[Git][reproducible-builds/reproducible-website][master] 2023-12: Misc cosmetic changes; adding missing images etc.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Jan 11 11:20:34 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
32598b00 by Chris Lamb at 2024-01-11T11:20:05+00:00
2023-12: Misc cosmetic changes; adding missing images etc.
- - - - -
6 changed files:
- _reports/2023-12.md
- images/reports/2023-12/2303.11102.png
- images/reports/2023-12/ieee-paper.jpg
- + images/reports/2023-12/libxlst.png
- images/reports/2023-12/releaseteam.png
- images/reports/2023-12/website.png
Changes:
=====================================
_reports/2023-12.md
=====================================
@@ -12,15 +12,13 @@ draft: true
---
-### Speranza: "Usable, privacy-friendly software signing"
-
-[![]({{ "/images/reports/2023-12/2305.06463.png#right" | relative_url }})](https://arxiv.org/abs/2305.06463)
+### *Reproducible Builds: Increasing the Integrity of Software Supply Chains* awarded IEEE Software "Best Paper" award
-Kelsey Merrill, Karen Sollins, Santiago Torres-Arias and Zachary Newman have developed a new system called Speranza, which is aimed at reassuring software consumers that the product they are getting has not been tampered with and is coming directly from a source they trust. A [write-up on TechXplore.com](https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html) goes into some more details:
+[![]({{ "/images/reports/2023-12/ieee-paper.jpg#right" | relative_url }})](https://ieeexplore.ieee.org/abstract/document/9403390)
-> "What we have done," explains Sollins, "is to develop, prove correct, and demonstrate the viability of an approach that allows the [software] maintainers to remain anonymous." Preserving anonymity is obviously important, given that almost everyone—software developers included—value their confidentiality. This new approach, Sollins adds, "simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer." [[...](https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html)]
+In February 2022, [we announced in these reports]({{ "/reports/2023-02/" | relative_url }}) that a paper written by paper [Chris Lamb](https://chris-lamb.co.uk) and [Stefano Zacchiroli](https://upsilon.cc/~zack/) was now available in the [March/April 2022 issue of IEEE Software](https://ieeexplore.ieee.org/abstract/document/9403390). Titled [*Reproducible Builds: Increasing the Integrity of Software Supply Chains*](https://arxiv.org/abs/2104.06020) ([PDF](https://arxiv.org/pdf/2104.06020)).
-[The corresponding paper](https://arxiv.org/abs/2305.06463) is published on the [arXiv](https://arxiv.org/) preprint server in various formats, and the announcement has also been [covered in MIT News](https://news.mit.edu/2023/speranza-boosting-faith-authenticity-open-source-software-1211).
+This month, however, [IEEE Software](https://www.computer.org/csdl/magazine/so) announced [that this paper has won their Best Paper award](https://twitter.com/ieeesoftware/status/1736684911690436868) for 2022.
<br>
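Review bot: the new paragraph beginning `+In February 2022, [we announced in these reports]` has a duplicated word in "a paper written by paper [Chris Lamb]", and its link target `/reports/2023-02/` disagrees with the "February 2022" stated in the prose; one of the two should be corrected before this leaves draft. The following sentence, "Titled *Reproducible Builds: Increasing the Integrity of Software Supply Chains* ([PDF]).", is a fragment; fold it into the preceding sentence, e.g. "... a paper by Chris Lamb and Stefano Zacchiroli titled *Reproducible Builds: Increasing the Integrity of Software Supply Chains* was available in the March/April 2022 issue of IEEE Software."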
@@ -34,39 +32,15 @@ In a post summarising the activities of the [Debian Release Team](https://wiki.d
<br>
-### Community updates
-
-[![]({{ "/images/reports/2023-12/website.png#right" | relative_url }})]({{ "/" | relative_url }})
-
-There were made a number of improvements to our website, including Chris Lamb fixing the `generate-draft` script to not blow up if the input files have been corrupted today or even in the past [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/40c10ab9)], Holger Levsen updated the [Hamburg 2023 summit]({{ "/events/hamburg2023/" | relative_url }}) to add a link to farewell post [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a17754a)] & to add a picture of a Post-It note. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d6f3fa6e)], and Pol Dellaiera updated paragraph about `tar` and the `--clamp-mtime` flag [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/37e7878f)].
-
-On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Bernhard M. Wiedemann posted an interesting summary on some of the reasons [why packages are still not reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2023-December/003215.html) in 2023.
-
-[![]({{ "/images/reports/2023-12/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
-
-[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including processing `objdump` symbol comment filter inputs as Python `byte` (and not `str`) instances [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6d788d7d)] and Vagrant Cascadian extended diffoscope support for [GNU Guix](https://guix.gnu.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/f1822463eb39ba673b1037e105a5af59fd04262b)] and updated the version in that distribution to [version 253](https://issues.guix.gnu.org/67980) [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=111d010921fea8c803427dc316086434e748e773)].
-
-<br>
-
-### "Challenges of Producing Software Bill Of Materials for Java"
-
-[![]({{ "/images/reports/2023-12/2303.11102.png#right" | relative_url }})](https://arxiv.org/abs/2303.11102)
-
-Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, César Soto-Valero and Martin Wittlinger (!) of the [KTH Royal Institute of Technology](https://www.kth.se/en) in Sweden, have published an article in which they:
-
-> … deep-dive into 6 tools and the accuracy of the [SBOMs](https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms/) they produce for complex open-source Java projects. Our novel insights reveal some hard challenges regarding the accurate production and usage of software bills of materials.
-
-The [paper is available](https://arxiv.org/abs/2303.11102) on [arXiv](https://arxiv.org/).
-
-<br>
+### Speranza: "Usable, privacy-friendly software signing"
-### *Reproducible Builds: Increasing the Integrity of Software Supply Chains* awarded IEEE Software "Best Paper" award
+[![]({{ "/images/reports/2023-12/2305.06463.png#right" | relative_url }})](https://arxiv.org/abs/2305.06463)
-[![]({{ "/images/reports/2023-12/ieee-paper.jpg#right" | relative_url }})](https://ieeexplore.ieee.org/abstract/document/9403390)
+Kelsey Merrill, Karen Sollins, Santiago Torres-Arias and Zachary Newman have developed a new system called Speranza, which is aimed at reassuring software consumers that the product they are getting has not been tampered with and is coming directly from a source they trust. A [write-up on TechXplore.com](https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html) goes into some more details:
-In February 2022, [we announced in these reports]({{ "/reports/2023-02/" | relative_url }}) that a paper written by paper [Chris Lamb](https://chris-lamb.co.uk) and [Stefano Zacchiroli](https://upsilon.cc/~zack/) was now available in the [March/April 2022 issue of IEEE Software](https://ieeexplore.ieee.org/abstract/document/9403390). Titled [*Reproducible Builds: Increasing the Integrity of Software Supply Chains*](https://arxiv.org/abs/2104.06020) ([PDF](https://arxiv.org/pdf/2104.06020)).
+> "What we have done," explains Sollins, "is to develop, prove correct, and demonstrate the viability of an approach that allows the [software] maintainers to remain anonymous." Preserving anonymity is obviously important, given that almost everyone—software developers included—value their confidentiality. This new approach, Sollins adds, "simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer." [[...](https://techxplore.com/news/2023-12-boosting-faith-authenticity-source-software.html)]
-This month, however, [IEEE Software](https://www.computer.org/csdl/magazine/so) announced [that this paper has won their Best Paper award](https://twitter.com/ieeesoftware/status/1736684911690436868) for 2022.
+[The corresponding paper](https://arxiv.org/abs/2305.06463) is published on the [arXiv](https://arxiv.org/) preprint server in various formats, and the announcement has also been [covered in MIT News](https://news.mit.edu/2023/speranza-boosting-faith-authenticity-open-source-software-1211).
<br>
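Review bot: the image referenced by the Speranza block moving in here, `images/reports/2023-12/2305.06463.png`, is not among the six changed files, so it must already exist in the tree; worth confirming, since this commit is specifically about adding missing images and two other references in this report had to be rescued from `FIXME.png`. Because the removed Community updates, diffoscope and SBOM sections are re-added verbatim in the later hunk, any wording fixes to them belong in the re-added copy rather than here.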
@@ -84,7 +58,7 @@ Paul goes on to to describe his solution, which involves "forcing git to be sing
### Output from `libxlst` now deterministic
-[![]({{ "/images/reports/2023-12/FIXME.png#right" | relative_url }})](FIXME)
+[![]({{ "/images/reports/2023-12/libxlst.png#right" | relative_url }})](https://gitlab.gnome.org/GNOME/libxslt/-/commit/82f6cbf8ca61b1f9e00dc04aa3b15d563e7bbc6d)
*libxslt* is the [XSLT](https://en.wikipedia.org/wiki/XSLT) C library developed for the [GNOME project](https://www.gnome.org/), where XSLT itself is an XML language to define transformations for XML files. This month, it was revealed that the [result of the `generate-id()` XSLT function is now deterministic across multiple transformations](https://gitlab.gnome.org/GNOME/libxslt/-/blob/d679f4470df2c79443ff54dbc6bd95afaf4cd876/NEWS#L47-48), fixing many issues with reproducible builds. As the [Git commit](https://gitlab.gnome.org/GNOME/libxslt/-/commit/82f6cbf8ca61b1f9e00dc04aa3b15d563e7bbc6d) by Nick Wellnhofer describes:
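Review bot: the new image path `images/reports/2023-12/libxlst.png` carries the same letter transposition as the heading `### Output from \`libxlst\` now deterministic`; the library is `libxslt`, as the body text and the GNOME URL in the `+[![]...` line both spell it. Suggest renaming the file to `libxslt.png`, updating that `+` line accordingly, and fixing the heading in the same commit rather than baking the typo into an asset name that other pages may later link to.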
@@ -109,9 +83,35 @@ together with the hex-encoded namespace prefix.
<br>
-### Debian Non-Maintainer Uploads and Quality Assurance
+### Community updates
+
+[![]({{ "/images/reports/2023-12/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were made a number of improvements to our website, including Chris Lamb fixing the `generate-draft` script to not blow up if the input files have been corrupted today or even in the past [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/40c10ab9)], Holger Levsen updated the [Hamburg 2023 summit]({{ "/events/hamburg2023/" | relative_url }}) to add a link to farewell post [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a17754a)] & to add a picture of a Post-It note. [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d6f3fa6e)], and Pol Dellaiera updated paragraph about `tar` and the `--clamp-mtime` flag [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/37e7878f)].
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, Bernhard M. Wiedemann posted an interesting summary on some of the reasons [why packages are still not reproducible](https://lists.reproducible-builds.org/pipermail/rb-general/2023-December/003215.html) in 2023.
+
+[![]({{ "/images/reports/2023-12/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes, including processing `objdump` symbol comment filter inputs as Python `byte` (and not `str`) instances [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6d788d7d)] and Vagrant Cascadian extended diffoscope support for [GNU Guix](https://guix.gnu.org/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/f1822463eb39ba673b1037e105a5af59fd04262b)] and updated the version in that distribution to [version 253](https://issues.guix.gnu.org/67980) [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=111d010921fea8c803427dc316086434e748e773)].
+
+<br>
+
+### "Challenges of Producing Software Bill Of Materials for Java"
+
+[![]({{ "/images/reports/2023-12/2303.11102.png#right" | relative_url }})](https://arxiv.org/abs/2303.11102)
+
+Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, César Soto-Valero and Martin Wittlinger (!) of the [KTH Royal Institute of Technology](https://www.kth.se/en) in Sweden, have published an article in which they:
+
+> … deep-dive into 6 tools and the accuracy of the [SBOMs](https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms/) they produce for complex open-source Java projects. Our novel insights reveal some hard challenges regarding the accurate production and usage of software bills of materials.
+
+The [paper is available](https://arxiv.org/abs/2303.11102) on [arXiv](https://arxiv.org/).
+
+<br>
+
+### Debian Non-Maintainer campaign
-[![]({{ "/images/reports/2023-12/FIXME.png#right" | relative_url }})](FIXME)
+[![]({{ "/images/reports/2023-12/debian.png#right" | relative_url }})](https://debian.org/)
As mentioned in [previous]({{ "/reports/2023-01/" | relative_url }}) [reports]({{ "/reports/2022-12/" | relative_url }}), the Reproducible Builds team within Debian has been organising a series of online and offline sprints in order to clear the huge backlog of reproducible builds patches submitted by performing so-called NMUs ([Non-Maintainer Uploads](https://wiki.debian.org/NonMaintainerUpload)).
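Review bot: the re-added Community updates paragraph keeps several wording problems that this move is a good opportunity to fix: "There were made a number of improvements to our website" should be "A number of improvements were made to our website"; "add a link to farewell post" needs "the"; "a picture of a Post-It note. [[...](...)]" has a stray full stop before the citation; and "Python `byte` (and not `str`) instances" should read `bytes`, the actual Python type name. In the renamed heading `### Debian Non-Maintainer campaign`, the body introduces the term NMU (Non-Maintainer Upload), so "Debian Non-Maintainer Upload campaign" or "Debian NMU campaign" would read more clearly. Also, `debian.png` here and `diffoscope.png` above are referenced but not in this commit's changed-files list, so confirm both already exist under `images/reports/2023-12/`.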
=====================================
images/reports/2023-12/2303.11102.png
=====================================
Binary files a/images/reports/2023-12/2303.11102.png and b/images/reports/2023-12/2303.11102.png differ
=====================================
images/reports/2023-12/ieee-paper.jpg
=====================================
Binary files a/images/reports/2023-12/ieee-paper.jpg and b/images/reports/2023-12/ieee-paper.jpg differ
=====================================
images/reports/2023-12/libxlst.png
=====================================
Binary files /dev/null and b/images/reports/2023-12/libxlst.png differ
=====================================
images/reports/2023-12/releaseteam.png
=====================================
Binary files a/images/reports/2023-12/releaseteam.png and b/images/reports/2023-12/releaseteam.png differ
=====================================
images/reports/2023-12/website.png
=====================================
Binary files a/images/reports/2023-12/website.png and b/images/reports/2023-12/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/32598b009c480f540afc775a67956f49353cfc58
More information about the rb-commits mailing list