[Git][reproducible-builds/reproducible-website][master] 2024-01: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Mon Feb 5 19:48:49 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
0022f4c5 by Chris Lamb at 2024-02-05T11:48:11-08:00
2024-01: Initial draft

- - - - -


9 changed files:

- _reports/2024-01.md
- + images/reports/2024-01/archlinux-userland-fs-cmp.png
- + images/reports/2024-01/debian.png
- + images/reports/2024-01/diffoscope.png
- + images/reports/2024-01/fosdem.jpeg
- + images/reports/2024-01/opensuse.png
- + images/reports/2024-01/reproducible-builds.png
- + images/reports/2024-01/testframework.png
- + images/reports/2024-01/website.png


Changes:

=====================================
_reports/2024-01.md
=====================================
@@ -6,44 +6,168 @@ title: "Reproducible Builds in January 2024"
 draft: true
 ---
 
-* Upstream fixes:
-    * [`luajit`](https://github.com/LuaJIT/LuaJIT/issues/1008) (new 'd' option for deterministic bytecode)
+[![]({{ "/images/reports/2024-01/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+**Welcome to the January 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project.** In these reports we outline the most important things that we have been up to over the past month. If you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+---
+
+### Upcoming presentation at FOSDEM 2024
+
+[![]({{ "/images/reports/2024-01/fosdem.jpeg#right" | relative_url }})](https://fosdem.org/2024/schedule/event/fosdem-2024-3353-reproducible-builds-the-first-ten-years/)
+
+Core Reproducible Builds developer Holger Levsen presented at the main track at [FOSDEM](https://fosdem.org/2024/) on Saturday 3rd February on the topic of ***Reproducible Builds: The First Ten Years***:
+
+> In this talk Holger Levsen will give an overview about Reproducible Builds: How it started with a small BoF at DebConf13 (and before), how it grew from being a Debian effort to something many projects work on together, until in 2021 it was mentioned in an Executive Order of the President of the United States. And of course, the talk will not end there, but rather outline where we are today and where we still need to be going, until Debian stable (and other distros!) will be 100% reproducible, verified by many.
+>
+> And while this talk will have a Debian focus, reproducible builds in several other distributions will be featured as well. Holger Levsen has been involved in reproducible builds since 2014 and has worked on reproducing Fedora, Arch Linux, NetBSD, coreboot and others.
+
+More information can be found [on FOSDEM's page for the talk](https://fosdem.org/2024/schedule/event/fosdem-2024-3353-reproducible-builds-the-first-ten-years/).
+
+<br>
+
+### "How we executed a critical supply chain attack on PyTorch"
+
+[John Stawinski](https://johnstawinski.com/) and [Adnan Khan](https://adnanthekhan.com/) published a lengthy blog post detailing [how they executed a supply-chain attack](https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/) against PyTorch](https://pytorch.org/), a machine learning platform "used by titans like Google, Meta, Boeing, and Lockheed Martin":
+
+> Our exploit path resulted in the ability to upload malicious [PyTorch](https://pytorch.org/) releases to GitHub, upload releases to [Amazon Web Services], potentially add code to the main repository branch, backdoor PyTorch dependencies – the list goes on. **In short, it was bad. Quite bad.**
+
+The attack pivoted on PyTorch's use of "[self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)" as well as submitting a pull request to address a trivial typo in the project's `README` file to gain access to repository secrets and API keys that could subsequently be used for malicious purposes.
+
+<br>
+
+### New Arch Linux forensic filesystem tool
+
+[![]({{ "/images/reports/2024-01/archlinux-userland-fs-cmp.png#right" | relative_url }})](https://github.com/kpcyrd/archlinux-userland-fs-cmp)
+
+On our [mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month, long-time Reproducible Builds developer *kpcyrd* [announced a new tool](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003232.html) designed to forensically analyse [Arch Linux](https://archlinux.org/) filesystem images.
+
+Called [`archlinux-userland-fs-cmp`](https://github.com/kpcyrd/archlinux-userland-fs-cmp), the tool is "supposed to be used from a rescue image (any Linux) with an Arch install mounted to, [for example], `/mnt`." Crucially, however, "at no point is any file from the mounted filesystem eval'd or otherwise executed. Parsers are written in a memory safe language."
+
+More information about the tool can be found [on their announcement message](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003232.html), as well as on the [tool's homepage](https://github.com/kpcyrd/archlinux-userland-fs-cmp). Also available is a [GIF of the tool in action](https://asciinema.org/a/MFefYEdvU2O5LlIzseQnyBky5).
+
+<br>
+
+### Issues with our `SOURCE_DATE_EPOCH` code?
+
+Chris Lamb [started a thread on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003225.html) summarising some potential problems with the source code snippet the Reproducible Builds project has been using to parse the [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) environment variable:
+
+> I'm not 100% sure who originally wrote this code, but it was probably sometime in the ~2015 era, and it must be in a huge number of codebases by now.
+>
+> Anyway, Alejandro Colomar was working on the shadow security tool and pinged me regarding some potential issues with the code. You can see this conversation [here](https://github.com/shadow-maint/shadow/commit/cb610d54b47ea2fc3da5a1b7c5a71274ada91371#r136407772).
+
+Chris ends his message with a request that those with intimate or low-level knowledge of `time_t`, C types, overflows and the various parsing libraries in the C standard library (etc.) contribute with further info.
+
+<br>
+
+### Distribution updates
+
+[![]({{ "/images/reports/2024-01/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, Roland Clobus posted another [detailed update of the status of reproducible ISO images](https://lists.reproducible-builds.org/pipermail/rb-general/2024-January/003217.html) on our mailing list. In particular, Roland helpfully summarised that "all major desktops build reproducibly with *bullseye*, *bookworm*, *trixie* and *sid* provided they are built for a second time within the same DAK run (i.e. [within] 6 hours)".
+
+In addition to this, three reviews of Debian packages were added, 17 were updated and 15 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+[![]({{ "/images/reports/2024-01/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Elsewhere, Bernhard posted another [monthly update](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4AOWVPBX2OYQEUXTN3ORS6PJMUBAEWHS/) for his work elsewhere in openSUSE.
+
+<br>
+
+### Community updates
+
+[![]({{ "/images/reports/2024-01/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were made a number of improvements to our website, including Bernhard M. Wiedemann fixing a number of typos of the term 'nondeterministic'. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/281bea1b)] and Jan Zerebecki adding a substantial and highly welcome section to our page about [`SOURCE_DATE_EPOCH`]({{ "/docs/source-date-epoch/" | relative_url }}) to document its interaction with distribution rebuilds. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3a3988bf)].
+
+<br>
+
+[![]({{ "/images/reports/2024-01/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions `245` and `255` to Debian but focusing on triaging and/or merging code from other contributors. This included adding support for comparing [eXtensible ARchive' (.XAR/.PKG)](https://en.wikipedia.org/wiki/Xar_(archiver)) files courtesy of Seth Michael Larson [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/241c92af)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/aca62e60)], as well considerable work from Vekhir in order to fix compatibility between various and subtle incompatible versions of the progressbar libraries in Python [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1fae3be4)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/61394cc4)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/168f927c)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/828a33ab)]. Thanks!
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-01/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework (available at [tests.reproducible-builds.org](https://tests.reproducible-builds.org)) in order to check packages and other artifacts for reproducibility. In January, a number of changes were made by Holger Levsen:
+
+* [Debian](https://debian.org/)-related changes:
+
+    * Reduce the number of `arm64` architecture workers from 24 to 16. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/79bf35a6d)]
+    * Use [diffoscope](https://diffoscope.org/) from the Debian release being tested again. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/57fccefcf)]
+    * Improve the handling when killing unwanted processes [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/95cf719fd)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4e278f7ce)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2328587ab)] and be more verbose about it, too [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1c4f6ffdf)].
+    * Don't mark a job as 'failed' if process marked as 'to-be-killed' is already gone. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/63b812a1b)]
+    * Display the architecture of builds that have been running for more than 48 hours. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/55a86760f)]
+    * Reboot `arm64` nodes when they hit an OOM (out of memory) state. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3f61eacd)]
+
+* Package rescheduling changes:
+
+    * Reduce IRC notifications to '1' when rescheduling due to package status changes. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5dcf67e88)]
+    * Correctly set `SUDO_USER` when rescheduling packages. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dd1f4b129)]
+    * Automatically reschedule packages regressing to FTBFS (build failure) or FTBR (build success, but unreproducible). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8d145dc96)]
+
+* [OpenWrt](https://openwrt.org/)-related changes:
+
+    * Install the `python3-dev` and `python3-pyelftools` packages as they are now needed for the `sunxi` target. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/010155f3b)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7f4c47059)]
+    * Also install the `libpam0g-dev` which is needed by some OpenWrt hardware targets. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7efc35d4)]
+
+* Misc:
+
+    * As it's January, set the `real_year` variable to 2024 [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/2f59edd10)] and bump various copyright years as well [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/ad04d1fab)].
+    * Fix a large (!) number of spelling mistakes in various scripts. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/e7bde6d9a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4cafbc58a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3fbd6ed7e)]
+    * Prevent [Squid](https://www.squid-cache.org/) and [Systemd](https://systemd.io/) processes from being killed by the [kernel's OOM killer](https://www.kernel.org/doc/gorman/html/understand/understand016.html). [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9efe90485)]
+    * Install the `iptables` tool everywhere, else our custom `rc.local` script fails. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/481caed35)]
+    * Cleanup the `/srv/workspace/pbuilder` directory on boot. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9b564c446)]
+    * Automatically restart [Squid](https://www.squid-cache.org/) if it fails. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/b408fbd38)]
+    * Limit the execution of `chroot-installation` jobs to a maximum of 4 concurrent runs. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/71642c11d)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d3afa6d4c)]
+
+Significant amounts of node maintenance was performed by Holger Levsen (eg. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f618266a0)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/11dc79d53)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/d1cc288bd)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/715eda5ec)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7a909a1d2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/fd362069e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0f82bda1f)] etc.) and Vagrant Cascadian (eg. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/a06287c62)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3e4b2e507)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/f5625f573)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/5d8c7d32e)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c366d93b5)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1726a5281)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/dee2b8bd2)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3b86797d2)]).  Indeed, Vagrant Cascadian handled an extended power outage for the network running the Debian `armhf` architecture test infrastructure. This provided the incentive to replace the UPS batteries and consolidate infrastructure to reduce future UPS load. [[…](https://floss.social/@vagrantc/111853398019782907)]
+
+Elsewhere in our infrastructure, however, Holger Levsen also adjusted the email configuration for `@reproducible-builds.org` to deal with a [new SMTP email attack](https://www.postfix.org/smtp-smuggling.html). [[...](https://salsa.debian.org/reproducible-builds/rb-mailx-ansible/commit/c1ab40a)]
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project tries to detects, dissects and fix as many (currently) unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
 * Bernhard M. Wiedemann:
-    * [`SoapySDR`](https://github.com/pothosware/SoapySDR/issues/428) (parallelism)
-    * [`cython`](https://github.com/cython/cython/issues/5949) (random path, toolchain, affects python-frozenlist and python-yarl)
-    * [`deluge`](https://build.opensuse.org/request/show/1136411) (.egg zip mtime)
-    * [`gap-ferret`](https://build.opensuse.org/request/show/1136422) (drop config.log)
-    * [`gap-simpcomp`](https://build.opensuse.org/request/show/1136431) (drop config.log)
-    * [`gap-semigroups`](https://build.opensuse.org/request/show/1136433) (drop config.log)
-    * [`kubernetes1.22`](https://build.opensuse.org/request/show/1137979) (sort)
-    * [`kubernetes1.23`](https://build.opensuse.org/request/show/1137980) (sort)
-    * [`kubernetes1.24`](https://build.opensuse.org/request/show/1136467) (go -trimpath vs random)
-    * [`kubernetes1.25`](https://build.opensuse.org/request/show/1136465) (go -trimpath vs random)
-    * [`warewulf`](https://build.opensuse.org/request/show/1137333) (cpio mtime + inode)
+
+    * [`cython`](https://github.com/cython/cython/issues/5949) (nondeterminstic path issue)
+    * [`deluge`](https://build.opensuse.org/request/show/1136411) (issue with modification time of `.egg` file)
+    * [`gap-ferret`](https://build.opensuse.org/request/show/1136422), [`gap-semigroups`](https://build.opensuse.org/request/show/1136433) & [`gap-simpcomp`](https://build.opensuse.org/request/show/1136431) (nondeterministic `config.log` file)
+    * [`grpc`](https://github.com/grpc/grpc/pull/35687) (filesystem ordering issue )
     * [`hub`](https://build.opensuse.org/request/show/1137377) (random)
-    * [`python-rjsmin`](https://build.opensuse.org/request/show/1137474) (drop gcc instrumentation)
+    * [`kubernetes1.22`](https://build.opensuse.org/request/show/1137979) & [`kubernetes1.23`](https://build.opensuse.org/request/show/1137980) (sort-related issue)
+    * [`kubernetes1.24`](https://build.opensuse.org/request/show/1136467) & [`kubernetes1.25`](https://build.opensuse.org/request/show/1136465) (`go -trimpath` vs random issue)
     * [`libjcat`](https://build.opensuse.org/request/show/1138082) (drop test files with random bytes)
-    * [`systemd`](https://github.com/systemd/systemd/pull/31080) (sort)
-    * [`grpc`](https://github.com/grpc/grpc/pull/35687) (python-grpcio sort filesys)
-    * [`meson`](https://github.com/mesonbuild/meson/pull/12788) (toolchain bug (found via filesys readdir non-determinism))
-    * [`meson`](https://github.com/mesonbuild/meson/pull/12789) (sort python readdir)
+    * [`luajit`](https://github.com/LuaJIT/LuaJIT/issues/1008) (Use new `d` option for deterministic bytecode output)
+    * `meson` [[…](https://github.com/mesonbuild/meson/pull/12788)][[…](https://github.com/mesonbuild/meson/pull/12789)] (sort the results from Python filesystem call)
+    * [`python-rjsmin`](https://build.opensuse.org/request/show/1137474) (drop [GCC instrumentation](https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html) artifacts)
     * [`qt6-virtualkeyboard+others`](https://bugreports.qt.io/browse/QTBUG-121643) (bug parallelism/race)
+    * [`SoapySDR`](https://github.com/pothosware/SoapySDR/issues/428) (parallelism-related issue)
+    * [`systemd`](https://github.com/systemd/systemd/pull/31080) (sorting problem)
+    * [`warewulf`](https://build.opensuse.org/request/show/1137333) ([CPIO](https://www.gnu.org/software/cpio/) modification time issue, etc.)
+
+* Chris Lamb:
+
+    * [#1060254](https://bugs.debian.org/1060254) filed against [`mumble`](https://tracker.debian.org/pkg/mumble).
+
+Separate to this, Vagrant Cascadian followed up with the relevant maintainers when reproducibility fixes were not included in newly-uploaded versions of the `mm-common` package in Debian — this was quickly fixed, however. [[…](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977177#35)]
+
+<br>
+
+---
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4AOWVPBX2OYQEUXTN3ORS6PJMUBAEWHS/)
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
 
-* [FIXME](https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/)
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
 
-Vagrant Cascadian followed up when reproducibility fixes were not
-included in newer version of mm-common was uploaded to Debian, which
-was quickly
-fixed. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977177#35
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
 
-Vagrant Cascadian handled an extended power outage for the network
-running the Debian armhf test infrastructure. This provided the
-incentive to replace the UPS batteries and consolidate infrastructure
-to reduce future UPS load.
+ * Mastodon: [@reproducible_builds](https://fosstodon.org/@reproducible_builds)
 
-Vagrant Cascadian worked on getting new virtualized machines up on new
-host hardware for the armhf network
-https://floss.social/@vagrantc/111853398019782907
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
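Review bot: the link markup in the PyTorch section is malformed: in `[how they executed a supply-chain attack](https://johnstawinski.com/...) against PyTorch](https://pytorch.org/)` the second `](https://pytorch.org/)` has no opening `[`, so the text `against PyTorch]` will render literally and the PyTorch URL will appear as plain text. Suggest `against [PyTorch](https://pytorch.org/)`. A few smaller wording points in the same hunk: "The Reproducible Builds project tries to detects, dissects and fix" should read "tries to detect, dissect and fix"; "There were made a number of improvements to our website" reads more naturally as "A number of improvements were made to our website"; "nondeterminstic" in the `cython` entry is missing an "i"; "[eXtensible ARchive' (.XAR/.PKG)]" carries a stray apostrophe; "as well considerable work from Vekhir" is missing "as"; "(filesystem ordering issue )" has a stray space before the closing parenthesis; and "Significant amounts of node maintenance was performed" wants "were".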


=====================================
images/reports/2024-01/archlinux-userland-fs-cmp.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/archlinux-userland-fs-cmp.png differ


=====================================
images/reports/2024-01/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/debian.png differ


=====================================
images/reports/2024-01/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/diffoscope.png differ


=====================================
images/reports/2024-01/fosdem.jpeg
=====================================
Binary files /dev/null and b/images/reports/2024-01/fosdem.jpeg differ


=====================================
images/reports/2024-01/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/opensuse.png differ


=====================================
images/reports/2024-01/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/reproducible-builds.png differ


=====================================
images/reports/2024-01/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/testframework.png differ


=====================================
images/reports/2024-01/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-01/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0022f4c587f09ba800e3c73c7f90aeafdb3dfd8e
