[Git][reproducible-builds/reproducible-website][master] 2 commits: 2022-08: Misc cosmetic changes.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Fri Sep 9 12:53:39 UTC 2022
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
beebdeb9 by Chris Lamb at 2022-09-09T13:52:45+01:00
2022-08: Misc cosmetic changes.
- - - - -
5a0d6654 by Chris Lamb at 2022-09-09T13:53:24+01:00
published as https://reproducible-builds.org/reports/2022-08/
- - - - -
1 changed file:
- _reports/2022-08.md
Changes:
=====================================
_reports/2022-08.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2022"
month: "08"
title: "Reproducible Builds in August 2022"
-draft: true
+draft: false
+date: 2022-09-09 12:53:24
---
[![]({{ "/images/reports/2022-08/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
@@ -12,13 +13,11 @@ draft: true
As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-<br>
-
#### Community news
As announced last month, registration is currently **open** for our [in-person summit this year]({{ "/events/venice2022/" | relative_url }}) which is due to be held between **November 1st → November 3rd**. The event will take place in **Venice (Italy)**. Very soon we intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees. Please see the [announcement email](https://lists.reproducible-builds.org/pipermail/rb-general/2022-July/002666.html) for information about how to register..
-<br>
+---
[![]({{ "/images/reports/2022-08/nsa.png#right" | relative_url }})](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/)
@@ -30,33 +29,31 @@ The document expressly recommends having reproducible builds as part of "advance
The [full press release](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/) is available online.
-<br>
+---
[![]({{ "/images/reports/2022-08/appfair.png#right" | relative_url }})](https://appfair.net/)
On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Marc Prud'hommeaux posted a feature request for *diffoscope* which additionally outlines a project called [The App Fair](https://appfair.net/), an autonomous distribution network of free and open-source macOS and iOS applications, where "validated apps are then signed and submitted for publication".
-<br>
+---
Author/blogger [Cory Doctorow](https://craphound.com/bio/) posted published a provocative blog post this month titled "[Your computer is tormented by a wicked god](https://pluralistic.net/2022/07/28/descartes-was-an-optimist/#uh-oh)". Touching on Ken Thompson's famous talk, "[Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)", the early goals of "Secure Computing" and UEFI firmware interfaces:
> This is the core of a two-decade-old debate among security people, and it's one that the "benevolent God" faction has consistently had the upper hand in. They're the "curated computing" advocates who insist that preventing you from choosing an alternative app store or side-loading a program is for your own good – because if it's possible for you to override the manufacturer's wishes, then malicious software may impersonate you to do so, or you might be tricked into doing so. [..] This benevolent dictatorship model only works so long as the dictator is both perfectly benevolent and perfectly competent. We know the dictators aren't always benevolent. [...] But even if you trust a dictator's benevolence, you can't trust in their perfection. Everyone makes mistakes. Benevolent dictator computing works well, but fails badly. Designing a computer that intentionally can't be fully controlled by its owner is a nightmare, because that is a computer that, once compromised, can attack its owner with impunity.
-<br>
+---
Lastly, Chengyu HAN updated the [Reproducible Builds website]({{ "/" | relative_url }}) to correct an incorrect Git command. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fc235bb9)]
-<br>
-
#### Debian
[![]({{ "/images/reports/2022-08/debian.png#right" | relative_url }})](https://debian.org/)
-This month, the `essential` and `required` package sets became 100% reproducible in Debian *bookworm* on the `amd64` and `arm64` architectures. These two subsets of the full Debian archive refer to Debian package "priority" levels as described in the [§2.5 Priorities](https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities) section of the [Debian Policy](https://www.debian.org/doc/debian-policy/) — there is no canonical "minimal installation" package set in Debian due to its diverse methods of installation.
+In [Debian](https://debian.org/) this month, the `essential` and `required` package sets became 100% reproducible in Debian *bookworm* on the `amd64` and `arm64` architectures. These two subsets of the full Debian archive refer to Debian package "priority" levels as described in the [§2.5 Priorities](https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities) section of the [Debian Policy](https://www.debian.org/doc/debian-policy/) — there is no canonical "minimal installation" package set in Debian due to its diverse methods of installation.
As it happens, these package sets are *not* reproducible on the `i386` architecture because the `ncurses` package on that architecture is not yet reproducible, and the `sed` package currently fails to build from source on `armhf` too. The full list of reproducible packages within these package sets can be viewed within our QA system, such as on the page of [`required` packages in `amd64`](https://tests.reproducible-builds.org/debian/bookworm/amd64/pkg_set_required.html) and the list of [`essential` packages on `arm64`](https://tests.reproducible-builds.org/debian/bookworm/arm64/pkg_set_essential.html), both for Debian *bullseye*.
-<br>
+---
It recently has become very easy to install reproducible Debian Docker containers using `podman` on Debian bullseye:
@@ -67,7 +64,7 @@ $ podman run --rm -it debian:bullseye bash
The (pre-built) image used is itself built using [*debuerrotype*](https://github.com/debuerreotype/debuerreotype), as explained on [*docker.debian.net*](https://docker.debian.net/). This page also details how to build the image yourself and what checksums are expected if you do so.
-<br>
+---
Related to this, it has also become straightforward to reproducibly bootstrap Debian using [*mmdebstrap*](https://gitlab.mister-muffin.de/josch/mmdebstrap), a replacement for the usual *debootstrap* tool to create Debian root filesystems:
@@ -78,7 +75,7 @@ $ SOURCE_DATE_EPOCH=$(date --utc --date=2022-08-29 +%s) mmdebstrap unstable > un
This works for (at least) Debian *unstable*, *bullseye* and *bookworm*, and is tested automatically by a number of QA jobs set up by Holger Levsen ([*unstable*](https://jenkins.debian.net/job/reproducible_mmdebstrap_unstable/), [*bookworm*](https://jenkins.debian.net/job/reproducible_mmdebstrap_bookworm/) and [*bullseye*](https://jenkins.debian.net/job/reproducible_mmdebstrap_bullseye/))
-<br>
+---
Work has also taken place to ensure that the canonical *debootstrap* and *cdebootstrap* tools are *also* capable of bootstrapping Debian reproducibly, although it currently requires a few extra steps:
@@ -88,12 +85,10 @@ Work has also taken place to ensure that the canonical *debootstrap* and *cdeboo
This process works at least for *unstable*, *bullseye* and *bookworm* and is now being tested automatically by a number of QA jobs setup by Holger Levsen [[...](https://jenkins.debian.net/job/reproducible_debootstrap_bullseye/)][[...](https://jenkins.debian.net/job/reproducible_debootstrap_bookworm/)][[...](https://jenkins.debian.net/job/reproducible_debootstrap_unstable/)][[...](https://jenkins.debian.net/job/reproducible_cdebootstrap_bullseye/)][[...](https://jenkins.debian.net/job/reproducible_cdebootstrap_bookworm/)][[...](https://jenkins.debian.net/job/reproducible_cdebootstrap_unstable/)]. As part of this work, Holger filed two bugs to request a better initialisation of the `/etc/machine-id` file in both *debootstrap* [[...](https://bugs.debian.org/1018740)] and *cdebootstrap* [[...](https://bugs.debian.org/1018741)].
-<br>
+---
Elsewhere in Debian, 131 reviews of Debian packages were added, 20 were updated and 27 were removed this month, adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb added a number of issue types, including: `randomness_in_browserify_output` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b2d75f42)], `haskell_abi_hash_differences` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/732f0fc1)], `nondeterministic_ids_in_html_output_generated_by_python_sphinx_panels` [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/3c9fbbcb)]. Lastly, Mattia Rizzolo removed the `deterministic` flag from the `captures_kernel_variant` flag [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/83ea690e)].
-<br>
-
#### Other distributions
[![]({{ "/images/reports/2022-08/guix.png#right" | relative_url }})](https://guix.gnu.org/)
@@ -116,8 +111,6 @@ Elsewhere in GNU Guix, however, Vagrant updated a number of packages such as `it
In openSUSE, Bernhard M. Wiedemann published his usual [openSUSE monthly report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KXF3OGYAJMGB5LU2QJJZSOCIAL22JUBU/).
-<br>
-
#### [diffoscope](https://diffoscope.org)
[![]({{ "/images/reports/2022-08/diffoscope.png#right" | relative_url }})](https://diffoscope.org)
@@ -130,8 +123,6 @@ In openSUSE, Bernhard M. Wiedemann published his usual [openSUSE monthly report]
In addition, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://www.gnu.org/software/guix/), first to to version 220 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=04ef952a4928a427fa3d778e23d4e99299c9fa5a)] and later to 221 [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ec6122250de7c83a7e77054584a34767b11337db)].
-<br>
-
#### Community news
The Reproducible Builds project aims to fix as many currently-unreproducible packages as possible as well as to send all of our patches upstream wherever appropriate. This month we created a number of patches, including:
@@ -171,8 +162,6 @@ The Reproducible Builds project aims to fix as many currently-unreproducible pac
* [#1018802](https://bugs.debian.org/1018802) filed against [`localechooser`](https://tracker.debian.org/pkg/localechooser).
* [`uboot`](https://lists.denx.de/pipermail/u-boot/2022-August/492156.html) (Rasmus Villemoes proposed fixing gcc instead [[...](https://gcc.gnu.org/pipermail/gcc-patches/2022-August/600491.html)][[...](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93371)])
-<br>
-
#### Testing framework
[![]({{ "/images/reports/2022-08/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
@@ -209,8 +198,6 @@ The Reproducible Builds project runs a significant testing framework at [tests.r
In addition, Roland Clobus re-enabled the tests for *live-build* images [[...](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e4d7f0b5)] and added a feature where the build would retry instead of give up when the archive was synced whilst building an ISO [[...](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/7b28da62)], and Vagrant Cascadian added logging to report the current target of the `/bin/sh` symlink [[...](https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e4776858)].
-<br>
-
#### Contact
As ever, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/143fc03421f72a76d6acc45429f34a6b9cd21c0f...5a0d6654d4f6f34f700bbd1b5f46964c85342255
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/143fc03421f72a76d6acc45429f34a6b9cd21c0f...5a0d6654d4f6f34f700bbd1b5f46964c85342255
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20220909/2a11623f/attachment.htm>
More information about the rb-commits
mailing list