[Git][reproducible-builds/reproducible-website][master] 2024-05: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Jun 5 12:22:16 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
15cc1a00 by Chris Lamb at 2024-06-05T13:21:22+01:00
2024-05: Initial draft
- - - - -
18 changed files:
- _data/presentations.yml
- _reports/2024-05.md
- + images/reports/2024-05/archlinux.png
- + images/reports/2024-05/debian.png
- + images/reports/2024-05/diffoscope.png
- + images/reports/2024-05/fedora.png
- + images/reports/2024-05/freebsd.png
- + images/reports/2024-05/guix.png
- + images/reports/2024-05/hal-04582287.png
- + images/reports/2024-05/hal-04586520.png
- + images/reports/2024-05/opensuse.png
- + images/reports/2024-05/reproducible-builds.png
- + images/reports/2024-05/signal.png
- + images/reports/2024-05/supply-chain-threats.png
- + images/reports/2024-05/testframework.png
- + images/reports/2024-05/website.png
- + images/reports/hal-04582287.png
- + images/reports/hal-04586520.png
Changes:
=====================================
_data/presentations.yml
=====================================
@@ -1,4 +1,4 @@
-- title: preserving *other* build artifacts
+- title: Preserving other build artifacts
presented_by: Holger Levsen
event:
url: https://berlin2024.mini.debconf.org/talks/15-preserving-other-build-artifacts/
=====================================
_reports/2024-05.md
=====================================
@@ -6,29 +6,218 @@ title: "Reproducible Builds in May 2024"
draft: true
---
+[![]({{ "/images/reports/2024-05/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
+**Welcome to the May 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these reports, we try to outline what we have been up to over the past month and highlight news items in software supply-chain security more broadly. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-* [FIXME](https://scholar.google.com/scholar_url?url=https://hammer.purdue.edu/articles/thesis/Software_Supply_Chain_Security_Attacks_Defenses_and_the_Adoption_of_Signatures/25683681/1/files/45839796.pdf&hl=en&sa=X&d=13805763062521869583&ei=5Q4zZtvRB82KywTkka9g&scisig=AFWwaeaYYSq8W_EEO0DD-uEtdWdm&oi=scholaralrt&hist=oRX1FTwAAAAJ:16530474142032332453:AFWwaebMtCuAIKoB7q0BAy0Ve-N4&html=&pos=0&folt=kw)
+<!--
-* [debian-snapshot IRC channel](.)
+**Table of contents:**
-* [FIXME](https://github.com/signalapp/Signal-Android/issues/13565)
+*(Generated prior to publication)*
-* [FIXME FreeBSD 14.1-BETA2 Kernels are now built reproducibly.](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
+-->
-* [FIXME](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
+---
+
+<br>
+
+### [*A peek into build provenance for Homebrew*](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
+
+Joe Sweeney and William Woodruff on the [Trail of Bits](https://www.trailofbits.com/) blog wrote an [extensive post about build provenance](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/) for [Homebrew](https://brew.sh/), the third-party package manager for MacOS. Their post details how each "bottle" (i.e. each release):
+
+> […] built by Homebrew will come with a cryptographically verifiable statement binding the bottle’s content to the specific workflow and other build-time metadata that produced it. […] In effect, this injects **greater transparency** into the Homebrew build process, and **diminishes the threat** posed by a compromised or malicious insider by making it impossible to trick ordinary users into installing non-CI-built bottles.
+
+The post also briefly touches on future work, including work on source provenance:
+
+> Homebrew’s formulae already hash-pin their source artifacts, but we can go a step further and additionally assert that source artifacts are produced by the repository (or other signing identity) that’s latent in their URL or otherwise embedded into the formula specification.
+
+<br>
+
+### Distribution news
+
+[![]({{ "/images/reports/2024-05/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month, Johannes Schauer Marin Rodrigues (aka *josch*) noticed that the Debian binary package `bash` version `5.2.15-2+b3` was "[uploaded to the archive twice. Once to *bookworm* and once to *sid* but with differing content.](https://bugs.debian.org/1072205)" This is problem for reproducible builds in Debian due its assumption that the package name, version and architecture triplet is unique. However, *josch* highlighted that
+
+> This example with `bash` is especially problematic since `bash` is `Essential:yes`, so there will now be a large portion of `.buildinfo` files where it is not possible to figure out with which of the two differing bash packages the sources were compiled.
+
+In response to this, Holger Levsen performed an analysis of all `.buildinfo` files and found that this needs almost 1,500 [binNMUs](https://wiki.debian.org/NonMaintainerUpload) to fix the fallout from this bug.
+
+<br>
+
+Elsewhere in Debian, Vagrant Cascadian posted about a [Non-Maintainer Upload (NMU) sprint](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003404.html) to take place during early June, and it was announced that there is now a `#debian-snapshot` IRC channel on OFTC to discuss the creation of a new source code archiving service to, perhaps, replace [*snapshot.debian.org*](https://snapshot.debian.org/).
+
+Lastly, 11 reviews of Debian packages were added, 15 were updated and 48 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types have been updated by Chris Lamb as well. [[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5fda7f6e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cf46a837)]
+
+<br>
+
+[![]({{ "/images/reports/2024-05/freebsd.png#right" | relative_url }})](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
+
+Elsewhere in the world of distributions, deep within a [larger announcement from Colin Percival about the release of version 14.1-BETA2](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html), it was mentioned that the [FreeBSD](https://www.freebsd.org/) kernels are now built reproducibly.
+
+<br>
+
+### Miscellaneous news
+
+[*strip-nondeterminism*](https://tracker.debian.org/pkg/strip-nondeterminism) is our tool to remove specific non-deterministic results from a completed build. This month *strip-nondeterminism* version `1.14.0-1` was [uploaded to Debian unstable](https://tracker.debian.org/news/1532251/accepted-strip-nondeterminism-1140-1-source-into-unstable/) by Chris Lamb chiefly to incorporate a change from Alex Muntada to avoid a dependency on `Sub::Override` to perform monkey-patching and break circular dependencies related to `debhelper` [[…](https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/4d235a6)]. Elsewhere in our tooling, Jelle van der Waa modified [*reprotest*](https://tracker.debian.org/pkg/strip-nondeterminism) because the [`pipes`](https://docs.python.org/3/library/pipes.html) module will be removed in Python version 3.13 [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/37a13d9)].
+
+<br>
+
+It was also noticed that a new blog post by [Daniel Stenberg](https://daniel.haxx.se/) detailing "[How to verify a Curl release](https://daniel.haxx.se/blog/2024/05/23/how-to-verify-a-curl-release/)" mentions the [`SOURCE_DATE_EPOCH` environment variable]({{ "/docs/source-date-epoch/" | relative_url }}). This is because:
+
+> The [curl] release tools document also contains another key component: the exact time stamp at which the release was done – using integer second resolution. In order to generate a correct tarball clone, you need to also generate the new version using the old version’s timestamp. Because the modification date of all files in the produced tarball will be set to this timestamp.
+
+<br>
+
+[![]({{ "/images/reports/2024-05/signal.png#right" | relative_url }})](https://github.com/signalapp/Signal-Android/issues/13565)
+
+Furthermore, Fay Stegerman [filed a bug](https://github.com/signalapp/Signal-Android/issues/13565) against the [Signal messenger app for Android](https://github.com/signalapp/Signal-Android) to report that their 'reproducible' builds cannot, in fact, be reproduced. However, Fay is quick to note that she has:
+
+> … found zero evidence of any kind of compromise. Some differences are yet unexplained but everything I found seems to be benign. I am disappointed that Reproducible Builds have been broken for months but I have zero reason to doubt Signal's security in any way.
+
+<br>
+
+[![]({{ "/images/reports/2024-05/supply-chain-threats.png#right" | relative_url }})](https://slsa.dev/spec/v1.0/threats-overview)
+
+Lastly, it was observed that there was a concise and diagrammatic overview of "[supply chain threats](https://slsa.dev/spec/v1.0/threats-overview)" on the [SLSA](https://slsa.dev/) website.
+
+<br>
+
+### Two new academic papers published
+
+Two new scholarly papers were published this month.
+
+[![]({{ "/images/reports/2024-05/hal-04582287.png#right" | relative_url }})](https://hal.science/hal-04582287)
+
+Firstly, Mathieu Acher, Benoît Combemale, Georges Aaron Randrianaina and Jean-Marc Jézéquel of [University of Rennes](https://www.univ-rennes.fr/en/welcome-university-rennes) on [*Embracing Deep Variability For Reproducibility & Replicability*](https://hal.science/hal-04582287). The authors describe their approach as follows:
+
+> In this short [vision] paper we delve into the application of software engineering techniques, specifically variability management, to systematically identify and explicit points of variability that may give rise to reproducibility issues (e.g., language, libraries, compiler, virtual machine, OS, environment variables, etc.). The primary objectives are: i) gaining insights into the variability layers and their possible interactions, ii) capturing and documenting configurations for the sake of reproducibility, and iii) exploring diverse configurations to replicate, and hence validate and ensure the robustness of results. By adopting these methodologies, we aim to address the complexities associated with reproducibility and replicability in modern software systems and environments, facilitating a more comprehensive and nuanced perspective on these critical aspects.
+
+([A PDF of this article is available](https://hal.science/hal-04582287/document).)
+
+<br>
+
+[![]({{ "/images/reports/2024-05/hal-04586520.png#right" | relative_url }})](https://hal.science/hal-04586520)
+
+Secondly, Ludovic Courtès, Timothy Sample, Simon Tournier and Stefano Zacchiroli have collaborated to publish a paper on [*Source Code Archiving to the Rescue of Reproducible Deployment*](https://hal.science/hal-04586520). Their paper was motivated because:
+
+> The ability to verify research results and to experiment with methodologies are core tenets of science. As research results are increasingly the outcome of computational processes, software plays a central role. [GNU Guix](https://guix.gnu.org/) is a software deployment tool that supports reproducible software deployment, making it a foundation for computational research workflows. To achieve reproducibility, we must first ensure the source code of software packages Guix deploys remains available.
-* [FIXME](https://slsa.dev/spec/v1.0/threats-overview)
+([A PDF of this article](https://hal.science/hal-04582287/document) is also available.)
-* [FIXME](https://daniel.haxx.se/blog/2024/05/23/how-to-verify-a-curl-release/) - mentions S_D_E
+<br>
+### Mailing list news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+Regular contributor *kpcyrd* wrote to the list [with an update on their source code indexing project, *whatsrc.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003407.html). The [whatsrc.org](https://whatsrc.org/) project, which was launched last month in response to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), now contains and indexes almost 250,000 unique source code archives. In their post, *kpcyrd* gives an example of its intended purpose, noting that it shown that whilst "there seems to be consensus about [the] source code for zsh 5.9" in various Linux distributions, it "does not align with the contents of the zsh Git repository".
+
+<br>
+
+Holger Levsen posted to the list with a ['pre-announcement' of sorts for the 2024 Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003411.html). In particular:
+
+> [Whilst] the dates and location are not fixed yet, however if you don' help us with finding a suitable location *soon*, it is very likely that we'll meet again in **Hamburg in the 2nd half of September 2024** […].
+
+<br>
+
+Lastly, Frederic-Emmanuel Picca wrote to the list asking for help understanding the "[non-reproducible status of the Debian `silx` package"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003393.html) and received replies from both [Vagrant Cascadian](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003394.html) and [Chris Lamb](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003396.html).
+
+<br>
+
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2024-05/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions `266`, `267`, `268` **and** `269` to Debian, making the following changes:
+
+* New features:
+
+ * Use `xz --list` to supplement output when comparing .xz archives; essential when metadata differs. ([#1069329](https://bugs.debian.org/1069329))
+ * Include `xz --verbose --verbose` (ie. double) output. ([#1069329](https://bugs.debian.org/1069329))
+ * Strip the first line from the `xz --list` output. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/ac8a5070)]
+ * Only include `xz --list --verbose` output if the `xz` has no other differences. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/52919364)]
+ * Actually append the `xz --list` *after* the container differences, as it simplifies a lot. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2acff705)]
+
+* Testing improvements:
+
+ * Allow Debian *testing* to fail right now. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0a5a5cc3)]
+ * Drop `apktool` from `Build-Depends`; we can still test APK functionality via autopkgtests. ([#1071410](https://bugs.debian.org/1071410))
+ * Add a versioned dependency for at least version 5.4.5 for the `xz` tests as they fail under (at least) version 5.2.8. ([#374](https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/374))
+ * Fix tests for `7zip` 24.05. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/31a6a56a)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9b421991)]
+ * Fix all tests after additon of `xz --list`. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/a6651ded)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8443cb8c)]
+
+* Misc:
+
+ * Update copyright years. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/1e782e18)]
+
+In addition, James Addison fixed an issue where the HTML output showed only the first difference in a file, while the text output shows all differences [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/4a685bbb)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e976c352)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/067a8d1c)], Sergei Trofimovich amended the `7zip` version test for older 7z versions that include the string "`[64]`" [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2a361d7d)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/614c1b2c)] and Vagrant Cascadian relax versioned dependency to allow version 5.4.1 for the `xz` tests [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fd7eed75)]. Furthermore, Eli Schwartz updated the [*diffoscope.org* website](https://diffoscope.org/) in order to explain how to install diffoscope on Gentoo [[…](https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/a58b28f)].
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-05/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were a number of improvements made to our website this month, including Chris Lamb making the "print" CSS stylesheet nicer [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/77b997d1)]. However, Fay Stegerman made a number of updates to the page about the [`SOURCE_DATE_EPOCH` environment variable]({{ "/docs/source-date-epoch/" | relative_url }}) [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/db010718)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c41667e6)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/aa5e9da9)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2e795179)] and Holger Levsen added some of their presentations to the ["Resources" page]({{ "/docs/resources/" | relative_url }}). Furthermore, IOhannes zmölnig stipulated support for `SOURCE_DATE_EPOCH` in [CMake](https://cmake.org/) version 16.0.0+. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7489a013)], Jan Zerebecki expanded the "[Formal definition]({{ "/docs/formal-definition/" | relative_url }})" page and fixed a number of typos on the "[Buy-in]({{ "/docs/buy-in/" | relative_url }})" page [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a5ab5d35)] and Simon Josefsson fixed the link to [Trisquel GNU/Linux](https://trisquel.info/) on the "[Projects]({{ "/who/projects/" | relative_url }})" page [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/438f0ff9)].
+
+<br>
+
+### Upstream patches
+
+This month, we wrote a number of patches to fix specific reproducibility issues, including:
* Bernhard M. Wiedemann:
+
* [`nauty`](https://bugzilla.opensuse.org/show_bug.cgi?id=1225415) (CPU-detection issue)
* [`emacs`](https://mail.gnu.org/archive/html/emacs-devel/2024-05/msg01026.html) (ASLR)
-* [FIXME](https://hal.science/hal-04582287/document)
+* Chris Lamb:
+
+ * [#1070754](https://bugs.debian.org/1070754) filed against [`gensio`](https://tracker.debian.org/pkg/gensio).
+ * [#1071064](https://bugs.debian.org/1071064) filed against [`tkgate`](https://tracker.debian.org/pkg/tkgate).
+ * [#1072094](https://bugs.debian.org/1072094) filed against [`ruby-pgplot`](https://tracker.debian.org/pkg/ruby-pgplot).
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-04/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In May, a number of changes were made by Holger Levsen:
+
+* [Debian](https://debian.org/)-related changes:
+
+ * Enable the rebuilder-snapshot API on `osuosl4`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8cf39a1d7)]
+ * Schedule the `i386` architecture a bit more often. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3af751f20)]
+ * Adapt `cleanup_nodes.sh` to the new way of running our build services. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/127890236)]
+ * Add 8 more workers for the `i386` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/33d7eca13)]
+ * Update configuration now that the `infom07` and `infom08` nodes have been reinstalled as "real" `i386` systems. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c9ebd1d46)]
+ * Make [*diffoscope*](https://diffoscope.org) timeouts more visible on the `#debian-reproducible-changes` IRC channel. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9f3bcea14)]
+ * Mark the `cbxi4a-armhf` node as down. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2fa8b2402)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a94ec1db5)]
+ * Only install the `hdmi2usb-mode-switch` package only on Debian *bookworm* and earlier [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/14dbf963a)] and only install the `haskell-platform` package on Debian *bullseye* [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1574a0fdf)].
+
+* Misc:
+
+ * Install the `ntpdate` utility as we need it later. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c1c3e6862)]
+ * Document the progress on the `i386` architecture nodes at [Infomaniak](https://www.infomaniak.com/en). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d34fd5c04)]
+ * Drop an outdated and unnoticed notice. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/1388c366c)]
+ * Add `live_setup_schroot` to the list of so-called "zombie" jobs. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6c048aa94)]
+
+In addition, Mattia Rizzolo reinstalled the `infom07` and `infom08` nodes [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f79acda69)] and Vagrant Cascadian marked the `cbxi4a` node as online [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/29da0a918)].
+
+<br>
+
+---
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
-* [FIXME](https://hal.science/hal-04586520/document)
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
-* [FIXME](https://bugs.debian.org/1072205) - Holger did an analysis of all .buildinfo files and found that this needs almost 1500 binNMUs to fix the fallout from this bug.
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
=====================================
images/reports/2024-05/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/archlinux.png differ
=====================================
images/reports/2024-05/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/debian.png differ
=====================================
images/reports/2024-05/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/diffoscope.png differ
=====================================
images/reports/2024-05/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/fedora.png differ
=====================================
images/reports/2024-05/freebsd.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/freebsd.png differ
=====================================
images/reports/2024-05/guix.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/guix.png differ
=====================================
images/reports/2024-05/hal-04582287.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/hal-04582287.png differ
=====================================
images/reports/2024-05/hal-04586520.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/hal-04586520.png differ
=====================================
images/reports/2024-05/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/opensuse.png differ
=====================================
images/reports/2024-05/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/reproducible-builds.png differ
=====================================
images/reports/2024-05/signal.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/signal.png differ
=====================================
images/reports/2024-05/supply-chain-threats.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/supply-chain-threats.png differ
=====================================
images/reports/2024-05/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/testframework.png differ
=====================================
images/reports/2024-05/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/website.png differ
=====================================
images/reports/hal-04582287.png
=====================================
Binary files /dev/null and b/images/reports/hal-04582287.png differ
=====================================
images/reports/hal-04586520.png
=====================================
Binary files /dev/null and b/images/reports/hal-04586520.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/15cc1a00499102765e2eb29b75d05c29e7881a88
--
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/15cc1a00499102765e2eb29b75d05c29e7881a88
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20240605/7bb51234/attachment.htm>
More information about the rb-commits
mailing list