[Git][reproducible-builds/reproducible-website][master] 2024-07: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Tue Aug 6 15:59:14 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
5c991ff0 by Chris Lamb at 2024-08-06T16:57:51+01:00
2024-07: Initial draft

- - - - -


9 changed files:

- _reports/2024-07.md
- + images/reports/2024-07/10.1145-3643764.png
- + images/reports/2024-07/31243619.png
- + images/reports/2024-07/debian.png
- + images/reports/2024-07/diffoscope.png
- + images/reports/2024-07/reproducible-builds.png
- + images/reports/2024-07/summit.jpg
- + images/reports/2024-07/testframework.png
- + images/reports/2024-07/website.png


Changes:

=====================================
_reports/2024-07.md
=====================================
@@ -6,54 +6,218 @@ title: "Reproducible Builds in July 2024"
 draft: true
 ---
 
-* [FIXME](https://github.com/obfusk/apksigcopier/issues/105) + [FIXME](https://issuetracker.google.com/issues/351408623)
+[![]({{ "/images/reports/2024-07/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
 
-* [FIXME](https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/)
+**Welcome to the June 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
 
-* [FIXME](https://dl.acm.org/doi/pdf/10.1145/3643764)
+In our reports, we outline what we've been up to over the past month and highlight news items in software supply-chain security more broadly. As always, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+---
+
+<br>
+
+### [Reproducible Builds Summit 2024 (reminder)]({{ "/events/hamburg2024/" | relative_url }})
+
+[![]({{ "/images/reports/2024-07/summit.jpg#right" | relative_url }})]({{ "/events/hamburg2024/" | relative_url }})
+
+Last month, we were very pleased to announce the [upcoming Reproducible Builds Summit]({{ "/events/hamburg2024/" | relative_url }}), set to take place from _September 17th — 19th 2024_ in Hamburg, Germany. We are thrilled to host the seventh edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort. During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.
+
+If you're interesting in joining us this year, please make sure to [read the event page]({{ "/events/hamburg2024/" | relative_url }}), which has more details about the event and location. We are very much looking forward to seeing many readers of these reports there.
+
+<br>
+
+### "[*Pulling Linux up by its bootstraps*](https://lwn.net/Articles/983340/)" (LWN)
+
+In a recent edition of [Linux Weekly News](https://lwn.net/), [Daroc Alden](https://setupminimal.github.io/) has written an article on "bootstrappable" builds. Starting with a brief introduction that…
+
+> … a [bootstrappable build](https://lwn.net/Articles/841797/) is one that builds existing software from scratch — for example, building GCC without relying on an existing copy of GCC. In 2023, the Guix project [announced](https://lwn.net/Articles/930650/) that the project had reduced the size of the binary bootstrap seed needed to build its operating system to just 357-bytes — not counting the Linux kernel required to run the build process.
+
+The article goes onto to describe that "now, the [live-bootstrap](https://github.com/fosslinux/live-bootstrap) project has gone a step further and removed the need for an existing kernel at all." and concludes:
+
+> The real benefit of bootstrappable builds comes from a few things. Like reproducible builds, they can make users more confident that the binary packages downloaded from a package mirror really do correspond to the open-source project whose source code they can inspect. Bootstrappable builds have also had positive effects on the complexity of building a Linux distribution from scratch […]. But most of all, bootstrappable builds are a boon to the longevity of our software ecosystem. It's easy for old software to become unbuildable. By having a well-known, self-contained chain of software that can build itself from a small seed, in a variety of environments, bootstrappable builds can help ensure that today's software is not lost, no matter where the open-source community goes from here
+
+<br>
+
+### [*Towards Idempotent Rebuilds?*](https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/)
+
+[Trisquel](https://trisquel.info/) developer [Simon Josefsson](https://josefsson.org/) wrote an [interesting blog post](https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/) comparing the output of the `.deb` files from our [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org/debian/reproducible.html) testing framework and the ones in the official Debian archive. Following up from a [previous post on the reproducibility of Trisquel](https://blog.josefsson.org/2023/04/10/trisquel-is-42-reproducible/), Simon notes that "typically [the] rebuilds do not match the official packages, even when they say the package is reproducible", Simon correctly identifies that "the purpose of [these] rebuilds are not to say anything about the official binary build, instead the purpose is to offer a QA service to maintainers by performing two builds of a package and declaring success if both builds match."
+
+However, Simon's post swiftly moves on to announce a new tool called [*debdistrebuild*](https://gitlab.com/debdistutils/debdistrebuild) that performs rebuilds of the difference between two distributions in a [GitLab pipeline](https://docs.gitlab.com/ee/ci/pipelines/) and displays [*diffoscope*](https://diffoscope.org) output for further analysis.
+
+<br>
+
+### [*AROMA: Automatic Reproduction of Maven Artifacts*](https://dl.acm.org/doi/pdf/10.1145/3643764)
+
+[![]({{ "/images/reports/2024-07/10.1145-3643764.png#right" | relative_url }})](https://dl.acm.org/doi/pdf/10.1145/3643764)
+
+Mehdi Keshani, Tudor-Gabriel Velican, Gideon Bot and Sebastian Proksch of the [Delft University of Technology](https://www.tudelft.nl/en/), Netherlands, have published a new paper in the ACM Software Engineering on a new tool to automatically reproduce [Apache Maven](https://maven.apache.org/) artifacts:
+
+> [Reproducible Central](https://github.com/jvm-repo-rebuild/reproducible-central) is an initiative that curates a list of reproducible Maven libraries, but the list is limited and challenging to maintain due to manual efforts. [We] investigate the feasibility of automatically finding the source code of a library from its Maven release and recovering information about the original release environment. Our tool, AROMA, can obtain this critical information from the artifact and the source repository through several heuristics and we use the results for reproduction attempts of Maven packages. Overall, **our approach achieves an accuracy of up to 99.5%** when compared field-by-field to the existing manual approach [and] we reveal that **automatic reproducibility is feasible for 23.4% of the Maven packages using AROMA, and 8% of these packages are fully reproducible**.
+
+<br>
+
+### Community updates
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Nichita Morcotilo reached to the community, first to share their efforts "to build reproducible packages cross-platform with a new build tool called [`rattler-build`](https://github.com/prefix-dev/rattler-build), noting that "as you can imagine, building packages reproducibly on Windows is the hardest challenge (so far!)". Nichita goes onto mention that the Apple ecosystem appear to be using `ZERO_AR_DATE` over [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}). [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003442.html)]
+
+* Roland Clobus announced that the Debian *bookworm* 12.6 live images are ["nearly reproducible"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003443.html), with more detail in the [post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003443.html) itself and [input in the thread](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/thread.html#3443) from other contributors.
+
+* As reported in [last month's report]({{ "/reports/2024-06/" | relative_url }}), [Pol Dellaiera](https://orcid.org/0009-0008-7972-7160) completed his master thesis on [*Reproducibility in Software Engineering*](https://doi.org/10.5281/zenodo.12666898) at the [University of Mons](https://web.umons.ac.be/), Belgium. This month, Pol [announced this on the list with more background info](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003449.html).
+
+* [Daniel Gröber asked for help](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003452.html) in getting the [Yosys](https://yosyshq.net/yosys/) documentation to build reproducibly, citing issues in *inter alia* the PDF generation causing differing `CreationDate` metadata values.
+
+* James Addison [continued his long journey](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003458.html) towards getting the [Sphinx](https://www.sphinx-doc.org/en/master/) documentation generator to build reproducible documentation. In this thread, James concerns himself with the problem that even "when [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) is configured, Sphinx projects that have configured their copyright notices using dynamic elements can produce nonsensical output under some circumstances." James' query ended up [generating a number of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/thread.html#3458).
+
+* Allen '*gunner*' Gunner posted a brief update on the progress the core team is making towards introducing a Code of Conduct (CoC) such that it is "in place in time for the RB Summit in Hamburg in September". In particular, *gunner* asks "if you are interested in helping with CoC design and development in the weeks ahead, simply email `rb-core at lists.reproducible-builds.org` and let us know". [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003475.html)]
+
+<br>
+
+### [*Extending the Scalability, Flexibility and Responsiveness of Secure Software Update Systems*](https://www.proquest.com/openview/07eb1454d3e506cd39b43ee0961bdabb/1?pq-origsite=gscholar&cbl=18750&diss=y)
+
+[![]({{ "/images/reports/2024-07/31243619.png#right" | relative_url }})](https://www.proquest.com/openview/07eb1454d3e506cd39b43ee0961bdabb/1?pq-origsite=gscholar&cbl=18750&diss=y)
+
+Congratulations to Marina Moore of the [New York Tandon School of Engineering](https://engineering.nyu.edu/) who has submitted her PhD thesis on [*Extending the Scalability, Flexibility and Responsiveness of Secure Software Update Systems*](https://www.proquest.com/openview/07eb1454d3e506cd39b43ee0961bdabb/1?pq-origsite=gscholar&cbl=18750&diss=y). The introduction outlines its contributions to the field:
+
+> [S]oftware repositories are a vital component of software development and release, with packages downloaded both for direct use and to use as dependencies for other software. Further, when software is updated due to patched vulnerabilities or new features, it is vital that users are able to see and install this patched version of the software. However, this process of updating software can also be the source of attack. To address these attacks, secure software update systems have been proposed. However, these secure software update systems have seen barriers to widespread adoption. The Update Framework (TUF) was introduced in 2010 to address several attacks on software update systems including repository compromise, rollback attacks, and arbitrary software installation. Despite this, compromises continue to occur, with millions of users impacted by such compromises. My work has addressed substantial challenges to adoption of secure software update systems grounded in an understanding of practical concerns. Work with industry and academic communities provided opportunities to discover challenges, expand adoption, and raise awareness about secure software updates. […]
+
+<br>
+
+### Development news
+
+[![]({{ "/images/reports/2024-07/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, 12 reviews of Debian packages were added, 13 were updated and 6 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A new toolchain issue types was identified as well, specifically [`ordering_differences_in_pkg_info`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/af496924).
+
+<br>
+
+Colin Percival filed a bug against the [LLVM](https://llvm.org/) compiler noting that [building `i386` binaries on the `i386` architecture is different when building `i386` binaries under `amd64`](https://github.com/llvm/llvm-project/issues/99396). The fix was narrowed down to "x87 excess precision, which can result in slightly different register choices when the compiler is hosted on `x86_64` or `i386`" and a fix committed. [[...](https://github.com/llvm/llvm-project/pull/100165/commits/28997387abf874345e9583c53739d2acbfedf761)]
+
+<br>
+
+Fay Stegerman [performed some in-depth research](https://github.com/obfusk/apksigcopier/issues/105) surrounding her [*apksigcopier*](https://github.com/obfusk/apksigcopier) tool, after a report that a number of Android `.apk` files could no longer be verified as reproducible. After much investigation, Fay identified the issue as follows:
+
+> Since `build-tools` >= 35.0.0-rc1, backwards-incompatible changes to `apksigner` break `apksigcopier` as it now by default forcibly replaces existing alignment padding and changed the default page alignment from 4k to 16k (same as Android Gradle Plugin >= 8.3, so the latter is only an issue when using older AGP). [[...](https://github.com/obfusk/apksigcopier/issues/105#issuecomment-2206799316)]
+
+… which resulted in a [bug being filed in Google's issue tracker](https://issuetracker.google.com/issues/351408623?pli=1).
+
+<br>
+
+[![]({{ "/images/reports/2024-07/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+Lastly, [diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb uploaded version `272` and Mattia Rizzolo uploaded version `273` to Debian, and the following changes were made as well:
+
+* Chris Lamb:
+
+    * Ensure that the `convert` utility is from ImageMagick version 6.x. The command-line interface has seemingly changed with the 7.x series of ImageMagick. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/bbcf367c)]
+    * Factor out version detection in `test_jpeg_image`. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/037bdcbb)]
+    * Correct the import of the `identify_version` method after a refactoring change in a [previous commit](https://salsa.debian.org/reproducible-builds/diffoscope/commit/037bdcbb). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/38f76379)]
+    * Move away from using DSA OpenSSH keys in tests as support has been [deprecated and removed](https://lwn.net/Articles/958048/) in OpenSSH version 9.8p1. ([#382](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/))
+    * Move to `assert_diff` in the `test_openssh_pub_key` packace. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e8c5dc10)]
+    * Update copyright years. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/5b5c8c62)]
+
+* Mattia Rizzolo:
+
+    * Add support for `ffmpeg` version 7.x which adds some extra context to the diff. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/cadfc73a)]
+    * Rework the handling of OpenSSH testing of DSA keys if OpenSSH is strictly 9.7, and add an OpenSSH key test with a `ed25519`-format key [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7917b746)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f3f72b9f)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/652b5793)]
+    * Temporarily disable a few packages that are not available in Debian *testing*. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/c6bba336)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f8a1e142)]
+    * Stop ignoring the results of Debian *testing* in the continuous integration system. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/bc2229c7)]
+    * Adjust options in `debian/source` to make sure not to pack the Python `sdist` directory into the binary Debian package. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/40b63b71)]
+    * Adjust Lintian overrides. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/633654ee)]
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-07/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were a number of improvements made to our website this month, including:
+
+* Bernhard M. Wiedemann updated the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) page to include instructions on how to create reproducible `.zip` files from within Python using the [`zipfile`](https://docs.python.org/3/library/zipfile.html) module. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7678a3e8)]
+
+* Chris Lamb fixed a potential duplicate heading on the [Projects]({{ "/who/projects/" }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3a701087)]
+
+* Fay Stegerman added [`rbtlog`](https://github.com/obfusk/rbtlog) to the [Tools]({{ "/tools/" | relative_url }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6882b92f)] as well as added [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) to the [Projects]({{ "/who/projects/" }}) page [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f62c7c56)], before also ensuring that the latter page was always sorted regardless of the ordering within the input data files. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b3e7154b)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0bb01b9c)]
+
+* Holger Levsen added added Linus Nordberg to our [global list of contributors]({{ "/who/people/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/595ccb28)] as well as made a number of changes to the page for the upcoming [Reproducible Builds summit later this year]({{ "/events/hamburg2024/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/de398031)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ed5eb6f4)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d69d7503)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e048075e)].
+
+* Mattia Rizzolo updated the [Civil Infrastructure Platform](https://www.cip-project.org/) logo [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/13058e9e)] and also updated the [2024 summit page]({{ "/events/hamburg2024/" | relative_url }}) [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/99054850)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fc371a3f)].
+
+* Nichita Morcotilo added [`rattler-build`]( https://github.com/prefix-dev/rattler-build) to the [Projects]({{ "/who/projects/" }}) page. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a5130fea)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a9d32515)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5d1b5fc7)]
+
+* Pol Dellaiera updated the [Academic Publications]({{ "/docs/publications/" | relative_url }}) page, adding two publications. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b98049f2)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/36da2c24)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`maliit-keyboard`](https://build.opensuse.org/request/show/1185254) (nocheck)
+
+    * [`armagetron`](https://build.opensuse.org/request/show/1188202)
+    * [`blaspp`](https://github.com/icl-utk-edu/blaspp/pull/87) (hostname)
+    * [`cligen`](https://gitlab.com/gnutls/cligen/-/merge_requests/5) (GnuTLSs date)
+    * [`cloudflared`](https://github.com/cloudflare/cloudflared/pull/1289) (date)
     * [`dpdk`](https://build.opensuse.org/request/show/1185443) (Sphinx doctrees)
-    * [`openssl-3`](https://build.opensuse.org/request/show/1187438) (random, already upstream)
-    * [`libdb-4_8`](https://build.opensuse.org/request/show/1190247) (jar mtime, needs upstreaming)
+    * [`fonttosfnt/xorg-x11-fonts`](https://gitlab.freedesktop.org/xorg/app/fonttosfnt/-/merge_requests/22) (toolchain, date)
+    * [`gegl`](https://build.opensuse.org/request/show/1188550) (build machine details)
     * [`gettext-runtime`](https://build.opensuse.org/request/show/1188059) (jar mtime)
-    * [`armagetron`](https://build.opensuse.org/request/show/1188202) (already merged upstream)
-    * [`librcc`](https://build.opensuse.org/request/show/1188204) (already merged upstream)
-    * [`latex2html`](https://build.opensuse.org/request/show/1188512) (nochecks)
-    * [`libreoffice`](https://build.opensuse.org/request/show/1189287) (strip .jar mtimes + [`clucene-core`](https://build.opensuse.org/request/show/1188447) toolchain)
-    * [`gegl`](https://build.opensuse.org/request/show/1188550) (drop build-machine-details)
-    * [`reproducible-faketools`](https://build.opensuse.org/request/show/1186763) (0.5.2)
+    * [`kf6-kirigami+kf6-qqc2-desktop-style`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228131) (race-condition)
+    * [`kubernetes1.26`](https://build.opensuse.org/request/show/1190449) (backport upstream fix for random path)
     * [`lapackpp`](https://github.com/icl-utk-edu/lapackpp/pull/68) (hostname)
-    * [`blaspp`](https://github.com/icl-utk-edu/blaspp/pull/87) (hostname)
-    * [`paho`](https://github.com/eclipse/paho.mqtt.python/pull/854) (FTBFS-2026)
-    * [`python-ruff`](https://github.com/astral-sh/ruff/issues/12169) (ASLR)
-    * [`clamav`](https://github.com/Cisco-Talos/clamav/issues/1300) (FTBFS-2024-07-28, [submitted to openSUSE](https://build.opensuse.org/request/show/1190176))
-    * [`libzypp`](https://github.com/openSUSE/libzypp/issues/559) (FTBFS-2038)
-    * [`cligen`](https://gitlab.com/gnutls/cligen/-/merge_requests/5) (gnutls date)
-    * [`cloudflared`](https://github.com/cloudflare/cloudflared/pull/1289) (date)
+    * [`latex2html`](https://build.opensuse.org/request/show/1188512) (nochecks)
+    * [`libdb-4_8`](https://build.opensuse.org/request/show/1190247) (`.jar` modification time)
+    * [`librcc`](https://build.opensuse.org/request/show/1188204) (already merged upstream)
+    * [`libreoffice`](https://build.opensuse.org/request/show/1189287) (strip `.jar` mtimes + [`clucene-core`](https://build.opensuse.org/request/show/1188447) toolchain)
+    * [`maliit-keyboard`](https://build.opensuse.org/request/show/1185254) (nocheck)
     * [`nautilus`](https://gitlab.gnome.org/GNOME/nautilus/-/merge_requests/1555) (date)
-    * [`rmt-server`](https://bugzilla.opensuse.org/show_bug.cgi?id=1227542) (report unknown issue, possible bug)
-    * [`python3`](https://bugzilla.opensuse.org/show_bug.cgi?id=1227999) ([date](https://github.com/python/cpython/pull/121872), [sphinx/race](https://github.com/python/cpython/pull/121883), [`sphinxcontrib`](https://github.com/sphinx-doc/sphinxcontrib-devhelp/pull/13) (gzip mtime)
-    * [`sphinx`](https://github.com/sphinx-doc/sphinx/pull/12606) (gzip mtime)
-    * [`systemd/obs-pesign-integration`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228091) (bug)
-    * [`kf6-kirigami+kf6-qqc2-desktop-style`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228131) (race-condition)
-    * [`ghc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228175) (report verification issue)
     * [`openblas`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228177) (CPU type, [fixed](https://build.opensuse.org/request/show/1190320))
-    * [`kubernetes1.26`](https://build.opensuse.org/request/show/1190449) (backport upstream fix for random path)
-    * [`apache-arrow`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228393) (report FTBFS)
-    * [`fonttosfnt/xorg-x11-fonts`](https://gitlab.freedesktop.org/xorg/app/fonttosfnt/-/merge_requests/22) (toolchain, date)
-    * [`python-spyder-notebook`](https://bugzilla.opensuse.org/show_bug.cgi?id=1228441) (report FTBFS)
+    * [`openssl-3`](https://build.opensuse.org/request/show/1187438) (random-related issue)
+    * [`python-ruff`](https://github.com/astral-sh/ruff/issues/12169) (ASLR)
+    * [`python3`](https://bugzilla.opensuse.org/show_bug.cgi?id=1227999) ([date](https://github.com/python/cpython/pull/121872), [sphinx/race](https://github.com/python/cpython/pull/121883), [`sphinxcontrib`](https://github.com/sphinx-doc/sphinxcontrib-devhelp/pull/13) (gzip mtime)
+    * [`reproducible-faketools`](https://build.opensuse.org/request/show/1186763) (0.5.2)
+    * [`sphinx`](https://github.com/sphinx-doc/sphinx/pull/12606) (GZip modification time)
+
+* Chris Lamb:
+
+    * [#1076368](https://bugs.debian.org/1076368) filed against [`nautilus`](https://tracker.debian.org/pkg/nautilus).
+    * [#1076507](https://bugs.debian.org/1076507) filed against [`mccode`](https://tracker.debian.org/pkg/mccode).
+    * [#1076806](https://bugs.debian.org/1076806) filed against [`meson-python`](https://tracker.debian.org/pkg/meson-python).
+    * [#1077479](https://bugs.debian.org/1077479) filed against [`debcraft`](https://tracker.debian.org/pkg/debcraft).
+    * [#1077485](https://bugs.debian.org/1077485) filed against [`pytest`](https://tracker.debian.org/pkg/pytest).
+    * [#1077601](https://bugs.debian.org/1077601) filed against [`setuptools`](https://tracker.debian.org/pkg/setuptools).
 
 * Fridrich Strba:
-    * https://build.opensuse.org/package/show/Java:packages/javapackages-tools
-    * https://build.opensuse.org/package/show/Java:packages/ant
-    * https://build.opensuse.org/package/show/Java:Factory/java-21-openjdk
 
-* [FIXME](https://www.proquest.com/openview/07eb1454d3e506cd39b43ee0961bdabb/1?pq-origsite=gscholar&cbl=18750&diss=y)
+    * [`javapackages-tools`](https://build.opensuse.org/package/show/Java:packages/javapackages-tools)
+    * [`ant`](https://build.opensuse.org/package/show/Java:packages/ant)
+    * [`java-21-openjdk`](https://build.opensuse.org/package/show/Java:Factory/java-21-openjdk)
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-07/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In July, a number of changes were made by Holger Levsen, including:
+
+* Grant `bremner` access to the `ionos7` node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bf4a10cc0)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fb5ac9533)]
+* Perform a dummy change to force update of all jobs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d30ab7185)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/94a1e8367)]
+
+In addition, Vagrant Cascadian performed some necessary node maintenance of the underlying build hosts. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/bc50a42a1)]
+
+<br>
+
+---
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
-* [cross-building reproducibility issue on x86 vs. x86_64 in llvm](https://github.com/llvm/llvm-project/issues/99396) [fix](https://github.com/llvm/llvm-project/pull/100165/commits/28997387abf874345e9583c53739d2acbfedf761)
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
 
-* https://lwn.net/Articles/983340/
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
 
-* [FIXME](https://lists.reproducible-builds.org/pipermail/rb-general/2024-July/003485.html)
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
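
Review bot: The added welcome line says "Welcome to the June 2024 report", but the front matter title shown in the hunk header is "Reproducible Builds in July 2024" and the file is _reports/2024-07.md; it should read July. In the diffoscope list under Chris Lamb, the `#382` link points at `.../diffoscope/-/issues/` with no issue number, so the target presumably needs `382` appended. The three `[Projects]({{ "/who/projects/" }})` links omit the `| relative_url` filter that the other internal links in this file use, and the `rattler-build` link on the Website updates list has a stray space after the opening parenthesis of its URL. The `python3` entry under Upstream patches opens a parenthesis before `[date]` that is never closed. Wording to fix before the `draft: true` flag is dropped: "If you're interesting in joining us", "goes onto to describe", "Holger Levsen added added", "`test_openssh_pub_key` packace", "A new toolchain issue types was identified", the unclosed quotation mark before "to build reproducible packages cross-platform", and "this month" appearing twice in the Debian reviews sentence.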


=====================================
images/reports/2024-07/10.1145-3643764.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/10.1145-3643764.png differ


=====================================
images/reports/2024-07/31243619.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/31243619.png differ


=====================================
images/reports/2024-07/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/debian.png differ


=====================================
images/reports/2024-07/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/diffoscope.png differ


=====================================
images/reports/2024-07/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/reproducible-builds.png differ


=====================================
images/reports/2024-07/summit.jpg
=====================================
Binary files /dev/null and b/images/reports/2024-07/summit.jpg differ


=====================================
images/reports/2024-07/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/testframework.png differ


=====================================
images/reports/2024-07/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-07/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/5c991ff0daa10d09c9cf0e5940063c27c3c2d81a
