[Git][reproducible-builds/reproducible-website][master] 2 commits: 2022-05: Lots of changes prior to publishing.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon Jun 6 12:23:42 UTC 2022
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
2c56634d by Chris Lamb at 2022-06-06T13:22:58+01:00
2022-05: Lots of changes prior to publishing.
- - - - -
e01a18c8 by Chris Lamb at 2022-06-06T13:23:27+01:00
published as https://reproducible-builds.org/reports/2022-05/
- - - - -
3 changed files:
- _reports/2022-05.md
- + images/reports/2022-05/holger-levsen-talk.png
- + images/reports/2022-05/roland-clobus-talk.png
Changes:
=====================================
_reports/2022-05.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2022"
month: "05"
title: "Reproducible Builds in May 2022"
-draft: true
+draft: false
+date: 2022-06-06 12:23:26
---
[![]({{ "/images/reports/2022-05/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
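Review bot: the new `date: 2022-06-06 12:23:26` line has no timezone offset, while every commit timestamp on this page is in +01:00; Jekyll resolves an offset-less front-matter date in the site's configured timezone, so consider `date: 2022-06-06 12:23:26 +0100` (or the UTC value) to make the published timestamp unambiguous.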
@@ -41,19 +42,34 @@ Johannes Schauer discovered a fascinating bug where simply naming your Python va
Simply renaming the dummy method from `_m` to `_b` was enough to workaround the problem. [Johannes' bug report](https://github.com/python/cpython/issues/92132) first led to a number of improvements in *diffoscope* to aid in dissecting `.pyc` files, but upstream identified this as caused by an issue surrounding [interned strings](https://en.wikipedia.org/wiki/String_interning) and is being tracked in [CPython bug #78274](https://github.com/python/cpython/issues/78274).
-#### SPDX forms new team to bring build metadata to Software Bill of Materials
+#### New SPDX team to incorporate build metadata in Software Bill of Materials
-[SPDX, the open standard for Software Bill of Materials (SBOM)](https://spdx.dev), is continuously developed by a number of teams and committees. SPDX now welcomes a new addition - a team dedicated to enhancing metadata about software builds, complementing reproducible builds in creating a more secure software supply chain. The SPDX Builds Team has been working throughout May to define the universal primitives shared by all build systems, including the 'who, what, where and how' of builds:
+[SPDX](https://spdx.dev), the open standard for [Software Bill of Materials](https://en.wikipedia.org/wiki/Software_supply_chain) (SBOM), is continuously developed by a number of teams and committees. However, SPDX has welcomed a new addition; a team dedicated to enhancing metadata about software builds, complementing reproducible builds in creating a more secure software supply chain. The "SPDX Builds Team" has been working throughout May to define the universal primitives shared by all build systems, including the "who, what, where and how" of builds:
-* Who: the identity of the person or organisation that controls the build infrastructure
+* Who: the identity of the person or organisation that controls the build infrastructure.
-* What: the inputs and outputs of a given build, combining metadata about the build's configuration with an SBOM describing source code and dependencies
+* What: the inputs and outputs of a given build, combining metadata about the build's configuration with an SBOM describing source code and dependencies.
-* Where: the software packages making up the build system, from build orchestration tools such as [Woodpecker CI](https://woodpecker-ci.org/docs/intro) and [Tekton](https://tekton.dev/) to language-specific tools
+* Where: the software packages making up the build system, from build orchestration tools such as [Woodpecker CI](https://woodpecker-ci.org/docs/intro) and [Tekton](https://tekton.dev/) to language-specific tools.
-* How: the invocation of a build, linking metadata of a build to the identity of the person or automation tool that initiated it
+* How: the invocation of a build, linking metadata of a build to the identity of the person or automation tool that initiated it.
+
+The SPDX Builds Team expects to have a usable data model by September, ready for inclusion in the SPDX 3.0 standard. The team welcomes new contributors, inviting those interested in joining to introduce themselves on the [SPDX-Tech](https://lists.spdx.org/g/spdx-tech) mailing list.
+
+#### Talks at Debian Reunion Hamburg
+
+Some of the Reproducible Builds team (Holger Levsen, Mattia Rizzolo, Roland Clobus, Philip Rinn, etc.) met in real life at the [Debian Reunion Hamburg](https://wiki.debian.org/DebianEvents/de/2022/DebianReunionHamburg/) ([official homepage](https://hamburg-2022.mini.debconf.org/)). There were several informal discussions amongst them, as well as two talks related to reproducible builds.
+
+First, Holger Levsen gave a talk on the status of [*Reproducible Builds for bullseye and bookworm and beyond*](https://meetings-archive.debian.net/pub/debian-meetings/2022/Debian-Reunion-Hamburg/debian-reunion-hamburg-2022-22-reproduciblebuilds-for-bullseye-bookworm-and-beyond.webm) (WebM, 210MB):
+
+[![]({{ "/images/reports/2022-05/holger-levsen-talk.png#center" | relative_url }})](https://meetings-archive.debian.net/pub/debian-meetings/2022/Debian-Reunion-Hamburg/debian-reunion-hamburg-2022-22-reproduciblebuilds-for-bullseye-bookworm-and-beyond.webm)
+
+Secondly, Roland Clobus gave a talk called [*Reproducible builds as applied to non-compiler output*](https://meetings-archive.debian.net/pub/debian-meetings/2022/Debian-Reunion-Hamburg/debian-reunion-hamburg-2022-24-reproducible-builds-as-applied-to-non-compiler-output.webm) (WebM, 115MB):
+
+[![]({{ "/images/reports/2022-05/roland-clobus-talk.png#center" | relative_url }})](https://gemmei.ftp.acc.umu.se/pub/debian-meetings/2022/Debian-Reunion-Hamburg/debian-reunion-hamburg-2022-24-reproducible-builds-as-applied-to-non-compiler-output.webm)
+
+<br>
-The SPDX Builds Team expects to have a usable data model by September, ready for inclusion in the upcoming SPDX 3.0 standard. The team welcomes new contributors, inviting those interested in joining to introduce themselves on the [SPDX Tech mailing list](https://lists.spdx.org/g/spdx-tech).
#### Supply-chain security attacks
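Review bot: the two links for Roland Clobus's talk point at different hosts: the text link uses `https://meetings-archive.debian.net/pub/debian-meetings/2022/Debian-Reunion-Hamburg/...` while the image link directly beneath it uses `https://gemmei.ftp.acc.umu.se/pub/debian-meetings/2022/Debian-Reunion-Hamburg/...`; use the meetings-archive.debian.net URL for both, as is already done for Holger's talk, so readers land on the same canonical copy. Two smaller points in the same hunk: "However, SPDX has welcomed a new addition;" contrasts with nothing in the preceding sentence and the semicolon should be a colon (the removed wording "SPDX now welcomes a new addition:" read more naturally), and the new SBOM link targets the Wikipedia article on the software supply chain rather than one on Software Bill of Materials.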
@@ -165,7 +181,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [#1010855](https://bugs.debian.org/1010855) filed against [`longrun`](https://tracker.debian.org/pkg/longrun).
* [#1011452](https://bugs.debian.org/1011452) filed against [`rust-simplelog`](https://tracker.debian.org/pkg/rust-simplelog).
* [#1011752](https://bugs.debian.org/1011752) filed against [`freesas`](https://tracker.debian.org/pkg/freesas).
- * [FIXME`PeachPy`](https://github.com/Maratyszcza/PeachPy/pull/108#pullrequestreview-981950994) (merged, sort entries)
+ * [`PeachPy`](https://github.com/Maratyszcza/PeachPy/pull/108#pullrequestreview-981950994) (merged, sort entries)
* Johannes Schauer Marin Rodrigues:
@@ -272,7 +288,6 @@ On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/
* Yaobin Wen asked a number of questions in an attempt to discover the [best practices for manage Debian `.dsc` files](https://lists.reproducible-builds.org/pipermail/rb-general/2022-May/002590.html) using [*reprepro*](https://manpages.debian.org/unstable/reprepro/reprepro.1.en.html).
-Some of us (Holger Levsen, Mattia Rizzolo, Roland Clobus, Philip Rinn) met in real life at the [Debian Reunion Hamburg](https://wiki.debian.org/DebianEvents/de/2022/DebianReunionHamburg/) (also covered [here](https://hamburg-2022.mini.debconf.org/)). There were several informal discussions amongst them, while Holger and Roland gave well-received talks (FIXME: link to them).
<br>
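Review bot: deleting this paragraph leaves the mailing-list section's last bullet followed directly by the `<br>` context line; check that the rendered page still has the intended spacing between this section and the next. Nothing from the removed sentence is lost, since the attendees and both talks now appear, with links, in the new "Talks at Debian Reunion Hamburg" section earlier in the file, which also retires the "FIXME: link to them" marker.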
=====================================
images/reports/2022-05/holger-levsen-talk.png
=====================================
Binary files /dev/null and b/images/reports/2022-05/holger-levsen-talk.png differ
=====================================
images/reports/2022-05/roland-clobus-talk.png
=====================================
Binary files /dev/null and b/images/reports/2022-05/roland-clobus-talk.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/5209d737accfd5139aa4cf534740a37fa33a5652...e01a18c818fe15b3f1580988975958f0d2cdee95