[Git][reproducible-builds/reproducible-website][master] 2024-06: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Wed Jul 10 11:56:06 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
74f268c1 by Chris Lamb at 2024-07-10T12:28:33+01:00
2024-06: Initial draft

- - - - -


13 changed files:

- _reports/2024-06.md
- + images/reports/2024-06/archlinux.png
- + images/reports/2024-06/debian.png
- + images/reports/2024-06/diffoscope.png
- + images/reports/2024-06/guix.png
- + images/reports/2024-06/opensuse.png
- + images/reports/2024-06/paper-2406.08198.png
- + images/reports/2024-06/paper-2406.15596.png
- + images/reports/2024-06/paper-thesis.png
- + images/reports/2024-06/reproducible-builds.png
- + images/reports/2024-06/summit.jpg
- + images/reports/2024-06/testframework.png
- + images/reports/2024-06/website.png


Changes:

=====================================
_reports/2024-06.md
=====================================
@@ -6,17 +6,136 @@ title: "Reproducible Builds in June 2024"
 draft: true
 ---
 
-* [FIXME](https://arxiv.org/pdf/2406.08198)
+[![]({{ "/images/reports/2024-06/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
 
-* [FIXME](https://arxiv.org/pdf/2406.15596)
+**Welcome to the June 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
 
-* Vagrant Cascadian will present an online Reproducible Builds session as part of the monthly [Guix patch review](https://libreplanet.org/wiki/Group:Guix/PatchReviewSessions2024) [July 11th, 17:00 UTC](https://www.meetup.com/guix-london/events/300819830/)
+In our reports, we outline what we've been up to over the past month and highlight news items in software supply-chain security more broadly. As always, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* Bernhard M. Wiedemann:
-    * [`systemd`](https://bugzilla.opensuse.org/show_bug.cgi?id=1226200) (FTBFS-2038)
-    * [`samba`](https://bugzilla.opensuse.org/show_bug.cgi?id=1225754) (ASLR, was already fixed upstream)
-    * [`qutebrowser`](https://github.com/qutebrowser/qutebrowser/pull/8233) (merged, FTBFS-2036)
+**Table of contents:**
 
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/CDIFFRNRSCI5BBXW7QSQSZVKE45YFTTH/)
+0. [Next Reproducible Builds Summit dates announced](#next-reproducible-builds-summit-dates-announced)
+0. [GNU Guix patch review session for reproducibility](#gnu-guix-patch-review-session-for-reproducibility)
+0. [Three new reproducibility-related academic papers](#three-new-reproducibility-related-academic-papers)
+0. [Website updates](#website-updates)
+0. [Misc development news](#misc-development-news)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
 
-* [FIXME](https://www.diva-portal.org/smash/get/diva2:1877032/FULLTEXT01.pdf)
+---
+
+<br>
+
+### [Next Reproducible Builds Summit dates announced]({{ "/events/hamburg2024/" | relative_url }})
+
+[![]({{ "/images/reports/2024-06/summit.jpg#right" | relative_url }})]({{ "/events/hamburg2024/" | relative_url }})
+
+**We are very pleased to announce the [upcoming Reproducible Builds Summit]({{ "/events/hamburg2024/" | relative_url }}), set to take place from _September 16th — 19th 2024_ in Hamburg, Germany.**
+
+We are thrilled to host the seventh edition of this exciting event, following the success of previous summits in various iconic locations around the world, including Venice, Marrakesh, Paris, Berlin and Athens. Our summits are a unique gathering that brings together attendees from diverse projects, united by a shared vision of advancing the Reproducible Builds effort. During this enriching event, participants will have the opportunity to engage in discussions, establish connections and exchange ideas to drive progress in this vital field. Our aim is to create an inclusive space that fosters collaboration, innovation and problem-solving.
+
+If you're interesting in joining us this year, please make sure to [read the event page]({{ "/events/hamburg2024/" | relative_url }}) which has more details about the event and location. We are very much looking forward to seeing many readers of these reports there.
+
+<br>
+
+### [GNU Guix patch review session for reproducibility](https://libreplanet.org/wiki/Group:Guix/PatchReviewSessions2024)
+
+[![]({{ "/images/reports/2024-06/guix.png#right" | relative_url }})](https://libreplanet.org/wiki/Group:Guix/PatchReviewSessions2024)
+
+Vagrant Cascadian will [holding a Reproducible Builds session](https://www.meetup.com/guix-london/events/300819830/) as part of the monthly [Guix patch review](https://libreplanet.org/wiki/Group:Guix/PatchReviewSessions2024) series on **July 11th at 17:00 UTC**.
+
+These online events are intended to encourage everyone everyone becoming a patch reviewer and the goal of reviewing patches is to help Guix project accept contributions while maintaining our quality standards and learning how to do patch reviews together in a friendly hacking session.
+
+<br>
+
+### Three new reproducibility-related academic papers
+
+A total of three separate scholarly papers related to Reproducible Builds were published this month:
+
+[![]({{ "/images/reports/2024-06/paper-2406.08198.png#right" | relative_url }})](https://arxiv.org/abs/2406.08198)
+
+[*An Industry Interview Study of Software Signing for Supply Chain Security*](https://arxiv.org/abs/2406.08198) was published by Kelechi G. Kalu, Tanmay Singla, Chinenye Okafor, Santiago Torres-Arias and James C. Davis of Electrical and Computer Engineering department of [Purdue University](https://www.purdue.edu/), Indiana, USA, and is concerned with:
+
+> To understand software signing in practice, we interviewed 18 high-ranking industry practitioners across 13 organizations. We provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. We also study the challenges that affect an effective software signing implementation.
+
+<br>
+
+[![]({{ "/images/reports/2024-06/paper-2406.15596.png#right" | relative_url }})](https://arxiv.org/abs/2406.15596)
+
+[*DiVerify: Diversifying Identity Verification in Next-Generation Software Signing*](https://arxiv.org/abs/2406.15596) was written by Chinenye L. Okafor, James C. Davis and Santiago Torres-Arias also of [Purdue University](https://www.purdue.edu/) and is interested in:
+
+> Code signing enables software developers to digitally sign their code using cryptographic keys, thereby associating the code to their identity. This allows users to verify the authenticity and integrity of the software, ensuring it has not been tampered with. Next-generation software signing such as Sigstore and OpenPubKey simplify code signing by providing streamlined mechanisms to verify and link signer identities to the public key. However, their designs have vulnerabilities: reliance on an identity provider introduces a single point of failure, and the failure to follow the principle of least privilege on the client side increases security risks. We introduce Diverse Identity Verification (DiVerify) scheme, which strengthens the security guarantees of nextgeneration software signing by leveraging threshold identity validations and scope mechanisms.
+
+<br>
+
+[![]({{ "/images/reports/2024-06/paper-thesis.png#right" | relative_url }})](https://www.diva-portal.org/smash/get/diva2:1877032/FULLTEXT01.pdf)
+
+Finally, Felix Lagnöhed published their thesis on the [*Integration of Reproducibility Verification with Diffoscope in GNU Make*](https://www.diva-portal.org/smash/get/diva2:1877032/FULLTEXT01.pdf). This work, amongst some other results:
+
+> […] resulted in an extension of GNU make which is called `rmake`, where *diffoscope* — a tool for detecting differences between a large number of file types — was integrated into the workflow of make. rmake was later used to answer the posed research questions for this thesis. We found that different build paths and offsets are a big problem as three out of three tested Free and Open Source Software projects all contained these variations. The results also showed that gcc’s optimisation levels did not affect reproducibility, but link-time optimisation embeds a lot of unreproducible information in build artefacts. Lastly, the results showed that build paths, build ID’s and randomness are the three most common groups of variations encountered in the wild and potential solutions for some variations were proposed.
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-06/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were a number of improvements made to our website this month, including Akihiro Suda very helpfully made the `<h4>` elements more distinguishable from the `<h3>` level [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a4adc9b)][[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/81e91a45)] as well as added added a guide for `Dockerfile` reproducibility [[...](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/461ab1eb)]. In addition Fay Stegerman added two tools, [`apksigcopier`](https://github.com/obfusk/apksigcopier) and [`reproducible-apk-tools`](https://github.com/obfusk/reproducible-apk-tools) to our [Tools]({{ "/tools/" | relative_url }}}) page.
+
+<br>
+
+### Misc development news
+
+[![]({{ "/images/reports/2024-06/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, 4 reviews of Debian packages were added, 11 were updated and 14 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Only one issue types was updated, though, [explaining that we don't vary the build path anymore](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c0afe1cb).
+
+<br>
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, [Bernhard M. Wiedemann wrote](https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003436.html) that whilst he had [previously collected issues that *introduce* non-determinism](https://github.com/bmwiedemann/theunreproduciblepackage/) he has now moved on to discuss about "mitigations", in the sense of how can we avoid whole categories of problem "without patching an infinite number of individual packages". In addition, Janneke Nieuwenhuizen announced the release of two versions of GNU Mes. [[...](https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003426.html)][[...](https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003441.html)]
+
+<br>
+
+[![]({{ "/images/reports/2024-06/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+In openSUSE news, Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/CDIFFRNRSCI5BBXW7QSQSZVKE45YFTTH/) for that distribution.
+
+<br>
+
+What's more, we continued to write patches in order to fix specific reproducibility issues, including Bernhard M. Wiedemann writing three patches (for [`qutebrowser`](https://github.com/qutebrowser/qutebrowser/pull/8233), [`samba`](https://bugzilla.opensuse.org/show_bug.cgi?id=1225754) and [`systemd`](https://bugzilla.opensuse.org/show_bug.cgi?id=1226200)) and Chris Lamb filed Debian bug [#1074214](https://bugs.debian.org/1074214) against the [`fastfetch`](https://tracker.debian.org/pkg/fastfetch) package.
+
+<br>
+
+[![]({{ "/images/reports/2024-06/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+Lastly, [diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb uploaded two versions (`270` and `271`) to Debian, and made the following changes as well:
+
+* Drop `Build-Depends` on `liblz4-tool` in order to fix Debian bug [#1072575](https://bugs.debian.org/1072575). [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6a71d08a)]
+* Update tests to support `zipdetails` version `4.004` that is shipped with Perl 5.40. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9c0ce92f)]
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-06/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In June, a number of changes were made by Holger Levsen, including:
+
+* Marking the `virt(32|64)c-armhf` nodes as down. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0c7ad186e)]
+* Granting a developer access to the `osuosl4` node in order to debug a regression on the `ppc64el` architecture. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/70b132f55)]
+* Granting a developer access to the `osuosl4` node. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4c3f6ba51)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/04803bdeb)]
+
+In addition, Mattia Rizzolo re-aligned the `/etc/default/jenkins` file with changes performed upstream [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/9d229b6f9)] and changed how configuration files are handled on the `rb-mail1` host. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/de107d44d)], whilst Vagrant Cascadian documented the failure of the `virt32c` and `virt64c` nodes after initial investigation [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/01f4be05c)].
+
+<br>
+
+---
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
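Review bot: the Tools link in the "Website updates" paragraph has an unbalanced Liquid tag, `[Tools]({{ "/tools/" | relative_url }}})`, so Jekyll will leave a stray `}` in the rendered href; drop the third closing brace. Several wording slips in the same hunk: "If you're interesting in joining us" should read "interested"; "Vagrant Cascadian will holding a Reproducible Builds session" is missing "be"; "encourage everyone everyone becoming a patch reviewer" duplicates "everyone" and reads better as "encourage everyone to become a patch reviewer"; "as well as added added a guide" duplicates "added"; "4 reviews of Debian packages were added, 11 were updated and 14 were removed this month" repeats the "this month" that opens the sentence, and "Only one issue types was updated" should be "type"; "moved on to discuss about" should drop "about"; the `rb-mail1` sentence has a stray full stop before its commit link; and the closing "However, you can get in touch with us via:" reads as a contradiction of the preceding sentence where "Alternatively" is meant. The two adjacent bullets in the testing-framework list both begin "Granting a developer access to the `osuosl4` node" and could be folded into one. The removed draft lines carried detail that the new "three patches" sentence drops, namely `systemd` (FTBFS-2038), `samba` (ASLR, was already fixed upstream) and `qutebrowser` (merged, FTBFS-2036); keeping those annotations would make the patch list more useful to readers. Finally, the commit adds `images/reports/2024-06/archlinux.png` but nothing in the report references it.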


=====================================
images/reports/2024-06/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/archlinux.png differ


=====================================
images/reports/2024-06/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/debian.png differ


=====================================
images/reports/2024-06/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/diffoscope.png differ


=====================================
images/reports/2024-06/guix.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/guix.png differ


=====================================
images/reports/2024-06/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/opensuse.png differ


=====================================
images/reports/2024-06/paper-2406.08198.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/paper-2406.08198.png differ


=====================================
images/reports/2024-06/paper-2406.15596.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/paper-2406.15596.png differ


=====================================
images/reports/2024-06/paper-thesis.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/paper-thesis.png differ


=====================================
images/reports/2024-06/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/reproducible-builds.png differ


=====================================
images/reports/2024-06/summit.jpg
=====================================
Binary files /dev/null and b/images/reports/2024-06/summit.jpg differ


=====================================
images/reports/2024-06/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/testframework.png differ


=====================================
images/reports/2024-06/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-06/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/74f268c16c6c5b16a60e6f35d5086161a022e921


