[Git][reproducible-builds/reproducible-website][master] 2 commits: 2024-05: Misc changes prior to publication
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Sat Jun 8 10:30:23 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
18cc593b by Chris Lamb at 2024-06-08T11:29:55+01:00
2024-05: Misc changes prior to publication
- - - - -
86a2e9f6 by Chris Lamb at 2024-06-08T11:30:00+01:00
published as https://reproducible-builds.org/reports/2024-05/
- - - - -
4 changed files:
- _reports/2024-05.md
- images/reports/2024-05/hal-04582287.png
- images/reports/2024-05/hal-04586520.png
- + images/reports/2024-05/homebrew.png
Changes:
=====================================
_reports/2024-05.md
=====================================
@@ -3,20 +3,25 @@ layout: report
year: "2024"
month: "05"
title: "Reproducible Builds in May 2024"
-draft: true
+draft: false
+date: 2024-06-08 10:30:00
---
[![]({{ "/images/reports/2024-05/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
**Welcome to the May 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these reports, we try to outline what we have been up to over the past month and highlight news items in software supply-chain security more broadly. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-<!--
-
**Table of contents:**
-*(Generated prior to publication)*
-
--->
+0. [*A peek into build provenance for Homebrew*](#a-peek-into-build-provenance-for-homebrew)
+0. [Distribution news](#distribution-news)
+0. [Mailing list news](#mailing-list-news)
+0. [Miscellaneous news](#miscellaneous-news)
+0. [Two new academic papers](#two-new-academic-papers)
+0. [*diffoscope*](#diffoscope)
+0. [Website updates](#website-updates)
+0. [Upstream patches](#upstream-patches)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
---
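Review bot: the new `date: 2024-06-08 10:30:00` front-matter value carries no UTC offset, so Jekyll will interpret it in the site's configured timezone; the commit timestamps in this push are `+01:00` while the list header records 10:30 UTC, so the intended instant is ambiguous. If UTC was meant, `date: 2024-06-08 10:30:00 +0000` removes the doubt. The added table of contents looks consistent with the section order below (Mailing list news now precedes Miscellaneous news, and `#two-new-academic-papers` matches the renamed heading later in this patch).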
@@ -24,6 +29,8 @@ draft: true
### [*A peek into build provenance for Homebrew*](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
+[![]({{ "/images/reports/2024-05/homebrew.png#right" | relative_url }})](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
+
Joe Sweeney and William Woodruff on the [Trail of Bits](https://www.trailofbits.com/) blog wrote an [extensive post about build provenance](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/) for [Homebrew](https://brew.sh/), the third-party package manager for MacOS. Their post details how each "bottle" (i.e. each release):
> […] built by Homebrew will come with a cryptographically verifiable statement binding the bottle’s content to the specific workflow and other build-time metadata that produced it. […] In effect, this injects **greater transparency** into the Homebrew build process, and **diminishes the threat** posed by a compromised or malicious insider by making it impossible to trick ordinary users into installing non-CI-built bottles.
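Review bot: the added image link `[![]({{ "/images/reports/2024-05/homebrew.png#right" ...` has an empty alt text; a short description such as "Trail of Bits blog post screenshot" would help screen readers, although the other report images use the same empty-alt pattern. In the unchanged context line, the gloss "each "bottle" (i.e. each release)" is imprecise: a Homebrew bottle is a prebuilt binary package of a formula, not a release of the software, and "MacOS" should be "macOS" to match Apple's styling.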
@@ -44,20 +51,33 @@ In Debian this month, Johannes Schauer Marin Rodrigues (aka *josch*) noticed tha
In response to this, Holger Levsen performed an analysis of all `.buildinfo` files and found that this needs almost 1,500 [binNMUs](https://wiki.debian.org/NonMaintainerUpload) to fix the fallout from this bug.
+Elsewhere in Debian, Vagrant Cascadian posted about a [Non-Maintainer Upload (NMU) sprint](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003404.html) to take place during early June, and it was announced that there is now a `#debian-snapshot` IRC channel on OFTC to discuss the creation of a new source code archiving service to, perhaps, replace [*snapshot.debian.org*](https://snapshot.debian.org/). Lastly, 11 reviews of Debian packages were added, 15 were updated and 48 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types have been updated by Chris Lamb as well. [[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5fda7f6e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cf46a837)]
+
<br>
-Elsewhere in Debian, Vagrant Cascadian posted about a [Non-Maintainer Upload (NMU) sprint](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003404.html) to take place during early June, and it was announced that there is now a `#debian-snapshot` IRC channel on OFTC to discuss the creation of a new source code archiving service to, perhaps, replace [*snapshot.debian.org*](https://snapshot.debian.org/).
+[![]({{ "/images/reports/2024-05/freebsd.png#right" | relative_url }})](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
-Lastly, 11 reviews of Debian packages were added, 15 were updated and 48 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types have been updated by Chris Lamb as well. [[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5fda7f6e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cf46a837)]
+Elsewhere in the world of distributions, deep within a [larger announcement from Colin Percival about the release of version 14.1-BETA2](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html), it was mentioned that the [FreeBSD](https://www.freebsd.org/) kernels are now built reproducibly.
<br>
-[![]({{ "/images/reports/2024-05/freebsd.png#right" | relative_url }})](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
+[![]({{ "/images/reports/2024-05/fedora.png#right" | relative_url }})](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds)
-Elsewhere in the world of distributions, deep within a [larger announcement from Colin Percival about the release of version 14.1-BETA2](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html), it was mentioned that the [FreeBSD](https://www.freebsd.org/) kernels are now built reproducibly.
+In Fedora, however, the change proposal mentioned in [our report for April 2024]({{ "/reports/2024-04/" | relative_url }}) was approved, so, per the [ReproduciblePackageBuilds](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds) wiki page, the [*add-determinism*](https://github.com/keszybz/add-determinism) tool is now running in new builds for Fedora 41 ('rawhide'). The *add-determinism* tool is a Rust program which, as its name suggests, adds determinism to files that are given as input by "attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to `$SOURCE_DATE_EPOCH` in all instances". This is essentially the Fedora version of Debian's *strip-nondeterminism*. However, *strip-nondeterminism* is written in Perl, and Fedora did not want to pull Perl in the `buildroot` for every package. The *add-determinism* tool eliminates many causes of non-determinism and work is ongoing to continue the scope of packages it can operate on.
+
+<br>
+
+### Mailing list news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, regular contributor *kpcyrd* wrote to the list [with an update on their source code indexing project, *whatsrc.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003407.html). The [whatsrc.org](https://whatsrc.org/) project, which was launched last month in response to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), now contains and indexes almost 250,000 unique source code archives. In their post, *kpcyrd* gives an example of its intended purpose, noting that it shown that whilst "there seems to be consensus about [the] source code for zsh 5.9" in various Linux distributions, it "does not align with the contents of the zsh Git repository".
+
+Holger Levsen also posted to the list with a ['pre-announcement' of sorts for the 2024 Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003411.html). In particular:
+
+> [Whilst] the dates and location are not fixed yet, however if you don' help us with finding a suitable location *soon*, it is very likely that we'll meet again in **Hamburg in the 2nd half of September 2024** […].
+
+Lastly, Frederic-Emmanuel Picca wrote to the list asking for help understanding the "[non-reproducible status of the Debian `silx` package"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003393.html) and received replies from both [Vagrant Cascadian](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003394.html) and [Chris Lamb](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003396.html).
<br>
-On the fedora side, the change proposal mentioned in [April 2024](https://reproducible-builds.org/reports/2024-04/)'s report was approved, so per [ReproduciblePackageBuilds](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds) the [add-determinism](https://github.com/keszybz/add-determinism) tool is now running in new builds for Fedora 41 (rawhide). The add-determinism tool is a Rust program which, as its name suggests, adds determinism to files that are given as input by "attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to `$SOURCE_DATE_EPOCH` in all instances". This is essentially the "Fedora version" of Debian's strip-nondeterminism. strip-nondeterminism is written in perl, and Fedora doesn't want to pull perl in the buildroot for every package. The add-determinism tool eliminates many causes of non-determinism. Work is ongoing to continue the scope of packages it can operate on.
### Miscellaneous news
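Review bot: two wording problems survive in the relocated text. In the whatsrc.org paragraph, "noting that it shown that whilst" is missing a verb and should read "noting that it has shown that whilst". In the Fedora paragraph, "work is ongoing to continue the scope of packages it can operate on" should be "extend the scope"; and the opening "In Fedora, however," signals a contrast with the preceding FreeBSD item that the text does not actually draw, so plain "In Fedora," reads better. The quoted "if you don' help us" appears to be a typo carried from the original announcement; if it is verbatim, mark it with [sic] rather than silently correcting it.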
@@ -85,7 +105,7 @@ Lastly, it was observed that there was a concise and diagrammatic overview of "[
<br>
-### Two new academic papers published
+### Two new academic papers
Two new scholarly papers were published this month.
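Review bot: the heading rename keeps the auto-generated anchor aligned with the TOC entry `#two-new-academic-papers`, which is fine. Separately, this commit also modifies the two HAL paper images listed in the file summary (`images/reports/2024-05/hal-04582287.png` and `hal-04586520.png`) without any change to the surrounding section, and the commit message "Misc changes prior to publication" does not say why they were regenerated (recompressed, cropped, re-rendered?); a one-line mention in the commit message would make the binary changes reviewable.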
@@ -109,24 +129,6 @@ Secondly, Ludovic Courtès, Timothy Sample, Simon Tournier and Stefano Zacchirol
<br>
-### Mailing list news
-
-On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
-
-Regular contributor *kpcyrd* wrote to the list [with an update on their source code indexing project, *whatsrc.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003407.html). The [whatsrc.org](https://whatsrc.org/) project, which was launched last month in response to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), now contains and indexes almost 250,000 unique source code archives. In their post, *kpcyrd* gives an example of its intended purpose, noting that it shown that whilst "there seems to be consensus about [the] source code for zsh 5.9" in various Linux distributions, it "does not align with the contents of the zsh Git repository".
-
-<br>
-
-Holger Levsen posted to the list with a ['pre-announcement' of sorts for the 2024 Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003411.html). In particular:
-
-> [Whilst] the dates and location are not fixed yet, however if you don' help us with finding a suitable location *soon*, it is very likely that we'll meet again in **Hamburg in the 2nd half of September 2024** […].
-
-<br>
-
-Lastly, Frederic-Emmanuel Picca wrote to the list asking for help understanding the "[non-reproducible status of the Debian `silx` package"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003393.html) and received replies from both [Vagrant Cascadian](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003394.html) and [Chris Lamb](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003396.html).
-
-<br>
-
### [*diffoscope*](https://diffoscope.org)
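Review bot: the removed block separated its three mailing-list items with `<br>` lines (the `-<br>` lines before and after the summit pre-announcement), whereas the relocated copy earlier in this patch runs the three items together as consecutive paragraphs; the Distribution news section still uses `<br>` between items, so the two sections now differ in spacing. Either convention works, but confirm the change was deliberate. The trailing `<br>` context line before `### [*diffoscope*]` is preserved, so the heading spacing matches the other sections.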
=====================================
images/reports/2024-05/hal-04582287.png
=====================================
Binary files a/images/reports/2024-05/hal-04582287.png and b/images/reports/2024-05/hal-04582287.png differ
=====================================
images/reports/2024-05/hal-04586520.png
=====================================
Binary files a/images/reports/2024-05/hal-04586520.png and b/images/reports/2024-05/hal-04586520.png differ
=====================================
images/reports/2024-05/homebrew.png
=====================================
Binary files /dev/null and b/images/reports/2024-05/homebrew.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/b301f05490610cdaa0e7917063cedaeccf85a622...86a2e9f663d533eaf63ac38dd707bd064fe91f7e
--
This project does not include diff previews in email notifications.