[Git][reproducible-builds/reproducible-website][master] 2023-01: fix typos & links; improve some wording
FC Stegerman (@obfusk)
gitlab at salsa.debian.org
Thu Feb 2 23:56:57 UTC 2023
FC Stegerman pushed to branch master at Reproducible Builds / reproducible-website
Commits:
48f83c9a by FC Stegerman at 2023-02-03T00:56:32+01:00
2023-01: fix typos & links; improve some wording
- - - - -
1 changed file:
- _reports/2023-01.md
Changes:
=====================================
_reports/2023-01.md
=====================================
@@ -23,7 +23,7 @@ In a curious turn of events, GitHub first announced this month that the checksum
> … the default compression for Git archives has recently changed. As result, archives downloaded from GitHub may have different checksums even though the contents are completely unchanged.
-This would have had quite wide-ranging implications for anyone wishing to validate and verify downloaded archives using cryptographic signatures. However, GitHub reversed this decision, updating their [original announcement](https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/) with a message that "We are reverting this change for now. More details to follow." It appears that this was informed in part by an [in-depth discussion in the GitHub Community issue tracker](https://github.com/orgs/community/discussions/45830).
+This change (which [was brought up on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002709.html) last October) would have had quite wide-ranging implications for anyone wishing to validate and verify downloaded archives using cryptographic signatures. However, GitHub reversed this decision, updating their [original announcement](https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/) with a message that "We are reverting this change for now. More details to follow." It appears that this was informed in part by an [in-depth discussion in the GitHub Community issue tracker](https://github.com/orgs/community/discussions/45830).
<br>
@@ -43,11 +43,11 @@ Contributor *Seb35* updated [our website]({{ "/" | relative_url }}) to fix broke
Noak Jönsson has written an interesting paper entitled [*The State of Software Diversity in the Software Supply Chain of Ethereum Clients*](https://www.cesarsotovalero.net/files/publications/The_State_Of_Software_Diversity_In_The_Software_Supply_Chain.pdf). As the paper outlines:
-> In this report, the software supply chains of the most popular Ethereum clients are cataloged and analyzed. The dependency graphs of Ethereum clients developed in Go, Rust, and Java, are studied. These client are Geth, Prysm, OpenEthereum, Lighthouse, Besu, and Teku. To do so, their dependency graphs are transformed into a unified format. Quantitative metrics are used to depict the software supply chain of the blockchain. The results show a clear difference in the size of the software supply chain required for the execution layer and consensus layer of Ethereum. [[…](https://www.cesarsotovalero.net/files/publications/The_State_Of_Software_Diversity_In_The_Software_Supply_Chain.pdf)]
+> In this report, the software supply chains of the most popular Ethereum clients are cataloged and analyzed. The dependency graphs of Ethereum clients developed in Go, Rust, and Java, are studied. These client are Geth, Prysm, OpenEthereum, Lighthouse, Besu, and Teku. To do so, their dependency graphs are transformed into a unified format. Quantitative metrics are used to depict the software supply chain of the blockchain. The results show a clear difference in the size of the software supply chain required for the execution layer and consensus layer of Ethereum.
<br>
-Yongkui Han posted to [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) discussing [making reproducible builds & GitBOM work together without gitBOM-ID embedding](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002813.html). GitBOM (now renamed to [OmniBOR](https://omnibor.io/)) is a project to "enable automatic, verifiable artifact resolution across today's diverse software supply-chains" [[…](https://omnibor.io/)]. In addition, Fabian Keil wrote to us asking whether [anyone in the community would be at Chemnitz Linux Days 2023](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002811.html), which is due to take place on 11th and 12th March ([event info](https://chemnitzer.linux-tage.de/2023/en).
+Yongkui Han posted to [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) discussing [making reproducible builds & GitBOM work together without gitBOM-ID embedding](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002813.html). GitBOM (now renamed to [OmniBOR](https://omnibor.io/)) is a project to "enable automatic, verifiable artifact resolution across today's diverse software supply-chains" [[…](https://omnibor.io/)]. In addition, Fabian Keil wrote to us asking whether [anyone in the community would be at Chemnitz Linux Days 2023](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002811.html), which is due to take place on 11th and 12th March ([event info](https://chemnitzer.linux-tage.de/2023/en)).
<br>
@@ -67,7 +67,7 @@ The extremely popular [Signal messenger app](https://signal.org/) added upstream
There was a very large number of changes in the [F-Droid](https://f-droid.org/) and wider Android ecosystem this month:
-On January 15th, a blog post entitled [*Towards a reproducible F-Droid*](https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html) was published on the [F-Droid](https://f-droid.org/), outlining the reasons why "F-Droid signs published APKs with its own keys" and how reproducible builds can help prevent issues with that. In particular:
+On January 15th, a blog post entitled [*Towards a reproducible F-Droid*](https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html) was published on the [F-Droid website](https://f-droid.org/), outlining the reasons why "F-Droid signs published APKs with its own keys" and how reproducible builds allow using upstream developers' keys instead. In particular:
> In response to […] criticisms, we started [encouraging new apps to enable reproducible builds](https://gitlab.com/fdroid/fdroiddata/-/issues/2816). It turns out that reproducible builds are not so difficult to achieve for many apps. [In the past few months we’ve gotten many more reproducible apps in F-Droid than before](https://gitlab.com/fdroid/fdroiddata/-/issues/2844). Currently we can’t highlight which apps are reproducible in the client, so maybe you haven’t noticed that there are many new apps signed with upstream developers’ keys.
@@ -77,13 +77,13 @@ In addition:
* F-Droid added 13 apps published with reproducible builds this month. [[…](https://gitlab.com/fdroid/fdroiddata/-/issues/2844)]
-* FC Stegerman outlined a bug where [`baseline.profm` files are nondeterministic](https://gist.github.com/obfusk/61046e09cee352ae6dd109911534b12e). As they note, this issue [should already be fixed](https://android.googlesource.com/platform/tools/base/+/2f2c6b30b55e18e2672edf5ee8e8e583be759d3e) but it is not yet part of the official [Android Gradle plugin release](https://developer.android.com/studio/releases/gradle-plugin).
+* FC Stegerman outlined a bug where [`baseline.profm` files are nondeterministic](https://gist.github.com/obfusk/61046e09cee352ae6dd109911534b12e). As they note, this issue [has now been fixed](https://android.googlesource.com/platform/tools/base/+/2f2c6b30b55e18e2672edf5ee8e8e583be759d3e) but the fix is not yet part of an official [Android Gradle plugin release](https://developer.android.com/studio/releases/gradle-plugin).
* GitLab user [*Parwor*](https://gitlab.com/Parwor) discovered that the number of CPU cores can affect the reproducibility of `.dex` files. [[…](https://gitlab.com/fdroid/rfp/-/issues/1519#note_1226216164)]
-* FC Stegerman also announced the `0.2.0` and `0.2.1` releases of [*reproducible-apk-tools*](https://github.com/obfusk/reproducible-apk-tools), a suite of tools to help make `.apk` files reproducible. Several new subcommands and scripts were added, and a number of bugs were fixed as well [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2023-january/002815.html)][[…](https://lists.reproducible-builds.org/pipermail/rb-general/2023-january/002816.html)]. They also updated the [F-Droid website](https://f-droid.org/) to improve the reproducibility-related documentation. [[…](https://gitlab.com/fdroid/fdroid-website/-/merge_requests/895/diffs)][[…](https://gitlab.com/fdroid/fdroid-website/-/merge_requests/901/diffs)]
+* FC Stegerman also announced the `0.2.0` and `0.2.1` releases of [*reproducible-apk-tools*](https://github.com/obfusk/reproducible-apk-tools), a suite of tools to help make `.apk` files reproducible. Several new subcommands and scripts were added, and a number of bugs were fixed as well [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002815.html)][[…](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002816.html)]. They also updated the [F-Droid website](https://f-droid.org/) to improve the reproducibility-related documentation. [[…](https://gitlab.com/fdroid/fdroid-website/-/merge_requests/895/diffs)][[…](https://gitlab.com/fdroid/fdroid-website/-/merge_requests/901/diffs)]
-* A number of bugs related to reproducibility were discovered in Android itself. Firstly, the non-deterministic order of `.zip` entries in `.apk` files [[…]](https://issuetracker.google.com/issues/265653160)] and then newline differences between building on Windows versus Linux can make builds not reproducible as well. [[…](https://issuetracker.google.com/issues/266109851)]. (Note that these links may require a Google account to view.)
+* A number of bugs related to reproducibility were discovered in Android itself. Firstly, the non-deterministic order of `.zip` entries in `.apk` files [[…](https://issuetracker.google.com/issues/265653160)] and then newline differences between building on Windows versus Linux that can make builds not reproducible as well. [[…](https://issuetracker.google.com/issues/266109851)] (Note that these links may require a Google account to view.)
* And just before the end of the month, FC Stegerman started a thread on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general) on the topic of [hiding data/code in APK embedded signatures](https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002825.html) which has been made possible by the [Android APK Signature Scheme v2/v3](https://source.android.com/docs/security/features/apksigning). As part of this, they made an Android app that reads the APK Signing block of its own APK and extracts a payload in order to alter its behaviour called [*sigblock-code-poc*](https://github.com/obfusk/sigblock-code-poc).
@@ -91,7 +91,7 @@ In addition:
[![]({{ "/images/reports/2023-01/debian.png#right" | relative_url }})](https://debian.org/)
-As mentioned in [last months report]({{ "/reports/2022-12/" | relative_url }}), Vagrant Cascadian has been organising a series of online sprints in order to 'clear the huge backlog of reproducible builds patches submitted' by performing NMUs ([Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload)). During January, a sprint took place on the 10th, resulting in the following uploads:
+As mentioned in [last month's report]({{ "/reports/2022-12/" | relative_url }}), Vagrant Cascadian has been organising a series of online sprints in order to 'clear the huge backlog of reproducible builds patches submitted' by performing NMUs ([Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload)). During January, a sprint took place on the 10th, resulting in the following uploads:
* Chris Lamb:
@@ -124,7 +124,7 @@ In other distributions:
* Bernhard M. Wiedemann published another [monthly report for reproducibility within openSUSE](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/RQ3TMTIOU7HUX5TIP7IE7KT7ZWERWPXB/), as well as [a belated report for December 2022](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2DKRGC4EIBVUVP6RWHBCEL5SJKCTWRFM/).
-* It was announced that [Fedora Rawhide](https://docs.fedoraproject.org/en-US/releases/rawhide/) now 'clamps' file modification types to [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). […](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/2BDU7CFZGEXUWBHJIZDB2QAOIR2R5TFN/)]
+* It was announced that [Fedora Rawhide](https://docs.fedoraproject.org/en-US/releases/rawhide/) now 'clamps' file modification types to [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). [[…](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/2BDU7CFZGEXUWBHJIZDB2QAOIR2R5TFN/)]
* Finally, an existing tool called [*rpmreproduce*](https://github.com/fepitre/rpmreproduce) was (re-)discovered this month, which claims that "given a buildinfo file from a RPM package, [it can] generate instructions for attempting to reproduce the binary packages built from the associated source and build information."
@@ -146,8 +146,8 @@ In other distributions:
In addition, FC Stegerman (*obfusk*) made a number of changes, including:
-* Updating the `test_text_proper_indentation` test to support the latest version(s) of [`file(1)`](https://en.wikipedia.org/wiki/File_(command)). [[…](https://bugs.debian.org/329)]
-* Use a `extras_require.json` file to store some build/release metadata, instead of accessing the internet. [[…](https://bugs.debian.org/325)]]
+* Updating the `test_text_proper_indentation` test to support the latest version(s) of [`file(1)`](https://en.wikipedia.org/wiki/File_(command)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/329)]
+* Use an `extras_require.json` file to store some build/release metadata, instead of accessing the internet. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/325)]
* Updating an APK-related [`file(1)`](https://en.wikipedia.org/wiki/File_(command)) regular expression. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/72f8f33d)]
* On the [*diffoscope.org* website](https://diffoscope.org/), de-duplicate contributors by e-mail. [[…](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/1ebaa67)]
@@ -206,7 +206,7 @@ The Reproducible Builds project attempts to fix as many currently-unreproducible
* FC Stegerman:
- * Several patches for [`file(1)`](https://en.wikipedia.org/wiki/File_(command)) are now included in the Debian packaging. [[…](https://github.com/file/file/search?q=FC+Stegerman&type=commits)]
+ * Several patches for [`file(1)`](https://en.wikipedia.org/wiki/File_(command)) (which is used by reproducible builds tools like *diffoscope* and *strip-nondeterminism*) that improve detection of various file formats are now included in the Debian packaging. [[…](https://github.com/file/file/search?q=FC+Stegerman&type=commits)]
---
@@ -222,18 +222,18 @@ The Reproducible Builds project operates a comprehensive testing framework at [t
* Debian-related changes:
- * Only keep [diffoscope](https://diffoscope.org)'s HTML output (ie. no `.json` or `.txt)) for LTS suites and older in order to save diskspace on the Jenkins host. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/098742fb)]
+ * Only keep [diffoscope](https://diffoscope.org)'s HTML output (ie. no `.json` or `.txt`) for LTS suites and older in order to save diskspace on the Jenkins host. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/098742fb)]
* Re-create `pbuilder` base less frequently for the `stretch`, `bookworm` and `experimental` suites. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d2d7923c)]
* OpenWrt-related changes:
- * Add gcc-multilib to OPENWRT_HOST_PACKAGES and install it on the nodes that need it. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7f88cba8)]
+ * Add gcc-multilib to `OPENWRT_HOST_PACKAGES` and install it on the nodes that need it. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7f88cba8)]
* Detect more problems in the health check when failing to build OpenWrt. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/02ce1d17)]
* Misc changes:
* Update the `chroot-run` script to correctly manage `/dev` and `/dev/pts`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0e49a9eb)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a68ae0fd)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f18ba089)]
- * Update the Jenkins 'shell monitor' script to collect disk stats less frequently [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2ea61357)] and to include various directory stats [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/00400ad4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e5b31286)].
+ * Update the Jenkins 'shell monitor' script to collect disk stats less frequently [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2ea61357)] and to include various directory stats. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/00400ad4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e5b31286)]
* Update the 'real' year in the configuration in order to be able to detect whether a node is running in the future or not. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3827ba7c)]
* Bump copyright years in the default page footer. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ff82ec5f)]
@@ -241,10 +241,12 @@ In addition, Christian Marangi submitted a patch to build OpenWrt packages with
---
-If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. You can get in touch with us via:
+If you are interested in contributing to the Reproducible Builds project, please visit the [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. You can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
* Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
* Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/48f83c9a4e542c12be5c65244c583b9125c7cf48
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/48f83c9a4e542c12be5c65244c583b9125c7cf48
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20230202/2c5b8b6e/attachment.htm>
More information about the rb-commits
mailing list