[Git][reproducible-builds/reproducible-website][master] 2024-03: Misc changes.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Apr 11 12:26:27 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
30e2cd68 by Chris Lamb at 2024-04-11T12:57:47+01:00
2024-03: Misc changes.
- - - - -
2 changed files:
- _reports/2024-03.md
- images/reports/2024-03/5c4gfXVPAbU.jpg
Changes:
=====================================
_reports/2024-03.md
=====================================
@@ -12,44 +12,50 @@ draft: true
---
-### Making Fedora Linux (more) reproducible
+### Arch Linux minimal container userland now 100% reproducible
-[![]({{ "/images/reports/2024-03/5c4gfXVPAbU.jpg#right" | relative_url }})](https://www.youtube.com/watch?v=5c4gfXVPAbU)
+[![]({{ "/images/reports/2024-03/archlinux.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003301.html)
-In March, Davide Cavalca gave a talk at the [2024 Southern California Linux Expo](https://www.socallinuxexpo.org/scale/21x) (aka *SCALE 21x*) about the ongoing effort to [make the Fedora Linux distribution reproducible](https://www.socallinuxexpo.org/scale/21x/presentations/making-fedora-linux-more-reproducible).
+In remarkable news, Reproducible builds developer *kpcyrd* reported that that the [Arch Linux](https://archlinux.org/) "minimal container userland" [is now 100% reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003301.html) after work by developers *dvzv* and *Foxboron* on the one remaining package. This represents a "real world", widely-used Linux distribution being reproducible.
-Documented in [more detail on Fedora's website](https://docs.fedoraproject.org/en-US/reproducible-builds/), the talk touched on topics such as the specifics of implementing reproducible builds in Fedora, the challenges encountered, the current status and what's coming next. ([YouTube video](https://www.youtube.com/watch?v=5c4gfXVPAbU))
+Their post, which *kpcyrd* suffixed with the question "now what?", continues on to outline some potential next steps, including validating whether the container image itself could be reproduced bit-for-bit. The post, which was itself a followup for an [Arch Linux update earlier in the month](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003291.html), generated a [significant number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/thread.html#3301).
<br>
-### "*Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management*"
+### Validating Debian's build infrastructure after the XZ backdoor
-[![]({{ "/images/reports/2024-03/hal-04482192.png#right" | relative_url }})](https://hal.science/hal-04482192)
+[![]({{ "/images/reports/2024-03/debian.png#right" | relative_url }})](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003321.html)
-Julien Malka published a brief but interesting paper in the [HAL open archive](https://en.wikipedia.org/wiki/HAL_(open_archive)) on [*Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management*](https://hal.science/hal-04482192):
+From our [mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Vagrant Cascadian [wrote about](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003321.html) being asked about trying to perform concrete reproducibility checks for recent Debian security updates, in an attempt to gain some confidence about Debian's build infrastructure given that they performed builds in environments running the [high-profile XZ vulnerability](https://lwn.net/Articles/967866/).
-> Functional package managers (FPMs) and reproducible builds (R-B) are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. This thesis aims to evaluate the impact of FPMs and R-B on the security of the software supply chain and propose improvements to the FPM model to further improve trust in the open source supply chain. [PDF](https://hal.science/hal-04482192/document)
+Vagrant reports (with some caveats):
-Julien's paper poses a number of research questions on how the model of distributions such as [GNU Guix](https://guix.gnu.org/) and [NixOS](https://nixos.org/) can "be leveraged to further improve the safety of the software supply chain", etc.
+> So far, I have not found any reproducibility issues; everything I tested I was able to get to build bit-for-bit identical with what is in the
+Debian archive.
+
+That is to say, reproducibility testing permitted Vagrant and Debian to claim with some confidence that builds performed when this vulnerable version of XZ was installed were not interfered with.
<br>
-### Mailing list highlights
+### Making Fedora Linux (more) reproducible
-From [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+[![]({{ "/images/reports/2024-03/5c4gfXVPAbU.jpg#right" | relative_url }})](https://www.youtube.com/watch?v=5c4gfXVPAbU)
-* Vagrant Cascadian wrote about being asked about trying to perform concrete reproducibility checks for recent Debian security updates in an attempt to gain some confidence about Debian's build infrastructure, given that they performed builds in environments running the high-profile [XZ vulnerability](https://lwn.net/Articles/967866/). Vagrant reports (with some caveats):
+In March, Davide Cavalca gave a talk at the [2024 Southern California Linux Expo](https://www.socallinuxexpo.org/scale/21x) (aka *SCALE 21x*) about the ongoing effort to [make the Fedora Linux distribution reproducible](https://www.socallinuxexpo.org/scale/21x/presentations/making-fedora-linux-more-reproducible).
- > So far, I have not found any reproducibility issues; everything I tested I was able to get to build bit-for-bit identical with what is in the
-Debian archive.
+Documented in [more detail on Fedora's website](https://docs.fedoraproject.org/en-US/reproducible-builds/), the talk touched on topics such as the specifics of implementing reproducible builds in Fedora, the challenges encountered, the current status and what's coming next. ([YouTube video](https://www.youtube.com/watch?v=5c4gfXVPAbU))
+
+<br>
- That is to say, reproducibility testing permitted Vagrant and Debian to claim with some confidence that builds performed when this vulnerable version of XZ was installed were not interfered with.
+### "*Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management*"
-* Reproducible builds developer *kpcyrd* reported that that the [Arch Linux](https://archlinux.org/) "minimal container userland" [is now 100% reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003301.html) after work by developers *dvzv* and *Foxboron* on the one remaining package. The post, which *kpcyrd* suffixed with the question "now what?", continues on to outline some potential next steps, including validating whether the container image itself could be reproduced bit-for-bit. The post [generated a significant number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/thread.html#3301).
+[![]({{ "/images/reports/2024-03/hal-04482192.png#right" | relative_url }})](https://hal.science/hal-04482192)
-* Alexander Railean of [Siemens](https://www.siemens.com/) asked the list to aid in understanding [how one can independently verify the reproducibility of Java projects](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003311.html) from the [Maven Central](https://central.sonatype.com/) repository. Having explored those repositories, Alexander could not find examples where the `buildinfo` file was present. Arnout Engelen [responded with some details](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003312.html).
+Julien Malka published a brief but interesting paper in the [HAL open archive](https://en.wikipedia.org/wiki/HAL_(open_archive)) on [*Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management*](https://hal.science/hal-04482192):
-* Fay Stegerman [resuscitated a long-dormant thread](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003278.html) to report that she added support in her [`diff-zip-meta.py` tool](https://github.com/obfusk/reproducible-apk-tools#diff-zip-metapy) to expose extra timestamps embedded in `.zip` and `.apk` metadata.
+> Functional package managers (FPMs) and reproducible builds (R-B) are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. This thesis aims to evaluate the impact of FPMs and R-B on the security of the software supply chain and propose improvements to the FPM model to further improve trust in the open source supply chain. [PDF](https://hal.science/hal-04482192/document)
+
+Julien's paper poses a number of research questions on how the model of distributions such as [GNU Guix](https://guix.gnu.org/) and [NixOS](https://nixos.org/) can "be leveraged to further improve the safety of the software supply chain", etc.
<br>
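Review bot: the two new right-floated images, `/images/reports/2024-03/archlinux.png` and `/images/reports/2024-03/debian.png`, are referenced in the Arch Linux and Debian/XZ sections but are not among this commit's changed files (only `5c4gfXVPAbU.jpg` is touched), so both sections will render broken image links unless those files land in another commit. The closing sentence of the Arch paragraph, `This represents a "real world", widely-used Linux distribution being reproducible.`, also claims more than the heading scopes (the result is for the "minimal container userland", not the whole distribution); consider qualifying it to match. Smaller points carried over from the old bullet: `reported that that the [Arch Linux]` has a duplicated `that`; `Their post` at the start of the second Arch paragraph is clearer as `The post`, since the preceding sentence already introduces it; `followup` should be `follow-up`; and in the XZ section, `environments running the [high-profile XZ vulnerability]` reads better as "environments with the vulnerable XZ version installed", matching the wording of the section's final sentence.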
@@ -85,6 +91,16 @@ Lastly, Bernhard M. Wiedemann posted another [monthly update](https://lists.open
<br>
+### Mailing list highlights
+
+Elsewhere on [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Alexander Railean of [Siemens](https://www.siemens.com/) asked the list to aid in understanding [how one can independently verify the reproducibility of Java projects](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003311.html) from the [Maven Central](https://central.sonatype.com/) repository. Having explored those repositories, Alexander could not find examples where the `buildinfo` file was present. Arnout Engelen [responded with some details](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003312.html).
+
+* Fay Stegerman [resuscitated a long-dormant thread](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003278.html) to report that she added support in her [`diff-zip-meta.py` tool](https://github.com/obfusk/reproducible-apk-tools#diff-zip-metapy) to expose extra timestamps embedded in `.zip` and `.apk` metadata.
+
+<br>
+
### Website updates
[![]({{ "/images/reports/2024-03/website.png#right" | relative_url }})]({{ "/" | relative_url }})
@@ -119,7 +135,7 @@ There were made a number of improvements to our website this month, including:
* New features:
- * Add support for the [`zipdetails`](https://perldoc.perl.org/zipdetails) tool from the Perl distribution. Thanks to Larry Doolittle et al. for the pointer to this tool. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d9dfe40d)]
+ * Add support for the [`zipdetails`](https://perldoc.perl.org/zipdetails) tool from the Perl distribution. Thanks to Fay Stegerman and Larry Doolittle et al. for the pointer and thread about this tool. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d9dfe40d)]
* Bug fixes:
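Review bot: `Thanks to Fay Stegerman and Larry Doolittle et al. for the pointer and thread about this tool.` mixes named people with `et al.` and reads awkwardly; suggest `Thanks to Fay Stegerman, Larry Doolittle and others for the pointer to, and thread about, this tool.`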
=====================================
images/reports/2024-03/5c4gfXVPAbU.jpg
=====================================
Binary files a/images/reports/2024-03/5c4gfXVPAbU.jpg and b/images/reports/2024-03/5c4gfXVPAbU.jpg differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/30e2cd68b623afe57d696c4b310fc2c9328476ef