[Git][reproducible-builds/reproducible-website][master] 2022-11: fix typos & grammar, reword a few things
FC Stegerman (@obfusk)
gitlab at salsa.debian.org
Wed Dec 7 00:31:11 UTC 2022
FC Stegerman pushed to branch master at Reproducible Builds / reproducible-website
Commits:
5080f8ae by FC Stegerman at 2022-12-07T01:30:09+01:00
2022-11: fix typos & grammar, reword a few things
- - - - -
1 changed file:
- _reports/2022-11.md
Changes:
=====================================
_reports/2022-11.md
=====================================
@@ -46,13 +46,13 @@ This article is an interview-based study which focuses on the adoption and uses
This is achieved through interviews with software practitioners and business managers, and touches on both the business and technical reasons supporting the adoption (or not) of Reproducible Builds. The article also begins with an excellent explanation and literature review, and even introduces a new helpful analogy for reproducible builds:
-> [Users are] able to perform a bitwise comparison of the two binaries to verify that they are identical and that the distributed binary is indeed built from the source code in the way the provider claims. Applied in this manner, R-Bs **function as a canary**, a mechanism that indicates when something might be wrong, and offer an improvement in security over running unverifed binaries on computer systems.
+> [Users are] able to perform a bitwise comparison of the two binaries to verify that they are identical and that the distributed binary is indeed built from the source code in the way the provider claims. Applied in this manner, R-Bs **function as a canary**, a mechanism that indicates when something might be wrong, and offer an improvement in security over running unverified binaries on computer systems.
The [full paper](https://link.springer.com/article/10.1007/s11219-022-09607-z) is available to download on an '[open access](https://en.wikipedia.org/wiki/Open_access)' basis.
[![]({{ "/images/reports/2022-11/integrity-paper.png#right" | relative_url }})](https://arxiv.org/pdf/2211.06249.pdf)
-Elsewhere in academia, Beatriz Reichert and Rafael Obelheiro1 have published a paper proposing a systematic threat model for a generic software development pipeline identifying possible mitigations for each threat ([PDF](https://arxiv.org/pdf/2211.06249.pdf). Under the *Tampering* rubric of their paper, various attacks against Continuous Integration (CI) processes:
+Elsewhere in academia, Beatriz Michelson Reichert and Rafael R. Obelheiro have published a paper proposing a systematic threat model for a generic software development pipeline identifying possible mitigations for each threat ([PDF](https://arxiv.org/pdf/2211.06249.pdf)). Under the *Tampering* rubric of their paper, various attacks against Continuous Integration (CI) processes:
> An attacker may insert a backdoor into a CI or build tool and thus introduce vulnerabilities into the software (resulting in an improper build). To avoid this threat, it is the developer’s responsibility to take due care when making use of third-party build tools. Tampered compilers can be mitigated using diversity, as in the diverse double compiling (DDC) technique. **Reproducible builds, a recent research topic, can also provide mitigation for this problem.** ([PDF](https://arxiv.org/pdf/2211.06249.pdf))
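Review bot: the sentence that introduces this quote, "Under the *Tampering* rubric of their paper, various attacks against Continuous Integration (CI) processes:", still has no main verb after the rewording; suggest "Under the *Tampering* rubric of their paper, they describe various attacks against Continuous Integration (CI) processes:". The expanded author names on the `+` line should match the byline of the linked arXiv PDF. The added closing parenthesis and the "unverified" fix look correct.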
@@ -66,11 +66,11 @@ Elsewhere in academia, Beatriz Reichert and Rafael Obelheiro1 have published a p
* In the [.NET framework ecosystem](https://en.wikipedia.org/wiki/.NET), a wiki page for the [Roslyn .NET C# and Visual Basic compiler](https://learn.microsoft.com/en-gb/dotnet/csharp/roslyn-sdk/) was uncovered this month that [details its attempts to ensure end-to-end reproducible builds](https://github.com/dotnet/roslyn/blob/main/docs/compilers/Deterministic%20Inputs.md) by focusing on the definition on what are 'considered inputs to the compiler for the purpose of determinism'. This is a spiritual followup to a 2016 blog post by Microsoft developer [Jared Parsons](https://blog.paranoidcoding.com/) on '[Deterministic builds in Roslyn](https://blog.paranoidcoding.com/2016/04/05/deterministic-builds-in-roslyn.html)' which starts: 'It seems silly to celebrate features which should have been there from the start.'
-* [Ian Lance Taylor followed up to a old post](https://gcc.gnu.org/pipermail/gcc-patches/2022-November/606205.html) to report that a Jakub Jelinek's patch from September 2000 to remark that the patch is incomplete.
+* [Ian Lance Taylor followed up an old post](https://gcc.gnu.org/pipermail/gcc-patches/2022-November/606205.html) to report that Jakub Jelinek's patch from September 2000 is incomplete.
[![]({{ "/images/reports/2022-11/fdroid.png#right" | relative_url }})](https://f-droid.org/)
-* In [F-Droid](https://f-droid.org/) this month, Reproducible Builds contributor FC Stegerman created a [set of 'reproducible APK tools'](https://github.com/obfusk/reproducible-apk-tools) as a workaround to an [issue where files in APKs built on MacOS are disordered](https://gitlab.com/fdroid/fdroiddata/-/issues/2816#note_1179533719). In addition, a new issue was created to document [the overview of apps using reproducible builds](https://gitlab.com/fdroid/fdroiddata/-/issues/2844) and FC Stegerman released *apksigcopier* version 1.1.0 which [adds support for APKs signed by 'Gradle' or 'Signflinger'](https://github.com/obfusk/apksigcopier#what-about-apks-signed-by-gradlezipflingersignflinger-instead-of-apksigner).
+* In [F-Droid](https://f-droid.org/) this month, Reproducible Builds contributor FC Stegerman created a [set of 'reproducible APK tools'](https://github.com/obfusk/reproducible-apk-tools) as a workaround for issues like [the order of files in APKs built on macOS being non-deterministic](https://gitlab.com/fdroid/fdroiddata/-/issues/2816#note_1179533719). In addition, the new issue documenting [the overview of apps using reproducible builds](https://gitlab.com/fdroid/fdroiddata/-/issues/2844) shows that F-Droid added 11 new apps that use reproducible builds, and FC Stegerman released *apksigcopier* version 1.1.0 which [adds support for APKs signed by 'Signflinger'](https://github.com/obfusk/apksigcopier#what-about-apks-signed-by-gradlezipflingersignflinger-instead-of-apksigner).
* *martinSusz* has written up a [fascinating wiki page](https://github.com/martinSusz/rkdeveloptool/wiki/Generating--quasi-reproducible-BootROM-firmware-for-Rock-Chips-SoC) describing how to generate 'quasi-reproducible' firmware ROMs for [System-on-a-Chip](https://en.wikipedia.org/wiki/System_on_a_chip) (SoC) components fabricated by [Rock Chip](https://en.wikipedia.org/wiki/Rockchip). These chips are used in popular low-cost laptops such as the [Pine64 PinebookPro](https://www.pine64.org/pinebook-pro/) and [Asus C201](https://www.asus.com/us/laptops/for-home/chromebook/asus-chromebook-c201/). The link is worth viewing simply for the [interesting diagram](https://user-images.githubusercontent.com/119517241/205492847-f2e03cd0-c7b4-43f2-b7f0-e970e531e805.png).
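Review bot: the rewritten F-Droid bullet introduces a factual claim the old text did not make, "shows that F-Droid added 11 new apps that use reproducible builds"; please confirm that count against the linked fdroiddata issue #2844 before merging, since this is a published monthly report. Dropping 'Gradle' from the *apksigcopier* 1.1.0 description while the link anchor still mentions gradle/zipflinger/signflinger is fine if the release only names Signflinger, but worth a check against the README. The "macOS" capitalisation and "followed up an old post" fixes are good.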
@@ -114,7 +114,7 @@ Lastly, Roland Clobus posted his [latest update of the status of reproducible De
<br>
-In other, [Miro Hrončok](https://fedoraproject.org/wiki/User:Churchyard) proposed a change to 'clamp' build modification times to the value of [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). This was [initially suggested and discussed on a `devel@` mailing list post](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MWKWFO52KTOGVGOEUDZT7YBOON2G5A2K/) but was later [written up on the Fedora Wiki](https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes) as well as being [officially proposed to Fedora Engineering Steering Committee (FESCo)](https://pagure.io/fesco/issue/2899).
+In other news, [Miro Hrončok](https://fedoraproject.org/wiki/User:Churchyard) proposed a change to 'clamp' build modification times to the value of [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). This was [initially suggested and discussed on a `devel@` mailing list post](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MWKWFO52KTOGVGOEUDZT7YBOON2G5A2K/) but was later [written up on the Fedora Wiki](https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes) as well as being [officially proposed to Fedora Engineering Steering Committee (FESCo)](https://pagure.io/fesco/issue/2899).
---
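Review bot: style point on the same line being touched: "officially proposed to Fedora Engineering Steering Committee (FESCo)" is missing an article; suggest "officially proposed to the Fedora Engineering Steering Committee (FESCo)".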
@@ -166,7 +166,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
[*diffoscope*](https://diffoscope.org) is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions `226` and `227` to Debian:
* Support both `python3-progressbar` and `python3-progressbar2`, two modules providing the `progressbar` Python module. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/81903e0b)]
-* Don't run Python decompiling tests on Python bytecode that `file(1)` cannot detect yet and Python 3.11 cannot unmarshall. ([#1024335](https://bugs.debian.org/1024335))
+* Don't run Python decompiling tests on Python bytecode that `file(1)` cannot detect yet and Python 3.11 cannot unmarshal. ([#1024335](https://bugs.debian.org/1024335))
* Don't attempt to attach text-only differences notice if there are no differences to begin with. ([#1024171](https://bugs.debian.org/1024171))
* Make sure we recommend `apksigcopier`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/792115b9)]
* Tidy generation of `os_list`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f0be250e)]
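Review bot: "unmarshal" is the correct spelling here (the Python module is `marshal`). While in this list, the neighbouring context line "Don't attempt to attach text-only differences notice" reads better as "Don't attempt to attach a text-only differences notice".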
@@ -174,13 +174,13 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* Use our `assert_diff` helper in `test_lzip.py`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6d3a2779)]
* Drop other copyright notices from `lzip.py` and `test_lzip.py`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4a6f0811)]
-In addition to this, Christopher Baines added [*lzip*](https://www.nongnu.org/lzip/) support [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e1b947b8)], and FC Stegerman added an optimisation where by we don't run `apktool` if no differences are detected before the signing block [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1852890a)].
+In addition to this, Christopher Baines added [*lzip*](https://www.nongnu.org/lzip/) support [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e1b947b8)], and FC Stegerman added an optimisation whereby we don't run `apktool` if no differences are detected before the signing block [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1852890a)].
---
[![]({{ "/images/reports/2022-11/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
-A significant number of changes were made to the Reproducible Builds website and documentation this month, including Chris Lamb ensuring the [openEuler](https://www.openeuler.org/en/) logo is correctly visible with a white background [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0251baa)], FC Stegerman de-duplicated by email address to avoid listing some contributors twice [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed37547)], Hervé Boutemy added [Apache Mavern](https://maven.apache.org/) to the [list of affiliated projects]({{ "/who/projects/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5879bed0)] and *boyska* updated our [*Contribute*]({{ "/contribute/" | relative_url }}) page to remark that the [Reproducible Builds presence on *salsa.debian.org*](https://salsa.debian.org/reproducible-builds/) is not just the Git repository but is also for creating issues [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5471f8d8)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9b4238ad)]. In addition to all this, however, Holger Levsen made the following changes:
+A significant number of changes were made to the Reproducible Builds website and documentation this month, including Chris Lamb ensuring the [openEuler](https://www.openeuler.org/en/) logo is correctly visible with a white background [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0251baa)], FC Stegerman de-duplicated by email address to avoid listing some contributors twice [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed37547)], Hervé Boutemy added [Apache Maven](https://maven.apache.org/) to the [list of affiliated projects]({{ "/who/projects/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5879bed0)] and *boyska* updated our [*Contribute*]({{ "/contribute/" | relative_url }}) page to remark that the [Reproducible Builds presence on *salsa.debian.org*](https://salsa.debian.org/reproducible-builds/) is not just the Git repository but is also for creating issues [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5471f8d8)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9b4238ad)]. In addition to all this, however, Holger Levsen made the following changes:
* Add a number of existing publications [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6a3972fa)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/82d4570c)] and update metadata for some existing publications as well [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/435e36ec)].
* Hide draft posts on the [website homepage]({{ "/" | relative_url }}). [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/684acdce)]
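Review bot: the rewritten paragraph is still a single sentence of well over a hundred words; consider splitting it after the openEuler item and after the Maven item. "In addition to all this, however," contrasts with nothing, so "however" can be dropped. The "Maven" spelling fix is correct.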
@@ -198,7 +198,7 @@ The Reproducible Builds project operates a comprehensive testing framework at [t
* Improve the generation of 'meta' package sets (used in grouping packages for reporting/statistical purposes) to treat Debian *bookworm* as equivalent to Debian *unstable* in this specific case [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3d3ab211)]
and to parse the list of packages used in the Debian cloud images [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7f65008c)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a62656fa)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5b079c49)].
* Temporarily allow Frederic to `ssh(1)` into our snapshot server as the `jenkins` user. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9f407d14)]
-* Keep some reproducible jobs Jenkisn logs much longer [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/65fd1455)] ([later reverted](https://salsa.debian.org/qa/jenkins.debian.net/commit/7101f5c9)).
+* Keep some reproducible jobs Jenkins logs much longer [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/65fd1455)] ([later reverted](https://salsa.debian.org/qa/jenkins.debian.net/commit/7101f5c9)).
* Improve the node health checks to detect failures to update the Debian cloud image package set [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c4d670d2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7223af42)] and to improve prioritisation of some kernel warnings [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2f1cf2e6)].
* Always echo any IRC output to Jenkins' output as well. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6589dc83)]
* Deal gracefully with problems related to processing the cloud image package set. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/997b8184)]
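Review bot: "Keep some reproducible jobs Jenkins logs much longer" fixes the typo but still reads awkwardly; suggest "Keep the Jenkins logs of some reproducible jobs for much longer".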
@@ -207,7 +207,7 @@ Finally, Roland Clobus continued his work on testing Live Debian images, includi
<br>
-If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. You can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5080f8aef7aeeac752e30f3271a6cbb00581d61f