[Git][reproducible-builds/reproducible-website][master] 3 commits: Reduce this to 8px.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Dec 5 12:48:08 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
67afffed by Chris Lamb at 2024-12-05T12:25:59+00:00
Reduce this to 8px.
- - - - -
655dbbd2 by Chris Lamb at 2024-12-05T12:46:24+00:00
Misc changes prior to publication.
- - - - -
7903ba2f by Chris Lamb at 2024-12-05T12:47:51+00:00
published as https://reproducible-builds.org/reports/2024-11/
- - - - -
3 changed files:
- _reports/2024-11.md
- assets/styles/layout.scss
- images/reports/2024-11/landing.png
Changes:
=====================================
_reports/2024-11.md
=====================================
@@ -3,14 +3,31 @@ layout: report
year: "2024"
month: "11"
title: "Reproducible Builds in November 2024"
-draft: true
+draft: false
+date: 2024-12-05 12:47:51
---
-[![]({{ "/images/reports/2024-11/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
+[![]({{ "/images/reports/2024-11/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
-**Welcome to the November 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
+**Welcome to the November 2024 report from the [Reproducible Builds]({{ "/" | relative_url }}) project!**
-Our monthly reports outline what we've been up to over the past month, and highlight items of news from elsewhere in the world of software supply-chain security where relevant. As ever, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+Our monthly reports outline what we've been up to over the past month and highlight items of news from elsewhere in the world of software supply-chain security where relevant. As ever, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+**Table of contents:**
+
+0. [Reproducible Builds mourns the passing of Lunar](#reproducible-builds-mourns-the-passing-of-lunar)
+0. [Introducing *reproduce.debian.net*](#introducing-reproducedebiannet)
+0. [New landing page design](#new-landing-page-design)
+0. [SBOMs for Python packages](#sboms-for-python-packages)
+0. [Debian updates](#debian-updates)
+0. [Reproducible builds by default in Maven 4](#reproducible-builds-by-default-in-maven-4)
+0. [PyPI now supports digital attestations](#pypi-now-supports-digital-attestations)
+0. [“Dependency Challenges in OSS Package Registries”](#dependency-challenges-in-oss-package-registries)
+0. [Zig programming language demonstrated reproducible](#zig-programming-language-demonstrated-reproducible)
+0. [Website updates](#website-updates)
+0. [Upstream patches](#upstream-patches)
+0. [Misc development news](#misc-development-news)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
---
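Review bot: the table-of-contents entry `“Dependency Challenges in OSS Package Registries”` uses curly quotes while the heading it points to later in this file (`### "[Dependency Challenges in OSS Package Registries](…)"`) uses straight quotes; pick one so the TOC text matches the heading it links to.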
@@ -18,26 +35,23 @@ Our monthly reports outline what we've been up to over the past month, and highl
[![]({{ "/images/reports/2024-11/lunar.jpg#right" | relative_url }})]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }})
-The Reproducible Builds community [sadly announced it has lost its founding member]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}). Jérémy Bobbio *aka* 'Lunar' passed away on Friday November 8th in palliative care in Rennes, France.
+The Reproducible Builds community [sadly announced it has lost its founding member]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}), Lunar. Jérémy Bobbio *aka* 'Lunar' passed away on Friday November 8th in palliative care in Rennes, France.
-Lunar was instrumental in starting the Reproducible Builds project in 2013 as a loose initiative within the [Debian](https://debian.org/) project. Many of [our earliest status reports](https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html) were written by him, and many of our [key tools in use today](https://diffoscope.org/) are based on his designs. Lunar's creativity, insight and kindness were often noted. He will be greatly missed.
+Lunar was instrumental in starting the Reproducible Builds project in 2013 as a loose initiative within the [Debian](https://debian.org/) project. He was the author of [our earliest status reports](https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html) and many of [our key tools in use today](https://diffoscope.org/) are based on his design. Lunar's creativity, insight and kindness were often noted.
-You can view our [full tribute]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}) elsewhere on our website.
+You can view our [full tribute]({{ "/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/" | relative_url }}) elsewhere on our website. He will be greatly missed.
<br>
-### Introducing [*reproduce.debian.net*](https://reproduce.debian.net)…
+### Introducing [*reproduce.debian.net*](https://reproduce.debian.net)
[![]({{ "/images/reports/2024-11/reproduce.png#right" | relative_url }})](https://reproduce.debian.net)
-FIXME: November then also had happier news...: (or something similar to bridge to the next topic, which is something
-which would have made Lunar quite happy I guess...)
-
-This month saw the introduction of [*reproduce.debian.net*](https://reproduce.debian.net). Announced at the recent [Debian MiniDebConf in Toulouse](https://toulouse2024.mini.debconf.org/) (see below for more information), *reproduce.debian.net* is an instance of [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) operated by the Reproducible Builds project. *rebuilderd* is our server designed monitor package repositories of Linux distributions and attempt to reproduce the actual (i.e. observed) results there.
+In happier news, this month saw the introduction of [*reproduce.debian.net*](https://reproduce.debian.net). Announced at the recent [Debian MiniDebConf in Toulouse](https://toulouse2024.mini.debconf.org/), *reproduce.debian.net* is an instance of [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) operated by the Reproducible Builds project.
-In November, *reproduce.debian.net* was only rebuilding Debian *unstable* on the `amd64` architecture, but throughout the MiniDebConf it had attempted to rebuild 66% of the official archive.
+*rebuilderd* is our server designed monitor the official package repositories of Linux distributions and attempts to reproduce the observed results there.
-However, the results as-of writing, it can be determined that **it is currently possible to bit-for-bit reproduce and corroborate approximately 78% of the actual binaries distributed by Debian** — that is, using the `.buildinfo` files hosted by Debian itself.
+In November, *reproduce.debian.net* began rebuilding Debian *unstable* on the `amd64` architecture, but throughout the MiniDebConf, it had attempted to rebuild 66% of the official archive. From this, it could be determined that **it is currently possible to bit-for-bit reproduce and corroborate approximately 78% of the actual binaries distributed by Debian** — that is, using the `.buildinfo` files hosted by Debian itself.
[*reproduce.debian.net*](https://reproduce.debian.net) also contains instructions how to setup one's own [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) instance, and we very much invite everyone with a machine to spare to setup their own version and to share the results. Whilst *rebuilderd* is still in development, it has been [used to reproduce Arch Linux](https://reproducible.archlinux.org/) since 2019. We are especially looking for installations targeting Debian architectures other than `i386` and `amd64`.
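Review bot: the rewritten paragraph beginning `In November, *reproduce.debian.net* began rebuilding` leaves the 66% and 78% figures ambiguous: 66% of the archive was attempted, but the bolded claim says 78% "of the actual binaries distributed by Debian", so a reader cannot tell whether 78% is of the attempted subset or of the whole archive. State the denominator explicitly (for example "of the packages attempted so far"). In the same hunk, `*rebuilderd* is our server designed monitor the official package repositories` is missing "to" ("designed to monitor"), and the "but" joining the two halves of the 66% sentence implies a contrast that is not there.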
@@ -45,23 +59,11 @@ However, the results as-of writing, it can be determined that **it is currently
### New landing page design
-[![]({{ "/images/reports/2024-11/landing.png#right" | relative_url }})](https://reproducible-builds.org)
-
-FIXME
-
-### Zig programming language demonstrated reproducible
-
-[![]({{ "/images/reports/2024-11/zig.png#right" | relative_url }})](https://ziglang.org)
-
-Motiejus Jakšty posted an [interesting and practical blog post](https://jakstys.lt/2024/zig-reproduced-without-binaries/) on his successful attempt to reproduce the [Zig programming language](https://ziglang.org/) *without* using the [pre-compiled binaries checked into the repository](https://github.com/ziglang/zig/blob/0.13.0/stage1/zig1.wasm), and despite the circular dependency inherent in its bootstrapping process.
-
-As a summary, Motiejus concludes that:
+[![]({{ "/images/reports/2024-11/landing.png#right" | relative_url }})]({{ "/" | relative_url }})
-> I can now confidently say (and you can also check, you don’t need to trust me) that there is nothing hiding in `zig1.wasm` [the checked-in binary] that hasn't been checked-in as a source file.
-
-The full post is full of practical details, and includes a [few open questions](https://jakstys.lt/2024/zig-reproduced-without-binaries/#conclusions-and-open-questions).
+As part of a very productive partnership with [Open Technology Fund](https://www.opentech.fund/)'s [Secure Usability and Accessibility Lab](https://www.opentech.fund/labs/sua-lab/), we are pleased to unveil our [**new homepage/landing page**]({{ "/" | relative_url }}).
-<br>
+The Secure Usability and Accessibility Lab offers secure usability, user-interface assistance and accessibility assessments to internet freedom and digital security tools in order to help them recognise and solve usability and accessibility challenges. We are very happy with our collaboration with the Lab (including many changes not directly related to the website), and look forward to working with them in the future.
### SBOMs for Python packages
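Review bot: dropping the `-<br>` line together with the moved Zig section leaves the new landing-page section running straight into `### SBOMs for Python packages` without the `<br>` spacer that separates every other section in this report; re-add `<br>` after the Secure Usability and Accessibility Lab paragraph.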
@@ -75,30 +77,6 @@ A [GitHub repository](https://github.com/sethmlarson/sboms-for-python-packages)
<br>
-### [Reproducible builds by default in Maven 4](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html)
-
-[![]({{ "/images/reports/2024-11/maven.png#right" | relative_url }})](https://maven.apache.org/)
-
-On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Hervé Boutemy reported the latest release of Maven (`4.0.0-beta-5`) has [reproducible builds enabled by default](https://issues.apache.org/jira/browse/MNG-8258). In [his mailing list post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html), Hervé mentions that "this story started during our [Reproducible Builds summit in Hamburg]({{ "/events/hamburg2024/" | relative_url }})", where he created the [upstream issue](https://issues.apache.org/jira/browse/MNG-8258) that builds on a "multi-year" effort to have Maven builds configured for reproducibility.
-
-<br>
-
-### PyPI now supports digital attestations
-
-[![]({{ "/images/reports/2024-11/pypi.png#right" | relative_url }})](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/)
-
-Elsewhere in the Python ecosystem and as [reported on LWN](https://lwn.net/Articles/998215/) and elsewhere, the [Python Package Index](https://pypi.org/) (PyPI) has [announced](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/) that it has finalised support for [PEP 740](https://peps.python.org/pep-0740/) ("Index support for digital attestations").
-
-[Trail of Bits](https://www.trailofbits.com/), who performed much of the development work, has an [in-depth blog post](https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) about the work and its adoption, as well as what is left undone:
-
-> One thing is notably missing from all of this work: **downstream verification**. […]
->
-> This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're *actually verified*), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a [plugin architecture for `pip`](https://github.com/pypa/pip/issues/12766) that will enable users to [load verification logic](https://github.com/trailofbits/pip-plugin-pep740) directly into their `pip install` flows.
-
-There was an in-depth discussion on [LWN's announcement page](https://lwn.net/Articles/998215/), as well as [on Hacker News](https://news.ycombinator.com/item?id=42136375).
-
-<br>
-
### Debian updates
[![]({{ "/images/reports/2024-11/debian.png#right" | relative_url }})](https://debian.org/)
@@ -113,9 +91,17 @@ Holger described the talk as follows:
>
> Since about a month, we've also been rebuilding trying to exactly match the builds being distributed via `ftp.debian.org`. This talk will describe the setup and the lessons learned so far, and why the results currently are what they are (spoiler: they are less than 30% reproducible), and what we can do to fix that.
-Holger's [slides](https://reproducible-builds.org/_lfs/presentations/2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/) and [video](https://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Toulouse/toulouse2024-2-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg.webm) in `.webm` format are available.
+The Debian Project Leader, Andreas Tille, was present at the talk and remarked later in his [*Bits from the DPL*](https://bits.debian.org/2024/12/bits-from-the-dpl-december.html) update that:
+
+> It might be unfair to single out a specific talk from Toulouse, but I'd like
+> to highlight the one on reproducible builds. Beyond its technical focus, the
+> talk also addressed the recent loss of Lunar, whom we mourn deeply. It served
+> as a tribute to Lunar's contributions and legacy. Personally, I've
+> encountered packages maintained by Lunar and bugs he had filed. I believe
+> that taking over his packages and addressing the bugs he reported is a
+> meaningful way to honor his memory and acknowledge the value of his work.
-FIXME: https://bits.debian.org/2024/12/bits-from-the-dpl-december.html
+Holger's [slides](https://reproducible-builds.org/_lfs/presentations/2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/) and [video](https://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Toulouse/toulouse2024-2-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg.webm) in `.webm` format are available.
<br>
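Review bot: the *Bits from the DPL* blockquote is hard-wrapped at roughly 80 columns across seven `> ` lines, whereas the other quotations in this file (the Trail of Bits excerpt, the BENEVOL abstract) are one line per paragraph; Markdown renders both the same, but for consistency with the rest of the report put it on a single line.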
@@ -151,6 +137,29 @@ Lastly, 12 reviews of Debian packages were added, 5 were updated and 21 were rem
<br>
+### [Reproducible builds by default in Maven 4](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html)
+
+[![]({{ "/images/reports/2024-11/maven.png#right" | relative_url }})](https://maven.apache.org/)
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Hervé Boutemy reported the latest release of Maven (`4.0.0-beta-5`) has [reproducible builds enabled by default](https://issues.apache.org/jira/browse/MNG-8258). In [his mailing list post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html), Hervé mentions that "this story started during our [Reproducible Builds summit in Hamburg]({{ "/events/hamburg2024/" | relative_url }})", where he created the [upstream issue](https://issues.apache.org/jira/browse/MNG-8258) that builds on a "multi-year" effort to have Maven builds configured for reproducibility.
+
+<br>
+
+### PyPI now supports digital attestations
+
+[![]({{ "/images/reports/2024-11/pypi.png#right" | relative_url }})](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/)
+
+Elsewhere in the Python ecosystem and as [reported on LWN](https://lwn.net/Articles/998215/) and elsewhere, the [Python Package Index](https://pypi.org/) (PyPI) has [announced](https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/) that it has finalised support for [PEP 740](https://peps.python.org/pep-0740/) ("Index support for digital attestations").
+
+[Trail of Bits](https://www.trailofbits.com/), who performed much of the development work, has an [in-depth blog post](https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/) about the work and its adoption, as well as what is left undone:
+
+> One thing is notably missing from all of this work: **downstream verification**. […]
+>
+> This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're *actually verified*), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a [plugin architecture for `pip`](https://github.com/pypa/pip/issues/12766) that will enable users to [load verification logic](https://github.com/trailofbits/pip-plugin-pep740) directly into their `pip install` flows.
+
+There was an in-depth discussion on [LWN's announcement page](https://lwn.net/Articles/998215/), as well as [on Hacker News](https://news.ycombinator.com/item?id=42136375).
+
+<br>
### "[Dependency Challenges in OSS Package Registries](https://arxiv.org/abs/2409.18884)"
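Review bot: `Hervé Boutemy reported the latest release of Maven (`4.0.0-beta-5`) has reproducible builds enabled by default` needs a "that" after "reported"; as written it first parses as "reported the latest release" before the reader recovers. The sections themselves are the text removed in the earlier hunk, so only their position changes.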
@@ -160,17 +169,31 @@ At [BENEVOL](https://benevol2024.github.io/), the Belgium-Netherlands Software E
The abstract of their paper is as follows:
-> While open-source software has enabled significant levels of reuse to speed up software development, it has also given rise to the dreadful [dependency hell](https://en.wikipedia.org/wiki/Dependency_hell) that all software practitioners face on a regular basis. This article **provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries**. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges. [[…](https://arxiv.org/abs/2409.18884)]
+> While open-source software has enabled significant levels of reuse to speed up software development, it has also given rise to the dreadful [dependency hell](https://en.wikipedia.org/wiki/Dependency_hell) that all software practitioners face on a regular basis. This article **provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries**. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges. [[…](https://arxiv.org/abs/2409.18884)]
A [PDF of the paper](https://arxiv.org/pdf/2409.18884) is available online.
<br>
+### Zig programming language demonstrated reproducible
+
+[![]({{ "/images/reports/2024-11/zig.png#right" | relative_url }})](https://ziglang.org)
+
+Motiejus Jakšty posted an [interesting and practical blog post](https://jakstys.lt/2024/zig-reproduced-without-binaries/) on his successful attempt to reproduce the [Zig programming language](https://ziglang.org/) *without* using the [pre-compiled binaries checked into the repository](https://github.com/ziglang/zig/blob/0.13.0/stage1/zig1.wasm), and despite the circular dependency inherent in its bootstrapping process.
+
+As a summary, Motiejus concludes that:
+
+> I can now confidently say (and you can also check, you don’t need to trust me) that there is nothing hiding in `zig1.wasm` [the checked-in binary] that hasn't been checked-in as a source file.
+
+The full post is full of practical details, and includes a [few open questions](https://jakstys.lt/2024/zig-reproduced-without-binaries/#conclusions-and-open-questions).
+
+<br>
+
### Website updates
[![]({{ "/images/reports/2024-11/website.png#right" | relative_url }})]({{ "/" | relative_url }})
-Yet again, there were an enormous number of chages made to our website this month, including:
+Notwithstanding the significant change to the landing page (screenshot above), there were an enormous number of changes made to our website this month. This included:
* Alex Feyerke and Mariano Giménez:
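Review bot: the `-`/`+` pair for the BENEVOL abstract blockquote is visually identical, so the change must be whitespace or an invisible character (a trailing space or a non-breaking space, for instance); if so, the commit message `Misc changes prior to publication.` should say so, otherwise this looks like an accidental or spurious rewrite of a quotation.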
@@ -312,7 +335,7 @@ In addition, Mattia Rizzolo addressed a number of issues with [*reproduce.debian
<br>
-If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website. However, you can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
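Review bot: the rewritten closing sentence still ends `However, you can get in touch with us via:`, where "However" signals a contrast that does not exist; since the line is being touched for the `relative_url` conversion anyway, change it to "Alternatively, you can get in touch with us via:".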
=====================================
assets/styles/layout.scss
=====================================
@@ -22,7 +22,7 @@
.rb-navbar__top {
background-color: $primary;
padding: 1rem 0;
- border-top: 9px solid black;
+ border-top: 8px solid black;
}
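Review bot: the commit message `Reduce this to 8px.` does not say what "this" is or why 9px was wrong; the hunk changes the `border-top` of `.rb-navbar__top`, so name that in the message (e.g. "navbar: reduce top border from 9px to 8px") so the history is searchable.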
=====================================
images/reports/2024-11/landing.png
=====================================
Binary files a/images/reports/2024-11/landing.png and b/images/reports/2024-11/landing.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/a456281f3dc36e957cb3a24c68c56f3250929976...7903ba2f85e626eb2b4c15b5973e32e3af01e13f