checking the binaries produced by the builds for any differences.
+
+This month, *reprotest* version `0.7.18` was [uploaded to Debian unstable](https://tracker.debian.org/news/1266892/accepted-reprotest-0718-source-into-unstable/) by Holger Levsen, which also included a change by Holger to clarify that Python 3.9 is used nowadays [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/880588d)], but it also included two changes by Vasyl Gello to implement "realistic" CPU architecture shuffling [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/15e3c65)] and to log the selected variations when the verbosity is configured at a sufficiently high level [[...](https://salsa.debian.org/reproducible-builds/reprotest/commit/a2911a6)]. Finally, Vagrant Cascadian [updated reprotest to version 0.7.18](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=fb3b26b2ab73a2f0da4a3f3ae6e00ce098f9e610) in [GNU Guix](https://www.gnu.org/software/guix/).
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix unreproducible packages. We try to send all of our patches upstream where appropriate. We authored a large number of such patches this month, including:
+
+* Bernhard M. Wiedemann:
+
+ * [`gtk4`](https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/4077) (date-related issue)
+ * [`ipxe`](https://build.opensuse.org/request/show/922815) (version upgrade)
+ * [`libsoup2`](https://build.opensuse.org/request/show/922724) (build failure in the future)
+ * [`pari`](https://bugzilla.opensuse.org/show_bug.cgi?id=1192192) (parallelism-related issue)
+
+* Chris Lamb:
+
+ * [#901307](https://bugs.debian.org/901307) filed against [`sphinx-gallery`](https://tracker.debian.org/pkg/sphinx-gallery) ([re-opened with extensive updates](https://bugs.debian.org/901307#54)).
+ * [#995809](https://bugs.debian.org/995809) filed against [`libinput`](https://tracker.debian.org/pkg/libinput).
+ * [#995865](https://bugs.debian.org/995865) filed against [`python-pipx`](https://tracker.debian.org/pkg/python-pipx).
+ * [#996200](https://bugs.debian.org/996200) filed against [`node-inquirer`](https://tracker.debian.org/pkg/node-inquirer).
+ * [#996674](https://bugs.debian.org/996674) filed against [`libminidns-java`](https://tracker.debian.org/pkg/libminidns-java).
+ * [#996834](https://bugs.debian.org/996834) filed against [`pytools`](https://tracker.debian.org/pkg/pytools).
+ * [#996881](https://bugs.debian.org/996881) filed against [`pikepdf`](https://tracker.debian.org/pkg/pikepdf).
+ * [#996948](https://bugs.debian.org/996948) filed against [`sphinx`](https://tracker.debian.org/pkg/sphinx) ([forwarded upstream](https://github.com/sphinx-doc/sphinx/pull/9755))
+ * [#996999](https://bugs.debian.org/996999) filed against [`fenics-basix`](https://tracker.debian.org/pkg/fenics-basix).
+ * [#997000](https://bugs.debian.org/997000) filed against [`snakemake`](https://tracker.debian.org/pkg/snakemake).
+ * [#997689](https://bugs.debian.org/997689) filed against [`smplayer`](https://tracker.debian.org/pkg/smplayer).
+ * [#997949](https://bugs.debian.org/997949) filed against [`python-duniterpy`](https://tracker.debian.org/pkg/python-duniterpy).
+ * [#998104](https://bugs.debian.org/998104) filed against [`afnix`](https://tracker.debian.org/pkg/afnix).
+ * [#998059](https://bugs.debian.org/998059) filed against [`sphinx`](https://tracker.debian.org/pkg/sphinx) ([forwarded upstream](https://github.com/sphinx-doc/sphinx/issues/9778)).
+
+* Vagrant Cascadian:
+
+ * [#977684](https://bugs.debian.org/977684) filed against [`mahimahi`](https://tracker.debian.org/pkg/mahimahi) ([filed upstream](https://github.com/ravinet/mahimahi/pull/147)).
+ * [#985187](https://bugs.debian.org/985187) filed against [`mplayer`](https://tracker.debian.org/pkg/mplayer) ([forwarded upstream](https://ffmpeg.org/pipermail/ffmpeg-devel/2021-October/287098.html))
+ * [#995646](https://bugs.debian.org/995646) filed against [`abntex`](https://tracker.debian.org/pkg/abntex).
+ * [#995647](https://bugs.debian.org/995647) filed against [`cfi`](https://tracker.debian.org/pkg/cfi).
+ * [#995648](https://bugs.debian.org/995648) filed against [`cffi`](https://tracker.debian.org/pkg/cffi).
+ * [#995650](https://bugs.debian.org/995650) filed against [`chktex`](https://tracker.debian.org/pkg/chktex).
+ * [#995651](https://bugs.debian.org/995651) filed against [`fdutils`](https://tracker.debian.org/pkg/fdutils).
+ * [#995652](https://bugs.debian.org/995652) filed against [`gnu-standards`](https://tracker.debian.org/pkg/gnu-standards).
+ * [#995654](https://bugs.debian.org/995654) filed against [`malaga`](https://tracker.debian.org/pkg/malaga).
+ * [#995741](https://bugs.debian.org/995741) filed against [`latex-mk`](https://tracker.debian.org/pkg/latex-mk).
+ * [#995745](https://bugs.debian.org/995745) filed against [`kannel`](https://tracker.debian.org/pkg/kannel).
+ * [#995747](https://bugs.debian.org/995747) filed against [`xnee`](https://tracker.debian.org/pkg/xnee).
+ * [#995886](https://bugs.debian.org/995886), [#995896](https://bugs.debian.org/995896), [#995953](https://bugs.debian.org/995953) & [#995954](https://bugs.debian.org/995954) filed against [`cxref`](https://tracker.debian.org/pkg/cxref).
+ * [#995960](https://bugs.debian.org/995960) filed against [`xnee`](https://tracker.debian.org/pkg/xnee).
+ * [#996184](https://bugs.debian.org/996184) filed against [`binutils-or1k-elf`](https://tracker.debian.org/pkg/binutils-or1k-elf).
+ * [#996194](https://bugs.debian.org/996194) & [#996572](https://bugs.debian.org/996572) filed against [`gcc-arm-none-eabi`](https://tracker.debian.org/pkg/gcc-arm-none-eabi).
+ * [#996599](https://bugs.debian.org/996599) filed against [`xdmf`](https://tracker.debian.org/pkg/xdmf).
+ * [#996679](https://bugs.debian.org/996679) filed against [`flightgear`](https://tracker.debian.org/pkg/flightgear).
+ * [#997036](https://bugs.debian.org/997036) & [#997037](https://bugs.debian.org/997037) filed against [`kvirc`](https://tracker.debian.org/pkg/kvirc).
+
+<br>
+
+### Testing framework
+
+[![]({{ "/images/reports/2021-09/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project runs a testing framework at [tests.reproducible-builds.org](https://tests.reproducible-builds.org), to check packages and other artifacts for reproducibility. This month, the following changes were made:
+
+* Holger Levsen:
+
+ * [Debian](https://debian.org)-related changes:
+
+ * Incorporate a fix from *bremner* into '`builtin-pho`' related to binary-NMUs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cfe68cba)]
+ * Keep *bullseye* environments around longe, in an attempt to fix a Jenkins issue. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/878ada14)]
+ * Improve the documentation of `buildinfos.debian.net`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ef18fb87)]
+ * Improve documentation for the '`builtin-pho`' setup. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fc01549e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ec2f1754)]
+
+ * [OpenWrt](https://openwrt.org)-related changes:
+
+ * Also use -j1 for better debugging. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d0853ec4)]
+ * Document that that Python 3.x is now used. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c0ffc4ad)]
+ * Enable further debugging for the toolchain build. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/985e6231)]
+
+ * New `snapshot.reproducible-builds.org` service:
+
+ * Actually add new node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c2344063)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2c6e55af)]
+ * Install `xfsprogs` on `snapshot.reproducible-builds.org`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/cd334d27)]
+ * Create account for `fpierret` on new node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/50e16fb9)]
+ * Run `node_health_check` job on new node too. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2045b027)]
+
+* Mattia Rizzolo:
+
+ * [Debian](https://debian.org)-related changes:
+
+ * Handle schroot errors when invoking *diffoscope* instead of masking them. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9b0620f6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f831f1a1)]
+ * Declare and define some variables separately to avoid masking the subshell return code. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/532d3a0b)]
+ * Fix variable name. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/97e76c98)]
+ * Improve log reporting. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/299ab336)]
+ * Execute `apt-get update` with the `-q` argument to get more decent logs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9b13cfd5)]
+ * Set the Debian HTTP mirror and proxy for `snapshot.reproducible-builds.org`. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9dea33de)]
+ * Install the `libarchive-tools` package (instead of `bsdtar`) when updating Jenkins nodes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/180cb3de)]
+
+ * Be stricter about errors when starting the node agent [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/131eb841)] and don't overwrite NODE\_NAME so that we can expect Jenkins to properly set for us [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2af6c39e)].
+ * Explicitly warn if the `NODE_NAME` is not a fully-qualified domain name (FQDN). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2828b20f)]
+ * Document whether a node runs in the future. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/66a44b4f)]
+ * Disable `postgresql_autodoc` as it not available in bullseye. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ed92df9b)]
+ * Don't be so eager when deleting schroot internals, call to schroot -e to terminate the schroots instead. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ab993ac3)]
+ * Only consider schroot underlays for deletion that are over a month old. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3537b671)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b30138a6)]
+ * Only try to unmount `/proc` if it's actually mounted. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fa802be1)]
+ * Move the `db_backup` task to its own Jenkins job. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/02fccbf3)]
+
+Lastly, Vasyl Gello added usage information to the `reproducible_build.sh` script [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/54c427b5)].
+
+<br>
+
+### Contributing
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+>>>>>>> 2021-10
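Review bot: the last added line of this hunk, `>>>>>>> 2021-10`, is a leftover merge conflict marker and will be rendered in the published report. Remove it, and check the rest of `_reports/2021-10.md` for matching `<<<<<<<` and `=======` markers so that only one side of the merge remains. Smaller points in the same hunk: "as it not available in bullseye" is missing "is"; `NODE\_NAME` in the node agent bullet should be in backticks like the bullet after it; `schroot -e` is not code-formatted; and "However, you can get in touch with us via" under Contributing does not follow from the sentence before it.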
=====================================
images/reports/2021-10/cip.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/cip.png differ
=====================================
images/reports/2021-10/codethink.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/codethink.png differ
=====================================
images/reports/2021-10/debian.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/debian.png differ
=====================================
images/reports/2021-10/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ version="1.1"
+ width="128"
+ height="128"
+ id="svg2">
+ <defs
+ id="defs4" />
+ <metadata
+ id="metadata7">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+ id="layer1">
+ <g
+ id="g5409">
+ <g
+ transform="translate(5.418238,0)"
+ id="g5386">
+ <rect
+ width="90.304001"
+ height="50.999996"
+ x="316.36414"
+ y="472.80621"
+ id="rect4667-3"
+ style="fill:none;stroke:none" />
+ <g
+ id="text4673-8"
+ style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+ <path
+ d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5371"
+ style="fill:#c00000;fill-opacity:1" />
+ <path
+ d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5373"
+ style="fill:#c00000;fill-opacity:1" />
+ <path
+ d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+ id="path5375"
+ style="fill:#c00000;fill-opacity:1" />
+ </g>
+ <g
+ id="text5366"
+ style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+ <path
+ d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5378" />
+ <path
+ d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5380" />
+ <path
+ d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+ id="path5382" />
+ </g>
+ </g>
+ <use
+ id="use5399"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+ id="use5401"
+ style="opacity:0.85"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+ id="use5403"
+ style="opacity:0.7"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ <use
+ transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+ id="use5405"
+ style="opacity:0.55"
+ x="0"
+ y="0"
+ width="744.09448"
+ height="1052.3622"
+ xlink:href="#g5386" />
+ </g>
+ </g>
+</svg>
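Review bot: the root `<svg>` element sets a fixed `width="128"` and `height="128"` but no `viewBox`, so the drawing will not scale if the page renders the image at any other size. Adding `viewBox="0 0 128 128"` fixes that. The file would also benefit from a cleanup pass before commit: `<dc:title>` is empty, `<defs id="defs4" />` is empty, and the `text4673-8` and `text5366` groups carry font properties (`font-family:Inconsolata` and so on) that have no effect on their `<path>` children.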
=====================================
images/reports/2021-10/ircmeeting.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/ircmeeting.png differ
=====================================
images/reports/2021-10/openssf.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/openssf.png differ
=====================================
images/reports/2021-10/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/opensuse.png differ
=====================================
images/reports/2021-10/packagingcon.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/packagingcon.png differ
=====================================
images/reports/2021-10/qubes.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/qubes.png differ
=====================================
images/reports/2021-10/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/reproducible-builds.png differ
=====================================
images/reports/2021-10/website.png
=====================================
Binary files /dev/null and b/images/reports/2021-10/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/b9c905e732af2ab18923f78211aa9b48dea06611...468550550b9c431f057e81963988c7bb242dc7f2