[Git][reproducible-builds/reproducible-website][master] 2024-11: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Mon Dec 2 17:11:28 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
d21189ad by Chris Lamb at 2024-12-02T17:10:58+00:00
2024-11: Initial draft
- - - - -
13 changed files:
- _reports/2024-11.md
- − images/reports/2024-11/PXL_20241121_163421299.MV.jpg
- + images/reports/2024-11/debian.png
- + images/reports/2024-11/diffoscope.png
- + images/reports/2024-11/lunar.jpg
- + images/reports/2024-11/maven.png
- + images/reports/2024-11/opensuse.png
- + images/reports/2024-11/pypi.png
- + images/reports/2024-11/reproducible-builds.png
- + images/reports/2024-11/testframework.png
- + images/reports/2024-11/toulouse.png
- + images/reports/2024-11/website.png
- + images/reports/2024-11/zig.png
Changes:
=====================================
_reports/2024-11.md
=====================================
@@ -6,78 +6,294 @@ title: "Reproducible Builds in November 2024"
draft: true
---
-https://github.com/sethmlarson/sboms-for-python-packages
-https://discuss.python.org/t/sboms-for-python-packages-project/70261
+[![]({{ "/images/reports/2024-11/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
-* FIXME: dependencies for rebuilderd:
- * [rust-rebuilderd-common 0.20.0-1 packaged by kpcyrd uploaded by Holger Levsen](https://tracker.debian.org/rust-rebuilderd-common)
- * [rust-rust-lzma 0.6.0-1 packaged by kpcyrd uploaded by Holger Levsen](https://tracker.debian.org/rust-rust-lzma)
- * Holger submitted a bunch of issues to rebuilderd too:
- * [155](https://github.com/kpcyrd/rebuilderd/issues/155)(#155: rebuildctl should be more verbose when encountering issues) which kpcyrd fixed with fc09259d7 by not ignoring Extra-Source-Only packages.
- * [152](https://github.com/kpcyrd/rebuilderd/issues/152)(#152: add an option to use randomized queues \(or make that the default\))
- * [151](https://github.com/kpcyrd/rebuilderd/issues/151)(#151: update rebuilder-debian.sh for current debrebuild from devscripts) for which Holger also supplied an MR which got merged by now.
- * [150](https://github.com/kpcyrd/rebuilderd/issues/150)(#150: \(re\)scheduling many packages at once)
- * Jochen also submitted one:
- * [154](https://github.com/kpcyrd/rebuilderd/issues/154)(#154: Debian: download source package in addition to buildinfo)
- * kpcyrd also submitted one and fixed it:
- * [153](https://github.com/kpcyrd/rebuilderd/issues/153)(#153: Update dependencies, clarify license)
-
-FIXME: https://bugs.debian.org/901307
+**Welcome to the November 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the world of software supply-chain security where relevant. As ever, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+---
+
+### Reproducible Builds mourns the passing of Lunar
+
+[![]({{ "/images/reports/2024-11/lunar.jpg#right" | relative_url }})]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }})
+
+The Reproducible Builds community [sadly announced it has lost its founding member]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}). Jérémy Bobbio *aka* 'Lunar' passed away on Friday November 8th in palliative care in Rennes, France.
+
+Lunar was instrumental in starting the Reproducible Builds project in 2013 as a loose initiative within the [Debian](https://debian.org/) project. Many of [our earliest status reports](https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html) were written by him, and many of our [key tools in use today](https://diffoscope.org/) are based on his designs. Lunar's creativity, insight and kindness were often noted. He will be greatly missed.
+
+You can view our [full tribute]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}) elsewhere on our website.
+
+<br>
+
+### Zig programming language demonstrated reproducible
+
+[![]({{ "/images/reports/2024-11/zig.png#right" | relative_url }})](https://ziglang.org)
+
+Motiejus Jakšty posted an [interesting and practical blog post](https://jakstys.lt/2024/zig-reproduced-without-binaries/) on his successful attempt to reproduce the [Zig programming language](https://ziglang.org/) *without* using the [pre-compiled binaries checked into the repository](https://github.com/ziglang/zig/blob/0.13.0/stage1/zig1.wasm), and despite the circular dependency inherent in its bootstrapping process.
+
+As a summary, Motiejus concludes that:
+
+> I can now confidently say (and you can also check, you don’t need to trust me) that there is nothing hiding in `zig1.wasm` [the checked-in binary] that hasn't been checked-in as a source file.
+
+The full post is full of practical details, and includes a [few open questions](https://jakstys.lt/2024/zig-reproduced-without-binaries/#conclusions-and-open-questions).
+
+<br>
+
+### SBOMs for Python packages
+
+The [Python Software Foundation](https://www.python.org/psf-landing/) has [announced](https://discuss.python.org/t/sboms-for-python-packages-project/70261) a new "cross-functional project for SBOMs and Python packages". Seth Michael Larson writes that the project is "specifically looking to solve these issues":
+
+> * Enable Python users that require SBOM documents (likely due to regulations like [CRA](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act) or [SSDF](https://csrc.nist.gov/Projects/ssdf)) to self-serve using existing SBOM generation tools.
+> * Solve the "[phantom dependency](https://github.com/sethmlarson/sboms-for-python-packages?tab=readme-ov-file#phantom-dependencies)" problem, where non-Python software is bundled in Python packages but not recorded in any metadata. This makes the job of software composition analysis (SCA) tools difficult or impossible.
+> * Make the adoption work by relevant projects such as build backends, auditwheel-esque tools, as minimal as possible. Empower users who are interested in having better SBOM data for the Python projects they are using to be able to contribute engineering time towards that goal.
+
+A [GitHub repository](https://github.com/sethmlarson/sboms-for-python-packages) for the initiative is available, and there are a number of queries, comments and remarks on [Seth's Discourse forum post](https://discuss.python.org/t/sboms-for-python-packages-project/70261/2).
+
+<br>
+
+### [Reproducible builds by default in Maven 4](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html)
+
+[![]({{ "/images/reports/2024-11/maven.png#right" | relative_url }})](https://maven.apache.org/)
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Hervé Boutemy reported the latest release of Maven (`4.0.0-beta-5`) has [reproducible builds enabled by default](https://issues.apache.org/jira/browse/MNG-8258). In [his mailing list post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html), Hervé mentions that this "story started during our [Reproducible Builds summit in Hamburg]({{ "/events/hamburg2024/" | relative_url }}), where he created the [upstream issue](https://issues.apache.org/jira/browse/MNG-8258) that builds on a "multi-year" effort to have Maven builds configured for reproducibility.
+
+<br>
+
+### PyPI now supports digital attestations
+
+[![]({{ "/images/reports/2024-11/pypi.png#right" | relative_url }})](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/)
+
+Elsewhere in the Python ecosystem and as [reported on LWN](https://lwn.net/Articles/998215/) and elsewhere, the [Python Package Index](https://pypi.org/) (PyPI) has [announced](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/) that it has finalised support for [PEP 740](https://peps.python.org/pep-0740/) ("Index support for digital attestations").
+
+[Trail of Bits](https://www.trailofbits.com/), who performed much of the development work, has an [in-depth blog post](https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) about the work and its adoption, as well as what is left undone:
+
+> One thing is notably missing from all of this work: **downstream verification**. […]
+>
+> This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're *actually verified*), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a [plugin architecture for `pip`](https://github.com/pypa/pip/issues/12766) that will enable users to [load verification logic](https://github.com/trailofbits/pip-plugin-pep740) directly into their `pip install` flows.
+
+There was an in-depth discussion on [LWN's announcement page](https://lwn.net/Articles/998215/), as well as [on Hacker News](https://news.ycombinator.com/item?id=42136375).
+
+<br>
+
+### Debian updates
+
+[![]({{ "/images/reports/2024-11/debian.png#right" | relative_url }})](https://debian.org/)
+
+There was significant development within [Debian](https://debian.org) this month. Firstly, at the recent [MiniDebConf in Toulouse](https://toulouse2024.mini.debconf.org/), France, Holger Levsen gave a [Debian-specific talk on rebuilding packages distributed from `ftp.debian.org`](https://toulouse2024.mini.debconf.org/talks/4-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg/) — that is to say, how to reproduce the results from the official Debian build servers:
+
+[![]({{ "/images/reports/2024-11/toulouse.png" | relative_url }})](https://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Toulouse/toulouse2024-2-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg.webm)
+
+Holger described the talk as follows:
+
+> For more than ten years, the Reproducible Builds project has worked towards reproducible builds of many projects, and for ten years now we have build Debian packages twice—with maximal variations applied—to see if they can be build reproducible still.
+>
+> Since about a month, we've also been rebuilding trying to exactly match the builds being distributed via `ftp.debian.org`. This talk will describe the setup and the lessons learned so far, and why the results currently are what they are (spoiler: they are less than 30% reproducible), and what we can do to fix that.
+
+Holger's [slides](https://reproducible-builds.org/_lfs/presentations/2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/) and [video](https://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Toulouse/toulouse2024-2-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg.webm) in `.webm` format are available.
+
+<br>
+
+Next, [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) is the server to monitor package repositories of Linux distributions and attempt to reproduce the observed results. This month, there has been significant work to get the `rebuilderd` package into the Debian archive. In particular, both [`rust-rebuilderd-common`](https://tracker.debian.org/rust-rebuilderd-common) version `0.20.0-1` and [`rust-rust-lzma`](https://tracker.debian.org/rust-rust-lzma) version `0.6.0-1` were packaged by *kpcyrd* and uploaded by Holger Levsen.
+
+Related to this, Holger Levsen submitted four issues against *rebuilderd* as well:
+
+* `rebuildctl` should be more verbose when encountering issues. [[…](https://github.com/kpcyrd/rebuilderd/issues/155)]
+* Please add an option to used randomised queues. [[…](https://github.com/kpcyrd/rebuilderd/issues/152)]
+* `rebuilder-debian.sh` should be updated for latest `debrebuild` version. [[…](https://github.com/kpcyrd/rebuilderd/issues/151)]
+* Scheduling and re-scheduling multiple packages at once. [[…](https://github.com/kpcyrd/rebuilderd/issues/150)]
+
+… and lastly, Jochen Sprickerhof submitted one an issue requested that *rebuilderd* downloads the source package in addition to the `.buildinfo` file [[…](https://github.com/kpcyrd/rebuilderd/issues/154)] and *kpcyrd* also submitted and fixed an issue surrounding dependencies and clarifying the license [[…](https://github.com/kpcyrd/rebuilderd/issues/153)]
+
+<br>
+
+Separate to this, back in 2018, Chris Lamb [filed a bug report against the `sphinx-gallery` package](https://bugs.debian.org/901307) as it generates unreproducible content in various ways. This month, however, Dmitry Shachnev finally closed the bug, [listing the multiple sub-issues that were part of the problem](https://bugs.debian.org/901307#59) and how they were resolved.
+
+<br>
+
+Elsewhere, Roland Clobus posted to [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, [asking for input on a bug](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003571.html) in Debian's `ca-certificates-java` package. The issue is that the Java key management tools embed timestamps in its output, and this output ends up in the `/etc/ssl/certs/java/cacerts` file on the generated ISO images. A [discussion resulted from Roland's post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/thread.html#3571) suggesting some short- and medium-term solutions to the problem.
+
+<br>
+
+Holger Levsen uploaded some packages with reproducibility-related changes:
+
+* `devscripts` versions [2.24.3](https://tracker.debian.org/news/1584660/accepted-devscripts-2243-source-into-unstable/), [2.24.4](https://tracker.debian.org/news/1587480/accepted-devscripts-2244-source-into-unstable/) and [2.24.5](https://tracker.debian.org/news/1588953/accepted-devscripts-2245-source-into-unstable/) were uploaded, including several fixes for the `debrebuild` and `debootsnap` and scripts.
+
+* `cdbs` [version 0.4.167 uploaded](https://tracker.debian.org/news/1587868/accepted-cdbs-04167-source-into-unstable/) in order to [drop `dh_buildinfo` support](https://bugs.debian.org/1088144), as `dpkg` has generated `.buildinfo` files since 2016 and the results of `dh_buildinfo` are typically unreproducible. Related to this a mass bug filing by Helmut Grohne intended to [remove the obsolete and deprecated `dh-buildinfo` package from the archive](https://bugs.debian.org/1068809). At the time of writing, this still affects 311 packages in Debian *unstable*.
+
+<br>
+
+Lastly, 12 reviews of Debian packages were added, 5 were updated and 21 were removed this month adding to [our knowledge about identified issues in Debian](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+<br>
-* [FIXME zig bootstrapped reproducible](https://jakstys.lt/2024/zig-reproduced-without-binaries/)
-* [FIXME Holger uploaded `devscripts` version 2.24.3](https://tracker.debian.org/news/1584660/accepted-devscripts-2243-source-into-unstable/) including several fixes for debrebuild and debootsnap.
+### "[Dependency Challenges in OSS Package Registries](https://arxiv.org/abs/2409.18884)"
-* [FIXME Holger uploaded `devscripts` version 2.24.4](https://tracker.debian.org/news/1587480/accepted-devscripts-2244-source-into-unstable/) including several fixes for debrebuild and debootsnap.
+[![]({{ "/images/reports/2024-11/PXL_20241121_163421299.MV.small.jpg#right" | relative_url }})](https://doi.org/10.48550/arXiv.2409.18884)
-* [FIXME Holger uploaded `devscripts` version 2.24.5](https://tracker.debian.org/news/1588953/accepted-devscripts-2245-source-into-unstable/) including a fix for debrebuild.
+At the dent [Belgium-Netherlands Software Evolution](https://benevol2024.github.io/) (BENEVOL) workshop in Namur, Belgium, Tom Mens and Alexandre Decan presented their paper, "[*An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries*](https://arxiv.org/abs/2409.18884)".
-* [FIXME] Toulouse: add talk description etc
- A few days after his talk in Toulouse it occured to Holger, that we might leap a step forward,
- from reproducible builds, to reproduced builds or some such. Reproducible builds are an option,
- something that should work. Reproduced builds are ones that are actually proven reproducible.
- maybeeeee :) "I also had this thought thinking about how Lunar envisioned this, how he was
- so far ahead, that those builds should indeed become reproducible, but the world was so far
- behind that, that noone could come up with the distinction between reproducible and reproduced
- builds back then." Holger says. Maybe "reproducible builds" should be the term for CI builds,
- and "reproduced builds" for the "real ones." Mayyyyybe. Changing terms is always hard. :)
+The abstract of their paper is as follows:
-* [LWN](https://lwn.net/Articles/998215/) [ycombinator](https://news.ycombinator.com/item?id=42136375) [attestations](https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) [pypi](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/)
+> While open-source software has enabled significant levels of reuse to speed up software development, it has also given rise to the dreadful [dependency hell](https://en.wikipedia.org/wiki/Dependency_hell) that all software practitioners face on a regular basis. This article **provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries**. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges. [[…](https://arxiv.org/abs/2409.18884)]
+A [PDF of the paper](https://arxiv.org/pdf/2409.18884) is available online.
-* [FIXME] Benevol2024
- * Presentation of the paper [https://doi.org/10.48550/arXiv.2409.18884](https://doi.org/10.48550/arXiv.2409.18884) from Tom Mens and Alexandre Decan.
- * [reproducible-builds.org](reproducible-builds.org) has been mentioned during the presentation
- * I took a picture at the right moment: [![]({{ "/images/reports/2024-11/PXL_20241121_163421299.MV.small.jpg#right" | relative_url }})](https://reproducible-builds.org/images/reports/2024-11/PXL_20241121_163421299.MV.jpg) (I got the permission to publish it by email)
+<br>
-* [FIXME: cdbs 0.4.167 uploaded to unstable by Holger](https://tracker.debian.org/news/1587868/accepted-cdbs-04167-source-into-unstable/)
- * Drop dh_buildinfo support, dpkg since 2016 produces .buildinfo files.
- Thanks to James Addison. Closes: #1088144. Also see #1068809.
- which made [FIXME: #1068809](https://bugs.debian.org/1068809) see a sudden burst of actvity and many bugs were filed, currently #1088382 up until #1088395...
- Currently this still affects 311 packages in unstable. (reverse-depends -l -b dh-buildinfo |wc -l)
+### Website updates
+
+[![]({{ "/images/reports/2024-11/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Yet again, there were an enormous number of chages made to our website this month, including:
+
+* Alex Feyerke and Mariano Giménez:
+
+ * Dramatically overhaul the [website's landing page]({{ "/" | relative_url }}") with new "benefit" cards tailored to the expected visitors to our website and a reworking of the visual hierarchy and design. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9678ab2d)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/02cf3048)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c3a62234)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2ff18799)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4fa3475)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2af4d245)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fb1cb173)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/22598fe6)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/05d7e49b)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ae9adbe)]
* Bernhard M. Wiedemann:
- * [`python-moto`](https://build.opensuse.org/request/show/1221758) (gzip-mtime)
- * [`python-pyhanko-certvalidator`](https://build.opensuse.org/request/show/1223844) (FTBFS-2030)
- * [`shadowsocks-rust`](https://build.opensuse.org/request/show/1223845) (date)
- * [`perl-Time-modules`](https://build.opensuse.org/request/show/1224308) (FTBFS-2033)
- * [`python-bson`](https://build.opensuse.org/request/show/1224307) (FTBFS-2038)
- * [`emacs-auctex`](https://build.opensuse.org/request/show/1225609) (gzip-mtime)
+
+ * Update the "[System images]({{ "/docs/system-images/" | relative_url }})" page to document the `e2fsprogs` approach. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2351df56)]
+
+* Chris Lamb:
+
+ * Cachebust every CSS file per-release. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c422b97)]
+ * Replace some inline markdown with HTML. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/73c4a2e0)]
+ * Use spaces on the "[Publications]({{ "/docs/publications/" | relative_url }})" page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8409fe10)]
+ * Add a [news article about the passing of Lunar]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9c281efc)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/64760bfb)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8cc1d5f6)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dcf87a43)]
+ * Add a black memorial band to the top of the page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ba8d1c99)]
+
+* FC (Fay) Stegerman:
+
+ * Replace more inline markdown with HTML on the "[Success stories]({{ "/success-stories/" | relative_url }})" page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2bdd804a)]
+ * Add some links, fix some other links and correct some spelling errors on the "[Tools]({{ "/tools/" | relative_url }})" page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5b33e71c)]
+
+* Holger Levsen:
+
+ * Add a historical presentation ("*Reproducible builds everywhere eg. in Debian, OpenWrt and LEDE*") from October 2016. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ba24171)]
+ * Add `jochensp` and `Oejet` to the list of known contributors. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1fb63e5)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1a6cb1b3)]
+
+* Julia Krüger:
+
+ * Add a new "[Stripping of unreproducible information]({{ "/docs/stripping-unreproducible-information/" | relative_url }}) page to the documentation. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/452f4dd1)]
+
+* Ninette Adhikari & hulkoba:
+
+ * Add/rework the list of success stories into a [new page]({{ "/success-stories/" | relative_url }}) that clearly shows milestones in Reproducible Builds. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dfde9f40)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f3c3820b)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dd2af698)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dd87423a)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d260a21b)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f52f352f)]
+
+* Philip Rinn:
+
+ * Import 47 historical weekly reports. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/94e38848)]
+
+* *hulkoba*:
+
+ * Add `alt` text to almost all images (!). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ed1e0592)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/33b31ecc)]
+ * Fix a number of links on the "[Talks]({{ "/docs/resources/" | relative_url }})". [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/234e4a44)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/db0dfe45)]
+ * Avoid so-called 'ghost' buttons by not using `<button>` elements as links, as the affordance of a `<button>` implies an action with (potentially) a side effect. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1189c219)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bbb5528d)]
+ * Center the sponsor logos on the [homepage]({{ "/" | relative_url }}). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3c24a612)]
+ * Move publications and generate them instead from a `data.yml` file with an improved layout. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/806381da)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6cb170a2)]
+
+ * Make a large number of small but impactful stylisting changes. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/261b1ffa)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c5f9f7e7)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c02c15e0)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5722bf65)]
+
+ * Expand the "[Tools]({{ "/tools/" | relative_url }})" to include a number of missing tools, fix some styling issues and fix a number of stale/broken links. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4aeeeb8e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/23d5a30b)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0fdcb24)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/422486ef)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c06d452d)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/845fe625)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Bernhard M. Wiedemann:
+
+ * [`clisp`](https://sourceforge.net/p/clisp/feature-requests/59/) (fix contributed by Bruno Haible)
+ * [`conky`](https://github.com/brndnmtthws/conky/pull/2096) (date-related issue)
+ * [`emacs-auctex`](https://build.opensuse.org/request/show/1225609) (date-related `gzip` issue)
+ * [`javadoc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233384) (filesystem ordering issue)
+ * [`jboss-websocket-1.0-api`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233352) (embeds `uname -r`)
+ * [`lcms2`](https://github.com/mm2/Little-CMS/issues/465) (CPU issue)
+ * [`LiE`](https://build.opensuse.org/request/show/1225975) ([ASLR](https://en.wikipedia.org/wiki/Address_space_layout_randomization)-related issue)
+ * [`make_ext4fs`](https://build.opensuse.org/request/show/1225978) (toolchain-related issue for for VM images)
+ * [`obs-build`](https://github.com/openSUSE/obs-build/pull/1037) (issue when running builds with certain CPU types or core numbers)
+ * [`perl-Time-modules`](https://build.opensuse.org/request/show/1224308) (fails to build far in the future)
+ * [`python-bson`](https://build.opensuse.org/request/show/1224307) (fails to build far in the future)
+ * [`python-exiv2`](https://github.com/jim-easterbrook/python-exiv2/issues/44) (fails to build far in the future)
+ * [`python-moto`](https://build.opensuse.org/request/show/1221758) (date-related `gzip` issue)
+ * [`python-pyhanko-certvalidator`](https://build.opensuse.org/request/show/1223844) (fails to build far in the future)
+ * [`python-python-gvm`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233398) (concurrency-related issue)
+ * [`python310`](https://bugzilla.opensuse.org/show_bug.cgi?id=1232750) (fails to build far in the future)
+ * [`python313`](https://bugzilla.opensuse.org/show_bug.cgi?id=1232920) (fails to build far in the future)
* [`reproducible-faketools`](https://build.opensuse.org/request/show/1225622) (toolchain for emacs)
- * [`LiE`](https://build.opensuse.org/request/show/1225975) (ASLR)
- * [`make_ext4fs`](https://build.opensuse.org/request/show/1225978) (toolchain for VM images)
- * [`python310`](https://bugzilla.opensuse.org/show_bug.cgi?id=1232750) (FTBFS-j1)
- * [`python313`](https://bugzilla.opensuse.org/show_bug.cgi?id=1232920) (FTBFS-j1)
- * [`clisp`](https://sourceforge.net/p/clisp/feature-requests/59/) (got a fix by Bruno Haible)
- * [`jboss-websocket-1.0-api`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233352) (uname -r)
- * [`javadoc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233384) (toolchain readdir)
- * [`python-python-gvm`](https://bugzilla.opensuse.org/show_bug.cgi?id=1233398) (FTBFS-j1)
- * [`obs-build`](https://github.com/openSUSE/obs-build/pull/1037) (toolchain - allow to run builds with certain CPU types/core-numbers)
- * [`lcms2`](https://github.com/mm2/Little-CMS/issues/465) (CPU, toolchain)
- * [`swipl`](https://github.com/SWI-Prolog/swipl/pull/32) (FTBFS-2029)
- * [`conky`](https://github.com/brndnmtthws/conky/pull/2096) (date)
- * [`python-exiv2`](https://github.com/jim-easterbrook/python-exiv2/issues/44) (FTBFS-2038)
-
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KPKVE3L3MDNIMCLN5DE255UKICSHB7IB/)
+ * [`shadowsocks-rust`](https://build.opensuse.org/request/show/1223845) (date-related issue)
+ * [`swipl`](https://github.com/SWI-Prolog/swipl/pull/32) (fails to build far in the future)
+
+* Chris Lamb:
+
+ * [#1087330](https://bugs.debian.org/1087330) filed against [`python-pydash`](https://tracker.debian.org/pkg/python-pydash).
+ * [#1087485](https://bugs.debian.org/1087485) filed against [`fritzconnection`](https://tracker.debian.org/pkg/fritzconnection).
+ * [#1087486](https://bugs.debian.org/1087486) filed against [`tracy`](https://tracker.debian.org/pkg/tracy).
+ * [#1088238](https://bugs.debian.org/1088238) filed against [`rust-broot`](https://tracker.debian.org/pkg/rust-broot).
+ * [#1088353](https://bugs.debian.org/1088353) filed against [`python-aiovlc`](https://tracker.debian.org/pkg/python-aiovlc).
+ * [#1088742](https://bugs.debian.org/1088742) filed against [`python-aiohomekit`](https://tracker.debian.org/pkg/python-aiohomekit).
+
+* James Addison:
+
+ * [#1088144](https://bugs.debian.org/1088144) filed against [`cdbs`](https://tracker.debian.org/pkg/cdbs).
+
+<br>
+
+### Misc development news
+
+[![]({{ "/images/reports/2024-11/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+* Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KPKVE3L3MDNIMCLN5DE255UKICSHB7IB/) for the openSUSE distribution.
+
+* Martin Abente Lahaye updated [*diffoscope*](https://diffoscope.org) to fix a crash when `objdump` is missing. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/534fc2aa)]
+
+* On our mailing list, [Jan-Benedict Glaw announced](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003576.html) the publication of the [fifth NetBSD Reproducibility Report](http://toolchain.lug-owl.de/reports/netbsd-reproducibility-overview-5.html)
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-11/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In November, a number of changes were made by Holger Levsen, including:
+
+* [*reproducible.debian.net*](https://reproduce.debian.net)-related changes:
+
+ * Create and introduce a new [*reproducible.debian.net*](https://reproduce.debian.net) service and subdomain [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/db9f344b5)]
+ * Make a large number of documentation changes relevant to `rebuilderd`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4860d6639)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/415e2c4e2)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3c9ed32ba)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1956909a0)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/183c1f58b)]
+ * Explain a temporary workaround for a [specific issue in `rebuilderd`](https://github.com/kpcyrd/rebuilderd/issues/152). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/de2960ef9)]
+ * Setup another `rebuilderd` instance on the `o4` node and update installation documentation to match. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5bfdbaa33)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3ccd0edb7)]
+ * Make a number of helpful/cosmetic changes to the interface, such as clarifying terms and adding links. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f7eaedea9)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ff770822b)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/598e9b753)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8a3d5b093)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9bdb3d724)]
+ * Deploy configuration to the `/opt` and `/var` directories. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/bfd9dd073)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5c592224b)]
+ * Add an infancy (or 'alpha') disclaimer. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1b92fe1a0)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ceedce38)]
+ * Add more notes to the temporary `rebuilderd` documentation. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f1c51eecf)]
+ * Commit an [nginx](https://nginx.org/) configuration file for [*reproducible.debian.net*](https://reproduce.debian.net)'s "[Stats](https://reproduce.debian.net/stats/)" page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e3183f093)]
+ * Commit a `rebuilder-worker.conf` configuration for the `o5` node. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0e1c87a07)]
+
+* Debian-related changes:
+
+ * Grant `jspricke` and `jochensp` access to the `o5` node. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4db56f46a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3d4c9e811)]
+ * Build the `qemu` package with the `nocheck` build flag. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/cadc58f40)]
+
+* Misc changes:
+
+ * Adapt the `update_jdn.sh` script for new Debian *trixie* systems. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9eca0f1f9)]
+ * Stop installing the [PostgreSQL](https://www.postgresql.org/) database engine on the `o4` and `o5` nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3ab8c5c04)]
+ * Prevent accidental reboots of the `o4` node because of a long-running job owned by `josch`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d44b4ed73)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/957914bdc)]
+
+In addition, Mattia Rizzolo addressed a number of issues with [*reproducible.debian.net*](https://reproduce.debian.net) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b1da67cca)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/998bf3cc9)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/95c5bb9d0)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3390622f0)]. And lastly, both Holger Levsen [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5df3bd8ee)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3083d2cf)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f0ee4a697)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0ae51eb54)] and Vagrant Cascadian [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4e0812df6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/edb43bc85)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/32c7a74d1)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/54aa3b389)] performed node maintenance.
+
+<br>
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
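Review bot: the link text `reproducible.debian.net` does not match its target `https://reproduce.debian.net` in the "Reproducibility testing framework" section. This affects the first sub-list heading, the "Create and introduce a new … service and subdomain" item, the nginx "Stats" item and the Mattia Rizzolo sentence. The "Stats" link itself goes to `https://reproduce.debian.net/stats/`, so the visible name looks like the typo; please make the text and the URL agree so readers are not pointed at a hostname the links never use. Smaller points in the same hunk: the NetBSD Reproducibility Report item has no closing period and links to the report over plain `http://`; the closing maintenance paragraph mixes `[...]` and `[…]` as link text; and "However, you can get in touch with us via:" does not follow from the preceding Contribute sentence ("Alternatively" or "You can also" would read better). The contact list also has a blank line between every item except the last two.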
=====================================
images/reports/2024-11/PXL_20241121_163421299.MV.jpg deleted
=====================================
Binary files a/images/reports/2024-11/PXL_20241121_163421299.MV.jpg and /dev/null differ
=====================================
images/reports/2024-11/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/debian.png differ
=====================================
images/reports/2024-11/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/diffoscope.png differ
=====================================
images/reports/2024-11/lunar.jpg
=====================================
Binary files /dev/null and b/images/reports/2024-11/lunar.jpg differ
=====================================
images/reports/2024-11/maven.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/maven.png differ
=====================================
images/reports/2024-11/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/opensuse.png differ
=====================================
images/reports/2024-11/pypi.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/pypi.png differ
=====================================
images/reports/2024-11/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/reproducible-builds.png differ
=====================================
images/reports/2024-11/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/testframework.png differ
=====================================
images/reports/2024-11/toulouse.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/toulouse.png differ
=====================================
images/reports/2024-11/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/website.png differ
=====================================
images/reports/2024-11/zig.png
=====================================
Binary files /dev/null and b/images/reports/2024-11/zig.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/d21189ad0d7b459e09ff9af502e679e82b894387