[Git][reproducible-builds/reproducible-website][master] 2021-12: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Mon Jan 3 15:01:59 UTC 2022



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
03cd2132 by Chris Lamb at 2022-01-03T15:00:45+00:00
2021-12: Initial draft

- - - - -


5 changed files:

- _reports/2021-12.md
- + images/reports/2021-12/debian.png
- + images/reports/2021-12/diffoscope.svg
- + images/reports/2021-12/reproducible-builds.png
- + images/reports/2021-12/tails.png


Changes:

=====================================
_reports/2021-12.md
=====================================
@@ -6,14 +6,159 @@ title: "Reproducible Builds in December 2021"
 draft: true
 ---
 
-FIXME: Julian Voisin blogged about setting up a rebuilderd instance to reproduce Tails images. https://dustri.org/b/reproducing-tails-with-rebuilderd.html
+[![]({{ "/images/reports/2021-12/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
 
-* https://gitlab.torproject.org/tpo/core/tor/-/raw/main/ChangeLog can now build reproducible tarballs
+**Welcome to the December 2021 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these reports, we try and summarise what we have been up to over the past month, as well as what else has been occurring in the world of software supply-chain security.
+
+As a quick recap of what reproducible builds' is trying to address,  whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As always, if you would like to contribute to the project, please get in touch with us directly or visit the [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+<br>
+
+[![]({{ "/images/reports/2021-12/tails.png#right" | relative_url }})](https://tails.boum.org/)
+
+Early in December, Julian Voisin blogged about setting up a [*rebuilderd*](https://rebuilderd.com/) instance in order to reproduce [Tails](https://tails.boum.org/) images. Working on [previous work from 2018](https://dustri.org/b/please-try-to-build-tails-reproducibly.html), Julian has now setup an [public-facing instance](https://rebuilderd.dustri.org/) which is providing build attestations.
+
+As [Julian dryly notes in his post](https://dustri.org/b/reproducing-tails-with-rebuilderd.html), “Currently, this isn't really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn't backdoor the released image.” Naturally, we would contend — sincerely — that this *is* indeed useful.
+
+<br>
+
+The secure/anonymous [Tor browser](https://www.torproject.org/) now supports reproducible source releases. According to [the project's changelog](https://gitlab.torproject.org/tpo/core/tor/-/raw/main/ChangeLog), version `0.4.7.3-alpha` of Tor can now build reproducible tarballs via the `make dist-reprod` command. This issue was tracked via Tor issue [#26299](https://gitlab.torproject.org/tpo/core/tor/-/issues/26299).
+
+<br>
+
+[Fabian Keil](https://www.fabiankeil.de/) posted a question to [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month asking how they might analyse differences in images produced with the [FreeBSD](https://www.freebsd.org/) and [ElectroBSD](https://www.fabiankeil.de/gehacktes/electrobsd/)'s `mkimg` and `makefs` commands:
+
+> `After rebasing ElectroBSD from FreeBSD stable/11 to stable/12`<br>
+> `I recently noticed that the "memstick" images are unfortunately`<br>
+> `still not 100% reproducible.`
+
+[Fabian's original post](https://lists.reproducible-builds.org/pipermail/rb-general/2021-December/002445.html)) generated a [short back-and-forth](https://lists.reproducible-builds.org/pipermail/rb-general/2021-December/thread.html#2445) with Chris Lamb regarding how [*diffoscope*](https://diffoscope.org/) might be able to support the particular format of images generated by this command set.
+
+<br>
+
+## [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2021-12/diffoscope.svg#right" | relative_url }})](https://diffoscope.org)
+
+[*diffoscope*](https://diffoscope.org) is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploading versions `195`, `196`, `197` and `198` to Debian, as well as made the following changes:
+
+* Support showing *Ordering differences only* within `.dsc` field values. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/dcd83528)]
+* Add support for 'XMLb' files. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a9ecfb78)]
+* Also add, for example, `/usr/lib/x86_64-linux-gnu` to our local binary search path. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/eb34fe74)]
+* Support [OCaml](https://ocaml.org/) versions 4.11, 4.12 and 4.13. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0cba1b1f)]
+* Drop some unnecessary `has_same_content_as` logging calls. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8f79dd77)]
+* Replace `token` variable with an anonymously-named variable instead to remove extra lines. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4837c43a)]
+* Don't use the runtime platform's native endianness when unpacking `.pyc` files. This fixes test failures on [big-endian](https://en.wikipedia.org/wiki/Endianness) machines. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a3211be2)]
+
+Mattia Rizzolo also made a number of changes to *diffoscope* this month as well, such as:
+
+* Also recognize [GnuCash](https://www.gnucash.org/) files as XML. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8258bd24)]
+* Support the [pgpdump](https://www.mew.org/~kazu/proj/pgpdump/en/) PGP packet visualiser version 0.34. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/962e3e2d)]
+* Ignore the new Lintian tag `binary-with-bad-dynamic-table`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/69713e2e)]
+* Fix the `Enhances` field in `debian/control`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f5b27785)]
+
+Finally, Brent Spillner fixed the version detection for [Black](https://black.readthedocs.io/en/stable/) 'uncompromising code formatter' [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3fb091b6)], Jelle van der Waa added an external tool reference for Arch Linux [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/dd358a4b)] and Roland Clobus added support for reporting when the `GNU_BUILD_ID` field has been modified [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5c166d92)]. Thank you for your contributions!
+
+<br>
+
+## Distribution work
+
+[![]({{ "/images/reports/2021-12/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, 70 reviews of packages were added, 27 were updated and 41 were removed, adding to our [database of knowledge about specific issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types were created as well, including:
+
+* [`build_path_identifiers_in_documentation_generated_by_doxygen`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/1dcf54f7)
+* [`non_deterministic_doc_base_file_for_javadoc`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/065752f7)
+* [`nondeterministic_ordering_in_guile_binaries`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/9ba11d2c)
+
+[*strip-nondeterminism*](https://salsa.debian.org/reproducible-builds/strip-nondeterminism) version `1.13.0-1` was [uploaded to Debian unstable](https://tracker.debian.org/news/1287861/accepted-strip-nondeterminism-1130-1-source-into-unstable/) by Holger Levsen. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commits/debian/1.13.0-1) as well as new ones from Mattia Rizzolo, particularly that the `dh_strip_nondeterminism` Debian integration interface uses the new `get_non_binnmu_date_epoch()` utility when available: this is important to ensure that [*strip-nondeterminism* does not break some kinds of binNMUs](https://bugs.debian.org/999665).
+
+<br>
+
+In the world of [openSUSE](https://www.opensuse.org/), however, Bernhard M. Wiedemann posted his [monthly reproducible builds status report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/VGQAHNQ24ZMVUJ33MQUSWLWPPOQ5KRLK/).
+
+<br>
+
+## Upstream patches
+
+The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. In December, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`python-eventlet`](https://build.opensuse.org/request/show/942632) (FTBFS-2028)
-    * [`g++7/rsync`](https://bugzilla.suse.com/show_bug.cgi?id=1193895) (toolchain, randomness)
-    * [`python-PyQRCode`](https://github.com/pyqrcode/pyqrcodeNG/pull/18) (date copyright year)
 
-* https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/VGQAHNQ24ZMVUJ33MQUSWLWPPOQ5KRLK/ openSUSE monthly
+    * [`g++7/rsync`](https://bugzilla.suse.com/show_bug.cgi?id=1193895) (randomness in output)
+    * [`python-eventlet`](https://build.opensuse.org/request/show/942632) (build fails in the future)
+    * [`python-PyQRCode`](https://github.com/pyqrcode/pyqrcodeNG/pull/18) (incorporates copyright year)
+
+* Chris Lamb:
+
+    * [#1001227](https://bugs.debian.org/1001227) filed against [`locust`](https://tracker.debian.org/pkg/locust).
+    * [#1001277](https://bugs.debian.org/1001277) filed against [`cwltool`](https://tracker.debian.org/pkg/cwltool).
+    * [#1001553](https://bugs.debian.org/1001553) filed against [`mate-submodules`](https://tracker.debian.org/pkg/mate-submodules).
+
+* Simon McVittie:
+
+    * [#1001210](https://bugs.debian.org/1001210) filed against [`ksh93u+m`](https://tracker.debian.org/pkg/ksh93u+m).
+    * [#1001223](https://bugs.debian.org/1001223) filed against [`dx`](https://tracker.debian.org/pkg/dx).
+
+* Vagrant Cascadian:
+
+    * [#1000944](https://bugs.debian.org/1000944) filed against [`apbs`](https://tracker.debian.org/pkg/apbs).
+    * [#1000945](https://bugs.debian.org/1000945) filed against [`binutils-riscv64-unknown-elf`](https://tracker.debian.org/pkg/binutils-riscv64-unknown-elf).
+    * [#1000946](https://bugs.debian.org/1000946) filed against [`gcc-riscv64-unknown-elf`](https://tracker.debian.org/pkg/gcc-riscv64-unknown-elf).
+    * [#1001850](https://bugs.debian.org/1001850) filed against [`userbindmount`](https://tracker.debian.org/pkg/userbindmount).
+    * [#1001853](https://bugs.debian.org/1001853) filed against [`nanomsg`](https://tracker.debian.org/pkg/nanomsg).
+    * [#1001854](https://bugs.debian.org/1001854) filed against [`freediameter`](https://tracker.debian.org/pkg/freediameter).
+    * [#1001856](https://bugs.debian.org/1001856) filed against [`gr-satellites`](https://tracker.debian.org/pkg/gr-satellites).
+    * [#1001859](https://bugs.debian.org/1001859) filed against [`kjs`](https://tracker.debian.org/pkg/kjs).
+    * [#1001860](https://bugs.debian.org/1001860) filed against [`xeus-python`](https://tracker.debian.org/pkg/xeus-python).
+    * [#1001866](https://bugs.debian.org/1001866) filed against [`libime`](https://tracker.debian.org/pkg/libime).
+    * [#1001867](https://bugs.debian.org/1001867) filed against [`fcitx5-gtk`](https://tracker.debian.org/pkg/fcitx5-gtk).
+    * [#1001868](https://bugs.debian.org/1001868) filed against [`fcitx`](https://tracker.debian.org/pkg/fcitx).
+    * [#1001869](https://bugs.debian.org/1001869) filed against [`libpodofo`](https://tracker.debian.org/pkg/libpodofo).
+    * [#1001870](https://bugs.debian.org/1001870) filed against [`meshlab`](https://tracker.debian.org/pkg/meshlab).
+    * [#1001872](https://bugs.debian.org/1001872) filed against [`eiskaltdcpp`](https://tracker.debian.org/pkg/eiskaltdcpp).
+    * [#1001873](https://bugs.debian.org/1001873) filed against [`editorconfig-core`](https://tracker.debian.org/pkg/editorconfig-core).
+    * [#1002671](https://bugs.debian.org/1002671) filed against [`python-parse-type`](https://tracker.debian.org/pkg/python-parse-type).
+    * [#1002673](https://bugs.debian.org/1002673) filed against [`sphinx-copybutton`](https://tracker.debian.org/pkg/sphinx-copybutton).
+    * [#1002674](https://bugs.debian.org/1002674) filed against [`fcitx5-qt`](https://tracker.debian.org/pkg/fcitx5-qt).
+
+<br>
+
+## Testing framework
+
+[![]({{ "/images/reports/2021-12/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project runs a significant testing framework at [tests.reproducible-builds.org](https://tests.reproducible-builds.org), to check packages and other artifacts for reproducibility. This month, the following changes were made:
+
+* Holger Levsen:
+
+    * Run the Debian scheduler less often. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6ed92b49)]
+    * Fix the name of the Debian '*testing*' suite name. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3cd4cee3)]
+    * Detect builds that are rescheduling due to problems with the [*diffoscope*](https://diffoscope.org/) container. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/84f85fb1)]
+    * No longer special-case particular machines having a different `/boot` partition size. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7dff4f7)]
+    * Automatically fix failed `apt-daily` and `apt-daily-upgrade` services [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e911842c)], failed `e2scrub_all.service` & `user@` [systemd](https://systemd.io/) units [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f6b31608)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/770a4c23)] as well as 'generic' build failures [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ce178c91)].
+    * Simplify a script to powercycle `arm64` architecture nodes hosted at/by [codethink.co.uk](https://www.codethink.co.uk/). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/77199ee9)]
+    * Detect if the [*udd-mirror.debian.net*](https://udd-mirror.debian.net/) service is down. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5f3d6569)]
+    * Various miscellaneous node maintenance. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/78eda062)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6991d1e5)]
+
+* Roland Clobus (Debian 'live' image generation):
+
+    * If the latest snapshot is not complete yet, try to use the previous snapshot instead. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/11f2a91b)]
+    * Minor: whitespace correction + comment correction. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/6656e25f)]
+    * Use unique folders and reports for each Debian version. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/daa2baf6)]
+    * Turn off debugging. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/436248f4)]
+    * Add a better error description for incorrect/missing arguments. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1de71214)]
+
+Lastly, Mattia Rizzolo updated the automatic logfile parsing rules in a number of ways (eg. to ignore a warning about the [Python setuptools](https://github.com/pypa/setuptools) deprecation) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/aa250e8a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/24b2bf99)] and Vagrant Cascadian adjusted the config for the [Squid](http://www.squid-cache.org/) caching proxy on a node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0050751f)]
+
+<br>
+
+---
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)


=====================================
images/reports/2021-12/debian.png
=====================================
Binary files /dev/null and b/images/reports/2021-12/debian.png differ


=====================================
images/reports/2021-12/diffoscope.svg
=====================================
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   version="1.1"
+   width="128"
+   height="128"
+   id="svg2">
+  <defs
+     id="defs4" />
+  <metadata
+     id="metadata7">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="matrix(1.0692573,0,0,1.0692573,-328.34726,-503.5515)"
+     id="layer1">
+    <g
+       id="g5409">
+      <g
+         transform="translate(5.418238,0)"
+         id="g5386">
+        <rect
+           width="90.304001"
+           height="50.999996"
+           x="316.36414"
+           y="472.80621"
+           id="rect4667-3"
+           style="fill:none;stroke:none" />
+        <g
+           id="text4673-8"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 316.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5371"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 348.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5373"
+             style="fill:#c00000;fill-opacity:1" />
+          <path
+             d="m 380.36413,483.82622 0,3.968 26.304,0 0,-3.968"
+             id="path5375"
+             style="fill:#c00000;fill-opacity:1" />
+        </g>
+        <g
+           id="text5366"
+           style="font-size:64px;font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#008000;fill-opacity:1;stroke:none;font-family:Inconsolata;-inkscape-font-specification:Inconsolata Medium">
+          <path
+             d="m 327.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5378" />
+          <path
+             d="m 359.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5380" />
+          <path
+             d="m 391.69213,496.99019 0,10.88 -11.328,0 0,3.968 11.328,0 0,11.968 4.032,0 0,-11.968 10.944,0 0,-3.968 -10.944,0 0,-10.88 -4.032,0"
+             id="path5382" />
+        </g>
+      </g>
+      <use
+         id="use5399"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.8,0,0,0.8,82.417275,133.65028)"
+         id="use5401"
+         style="opacity:0.85"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.6,0,0,0.6,164.83455,260.05454)"
+         id="use5403"
+         style="opacity:0.7"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+      <use
+         transform="matrix(0.4,0,0,0.4,247.25182,379.25208)"
+         id="use5405"
+         style="opacity:0.55"
+         x="0"
+         y="0"
+         width="744.09448"
+         height="1052.3622"
+         xlink:href="#g5386" />
+    </g>
+  </g>
+</svg>


=====================================
images/reports/2021-12/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2021-12/reproducible-builds.png differ


=====================================
images/reports/2021-12/tails.png
=====================================
Binary files /dev/null and b/images/reports/2021-12/tails.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/03cd2132796489eccc27649b9a29d63780adcfb9

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/03cd2132796489eccc27649b9a29d63780adcfb9
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20220103/ec339ed8/attachment.htm>


More information about the rb-commits mailing list