[Git][reproducible-builds/reproducible-website][master] 2 commits: 2023-05: Misc changes prior to publication.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon Jun 5 17:35:50 UTC 2023
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
67b3fb65 by Chris Lamb at 2023-06-05T10:35:09-07:00
2023-05: Misc changes prior to publication.
- - - - -
a5e9888a by Chris Lamb at 2023-06-05T10:35:41-07:00
published as https://reproducible-builds.org/reports/2023-05/
- - - - -
3 changed files:
- _reports/2023-05.md
- + images/reports/2023-05/fdroid.png
- + images/reports/2023-05/nixos.png
Changes:
=====================================
_reports/2023-05.md
=====================================
@@ -3,7 +3,8 @@ layout: report
year: "2023"
month: "05"
title: "Reproducible Builds in May 2023"
-draft: true
+draft: false
+date: 2023-06-05 17:35:40
---
**Welcome to the May 2023 report from the [Reproducible Builds](https://reproducible-builds.org) project**
@@ -41,13 +42,15 @@ Unfortunately, a PDF is not available publically yet, but a [Digital Object Iden
[![]({{ "/images/reports/2023-05/arXiv-2305.14157.png#left" | relative_url }})](https://arxiv.org/abs/2305.14157)
-Elsewhere in academia, Betul Gokkaya, Leonardo Aniello and Basel Halak of the [School of Electronics and Computer Science](https://www.southampton.ac.uk/about/faculties-schools-departments/school-of-electronics-and-computer-science) at the [University of Southampton](https://www.southampton.ac.uk/) published a new paper containing a broad overview of attacks and comprehensive risk assessment for software supply chain security. Titled [*Software supply chain: review of attacks, risk assessment strategies and security controls*](https://arxiv.org/abs/2305.14157), analyses the most common software supply-chain attacks by providing the latest trend of analyzed attack, and identifies the security risks for open-source and third-party software supply chains. Furthermore, their study "introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks". ([arXiv.org](https://arxiv.org/abs/2305.14157), [PDF](https://arxiv.org/pdf/2305.14157.pdf))
+Elsewhere in academia, Betul Gokkaya, Leonardo Aniello and Basel Halak of the [School of Electronics and Computer Science](https://www.southampton.ac.uk/about/faculties-schools-departments/school-of-electronics-and-computer-science) at the [University of Southampton](https://www.southampton.ac.uk/) published a new paper containing a broad overview of attacks and comprehensive risk assessment for software supply chain security.
+
+Their paper, titled [*Software supply chain: review of attacks, risk assessment strategies and security controls*](https://arxiv.org/abs/2305.14157), analyses the most common software supply-chain attacks by providing the latest trend of analyzed attack, and identifies the security risks for open-source and third-party software supply chains. Furthermore, their study "introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks". ([arXiv.org](https://arxiv.org/abs/2305.14157), [PDF](https://arxiv.org/pdf/2305.14157.pdf))
---
[![]({{ "/images/reports/2023-05/nixos.png#right" | relative_url }})](https://reproducible.nixos.org)
-NixOS is now tracking two new reports at [https://reproducible.nixos.org](https://reproducible): aside from the collection of build-time dependencies of the minimal and Gnome installation ISOs, it now also contains reports that are restricted to the artifacts that make it into the image. The minimal ISO is currently reproducible except for Python 3.10, which hopefully will be resolved with the coming update to Python 3.11.
+[NixOS](https://nixos.org/) is now tracking two new reports at [*reproducible.nixos.org*](https://reproducible.nixos.org/). Aside from the collection of build-time dependencies of the minimal and Gnome installation ISOs, this page now also contains reports that are restricted to the artifacts that make it into the image. The minimal ISO is currently reproducible except for Python 3.10, which hopefully will be resolved with the coming update to Python version 3.11.
---
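Review bot: in the added paragraph beginning `Their paper, titled`, the phrase `by providing the latest trend of analyzed attack` remains ungrammatical after the split; suggest `by presenting the latest trends in the analysed attacks`. The same hunk also silently fixes the previously truncated link target `https://reproducible` to `https://reproducible.nixos.org/`, which is worth mentioning in the commit message, and the NixOS sentence should use one form for `Python 3.10` and `Python version 3.11`.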
@@ -55,27 +58,27 @@ On [our *rb-general* mailing list](https://lists.reproducible-builds.org/listinf
[![]({{ "/images/reports/2023-05/semantically.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/thread.html#2968)
-* David A. Wheeler [started a thread](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002968.html) noting that the [OSSGadget project's oss-reproducible tool](https://github.com/microsoft/OSSGadget/tree/main/src/oss-reproducible/README.md) was measuring something related to but not the same as reproducible builds. Initially they had adopted the term “semantically reproducible build” term for what it measured, which they defined as being "if its build results can be either recreated exactly (a bit for bit reproducible build), or if the differences between the release package and a rebuilt package are not expected to produce functional differences in normal cases." This [generated a significant number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/thread.html#2968). Several were concerned that people might confuse what they were measuring with reproducible builds. After discussion, the OSSGadget developers decided to [switch to the term "semantically equivalent"](https://github.com/microsoft/OSSGadget/issues/426) for what they measured, to reduce the risk of confusion.
+David A. Wheeler [started a thread](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002968.html) noting that the [OSSGadget project's oss-reproducible tool](https://github.com/microsoft/OSSGadget/tree/main/src/oss-reproducible/README.md) was measuring something related to but not the same as reproducible builds. Initially they had adopted the term “semantically reproducible build” term for what it measured, which they defined as being "if its build results can be either recreated exactly (a bit for bit reproducible build), or if the differences between the release package and a rebuilt package are not expected to produce functional differences in normal cases." This [generated a significant number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/thread.html#2968), and several were concerned that people might confuse what they were measuring with "reproducible builds". After discussion, the OSSGadget developers decided to [switch to the term "semantically equivalent"](https://github.com/microsoft/OSSGadget/issues/426) for what they measured in order to reduce the risk of confusion.
-* Vagrant Cascadian (*vagrantc*) posted an update about [GCC, binutils, and Debian's build-essential set](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002961.html) with "some progress, some hope, and I daresay, some fears…".
+Vagrant Cascadian (*vagrantc*) posted an update about [GCC, binutils, and Debian's build-essential set](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002961.html) with "some progress, some hope, and I daresay, some fears…".
-* *kpcyrd* asked a question about [building a reproducible Linux kernel package for Arch Linux](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002991.html) ([answered](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002992.html) by Arnout Engelen). In the same thread David A. Wheeler pointed out that [the Linux Kernel documentation has a chapter about Reproducible Kernel builds](https://docs.kernel.org/kbuild/reproducible-builds.html) now as well.
+Lastly, *kpcyrd* asked a question about [building a reproducible Linux kernel package for Arch Linux](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002991.html) ([answered](https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002992.html) by Arnout Engelen). In the same, thread David A. Wheeler pointed out that the [Linux Kernel documentation has a chapter about Reproducible kernel builds](https://docs.kernel.org/kbuild/reproducible-builds.html) now as well.
---
[![]({{ "/images/reports/2023-05/debian.png#right" | relative_url }})](https://debian.org/)
-In Debian this month, 9 reviews of Debian packages were added, 20 were updated and 6 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). In addition, Vagrant Cascadian added a link to the source code causing various `ecbuild` issues. [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/a5e2eb23)]
+In Debian this month, nine reviews of Debian packages were added, 20 were updated and 6 were removed this month, all adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). In addition, Vagrant Cascadian added a link to the source code causing various `ecbuild` issues. [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/a5e2eb23)]
---
-[![]({{ "/images/reports/2023-02/fdroid.png#right" | relative_url }})](https://f-droid.org/)
+[![]({{ "/images/reports/2023-05/fdroid.png#right" | relative_url }})](https://f-droid.org/)
The [F-Droid](https://f-droid.org/) project updated its Inclusion How-To with a [new section](https://f-droid.org/docs/Inclusion_How-To/#reproducible-builds) explaining why it considers reproducible builds to be best practice and hopes developers will support the team's efforts to make as many (new) apps reproducible as it reasonably can.
---
-[![]({{ "/images/reports/2023-04/diffoscope.png#right" | relative_url }})](https://diffoscope.org)
+[![]({{ "/images/reports/2023-05/diffoscope.png#right" | relative_url }})](https://diffoscope.org)
In [*diffoscope*](https://diffoscope.org) development this month, version `242` was [uploaded to Debian unstable](https://tracker.debian.org/news/1430496/accepted-diffoscope-242-source-into-unstable/) by Chris Lamb who also made the following changes:
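Review bot: the image path change to `/images/reports/2023-05/diffoscope.png` has no matching file in this change set, which only adds `fdroid.png` and `nixos.png` under `images/reports/2023-05/`, so the link will be broken unless that image already exists on the branch. Two typos survive in the rewritten lines: `adopted the term “semantically reproducible build” term` repeats `term`, and `In the same, thread David A. Wheeler` has the comma in the wrong place (the removed line read `In the same thread David`). The Debian paragraph also now says `this month` twice in one sentence and mixes `nine` with `20` and `6`; pick numerals or words consistently.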
@@ -129,7 +132,7 @@ In addition, Jason A. Donenfeld filed a bug (now fixed in the latest alpha versi
## Testing framework
-[![]({{ "/images/reports/2023-04/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+[![]({{ "/images/reports/2023-05/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
The Reproducible Builds project operates a comprehensive testing framework (available at [tests.reproducible-builds.org](https://tests.reproducible-builds.org)) in order to check packages and other artifacts for reproducibility. In May, a number of changes were made by Holger Levsen:
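Review bot: same concern as the diffoscope image above: `/images/reports/2023-05/testframework.png` is not among the files added by this change, so please confirm the image already exists or add it alongside `fdroid.png` and `nixos.png`.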
@@ -144,7 +147,6 @@ The Reproducible Builds project operates a comprehensive testing framework (avai
In addition, Vagrant Cascadian added the `nocheck`, `nopgo` and `nolto` when building `gcc-*` and `binutils` packages [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c51432de5)] as well as performed some node maintenance [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/82efa70ee)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/95c8f5d57)]. In addition, Roland Clobus updated the [openQA](http://open.qa/) configuration to specify longer timeouts and access to the developer mode [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ef0235102)] and updated the URL used for reproducible Debian Live images [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d5f600b34)].
-<br>
<br>
---
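Review bot: the context line in this hunk reads `added the nocheck, nopgo and nolto when building gcc-* and binutils packages`, which is missing the noun those names qualify (presumably Debian build profiles), and the paragraph opens two consecutive sentences with `In addition`; both are in unchanged lines but could be fixed while this file is being touched. Dropping one of the two trailing `<br>` tags is fine.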
=====================================
images/reports/2023-05/fdroid.png
=====================================
Binary files /dev/null and b/images/reports/2023-05/fdroid.png differ
=====================================
images/reports/2023-05/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2023-05/nixos.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/757c6fcb95f189de4aae0c1a96ed5e196f7d6bdc...a5e9888ae2a3df4a1e2203fe6e5301ca29833d1e