[Git][reproducible-builds/reproducible-website][master] 2024-04: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Wed May 8 13:01:01 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
743fcc68 by Chris Lamb at 2024-05-08T13:59:46+01:00
2024-04: Initial draft

- - - - -


11 changed files:

- _reports/2024-04.md
- + images/reports/2024-04/archlinux.png
- + images/reports/2024-04/debian.png
- + images/reports/2024-04/diffoscope.png
- + images/reports/2024-04/fedora.png
- + images/reports/2024-04/guix.png
- + images/reports/2024-04/opensuse.png
- + images/reports/2024-04/reproducible-builds.png
- + images/reports/2024-04/sicherheit2024_016.png
- + images/reports/2024-04/testframework.png
- + images/reports/2024-04/website.png


Changes:

=====================================
_reports/2024-04.md
=====================================
@@ -6,40 +6,247 @@ title: "Reproducible Builds in April 2024"
 draft: true
 ---
 
-* [FIXME](https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/)
+[![]({{ "/images/reports/2024-04/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
 
-* Typst is an opensource markup-based typesetting system. Starting from version > 0.11.0, it will be reproducible by default, see the issue at https://github.com/typst/typst/issues/3806
+**Welcome to the March 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports, we attempt to outline what we have been up to over the past month, as well as mentioning some of the important things happening more generally in software supply-chain security. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-* NixOS is not reproducible, a blog post: https://linderud.dev/blog/nixos-is-not-reproducible/
+<!--
+**Table of contents:**
 
-* [FIXME](https://www.openwall.com/lists/oss-security/2024/04/08/8) + [FIXME](https://www.openwall.com/lists/oss-security/2024/04/20/3)
+0. FIXME: Populate prior to publication
+--->
 
-* [FIXME: Helmut Grohne filed Debian bug #1068809: dh-buildinfo: consider deprecating and removing the package](https://bugs.debian.org/1068809)
+---
+
+### New `backseat-signed` tool to validate distributions' source inputs
+
+*kpcyrd* announced on a new tool called [`backseat-signed`](https://github.com/kpcyrd/backseat-signed), after:
+
+> I figured out a somewhat straight-forward way to check if a given `git archive` output is cryptographically claimed to be the source input of a given binary package in either Arch Linux or Debian (or both).
+
+Elaborating more [in their announcement post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003337.html), *kpcyrd* writes:
+
+> I believe this to be the "reproducible source tarball" thing some people have been asking about. As explained in the README, I believe reproducing autotools-generated tarballs isn't worth everybody's time and instead a distribution that claims to build from source should operate on VCS snapshots instead of tarballs with 25k lines of pre-generated shell-script.
+
+Indeed, many distributions' packages already build from VCS snapshots, and this trend is likely to accelerate in response to the xz incident. The announcement led to a [lengthy discussion on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/thread.html#3337), as well as shorter [followup thread from *kpcyrd*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003376.html) about bootstrapping [Autotools](https://en.wikipedia.org/wiki/GNU_Autotools) projects.
+
+<br>
+
+### 'NixOS is not reproducible'
+
+[Morten Linderud](https://linderud.dev/) posted an post on his blog this month, provocatively titled, "[NixOS is not reproducible](https://linderud.dev/blog/nixos-is-not-reproducible/)". Although quickly admitting that his title is indeed "clickbait", Morten goes on to clarify the precise guarantees and promises that [NixOS](https://nixos.org/) provides its users.
+
+Later in the most, Morten mentions that he was motivated to write the post because:
+
+> I have heavily invested my free-time on this topic since 2017, and met some of the accomplishments we have had with “Doesn’t NixOS solve this?” for just as long… and I thought it would be of peoples interest to clarify[.]
+
+<br>
+
+### Certificate vulnerabilities in Android's `apksigner`
+
+In early April, Fay Stegerman [announced a certificate pinning bypass vulnerability and Proof of Concept (PoC)](https://www.openwall.com/lists/oss-security/2024/04/08/8) in the Android `apksigner` tool to the [`oss-security`](https://www.openwall.com/lists/oss-security/) mailing list. This tool is crucial to the validity of artifacts in the Android software supply chain.
+
+> We observed that embedding a v1 (JAR) signature file in an APK with `minSdk` >= 24 will be ignored by Android/apksigner, which only checks v2/v3 in that case. However, since fdroidserver checks v1 first, regardless of minSdk, and does not verify the signature, it will accept a "fake" certificate and see an incorrect certificate fingerprint.
+
+Later on in the month, Fay followed up with a second post detailing a script that [could be used to scan for potentially affected `.apk` files](https://www.openwall.com/lists/oss-security/2024/04/20/3) and mentioned that, whilst upstream had acknowledged the vulnerability, they had not yet applied any ameliorating fixes.
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-04/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were made a number of improvements to our website this month, including Chris Lamb updating the [archive page]({{ "/docs/archive/" | relative_url }}) to recommend `-X` and unzipping with `TZ=UTC` [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d15f76b8)] and added Maven, Gradle, JDK and Groovy examples to the [`SOURCE_DATE_EPOCH` page]({{ "/docs/source-date-epoch/" | relative_url }}) [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bfcbb9a2)]. In addition Jan Zerebecki added a new [`/contribute/opensuse/`]({{ "/contribute/opensuse/" | relative_url }}) page [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4901c9ae)] and *Sertonix* and fixed the automatic RSS feed detection [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5f311583)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/54c80767)].
+
+<br>
+
+### Mailing list news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Continuing a [thread started in March 2024](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/thread.html#3301) about the [Arch Linux minimal container now being 100% reproducible]({{ "/reports/2024-03/#arch-linux-minimal-container-userland-now-100-reproducible" | relative_url }}), John Gilmore [followed up with a post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003336.html) about the practical and philosophical distinctions of local vs. remote storage of the various artifacts needed to build packages.
+
+* Chris Lamb asked the list which conferences readers are attending these days: "After peak Covid and other industry-wide changes, conferences are no longer the 'must attend' events they previously were… especially in the area of software supply-chain security. In rough, practical terms, it seems harder to justify conference travel today than it did in mid-2019." The thread generated a [number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/thread.html#3370) which would be of interest to anyone planning travel in Q3 and Q4 of 2024.
+
+* James Addison wrote to the list about a ["quirk" in Git related to its `core.autocrlf` functionality](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003385.html), thus helpfully passing on a "slightly off-topic and perhaps not of direct relevance to anyone on the list today" note that might still be "the kind of issue that is useful to be aware of if-and-when puzzling over unexpected git content / checksum issues (situations that I _do_ expect people on this list encounter from time-to-time).
+
+<br>
+
+### [`libntlm` now releasing 'minimal source-only tarballs'](https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/)
+
+[Simon Josefsson](https://blog.josefsson.org/) wrote on his blog this month that, going forward, the [`libntlm`](https://gitlab.com/gsasl/libntlm/) project will now be releasing what they call "[minimal source-only tarballs](https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/)":
+
+> The [XZUtils incident](https://en.wikipedia.org/wiki/XZ_Utils_backdoor) illustrate that tarballs with files that are not included in the git archive offer an opportunity to disguise malicious backdoors. [The] risk of hiding malware is not the only motivation to publish signed minimal source-only tarballs. With pre-generated content in tarballs, there is a risk that GNU/Linux distributions [ship] generated files coming from the tarball into the binary `*.deb` or `*.rpm` package file. Typically the person packaging the upstream project never realized that some installed artifacts was not re-built[.]"
+
+Simon's [post](https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/) goes into further details how this was achieved, and describes some potential caveats and counters some expected responses as well. A shorter version can be found in the announcement for the [1.8 release of `libntlm`](https://lists.nongnu.org/archive/html/libntlm/2024-04/msg00000.html).
+
+<br>
+
+### [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016)
+
+[![]({{ "/images/reports/2024-04/sicherheit2024_016.png#right" | relative_url }})](https://doi.org/10.18420/sicherheit2024_016)
+
+Joshua Drexel1, Esther Hänggi and Iyán Méndez Veiga of the School of Computer Science and Information Technology, Hochschule Luzern (HSLU) in Switzerland published a paper this month entitled [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016). The paper establishes the context as follows:
+
+> Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges.
+
+What is more, the paper aims to:
+
+> … contribute to the reproducible builds effort by **setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages**. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot […].
+
+A [PDF](https://dl.gi.de/server/api/core/bitstreams/f8685808-2e51-4a53-acc0-2b45fa240e3b/content) of the paper is available.
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2024-04/debian.png#right" | relative_url }})](https://debian.org/)
 
-* [FIXME](https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/)
+In Debian this month, Helmut Grohne [filed a bug](https://bugs.debian.org/1068809) suggesting the removal of `dh-buildinfo`, a tool to generate and distribute `.buildinfo`-like files within binary pakages. Note that this is distinct from the `.buildinfo` generation performed by `dpkg-genbuildinfo`. By contrast, the entirely optional `dh-buildinfo` generated a `debian/buildinfo` file that would be shipped within binary packages as `/usr/share/doc/package/buildinfo_$arch.gz`.
 
-* Reproducible `make dist' tarball in defiance of Autotools and Gettext https://issues.guix.gnu.org/70169/
+In addition, 21 reviews of Debian packages were added, 22 were updated and 16 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number issue types have been added, such as new [`random_temporary_filenames_embedded_by_mesonpy`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/67f129bc) and [`timestamps_added_by_librime`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/3675debb) toolchain issues.
 
-* FIXME: proposed: https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds and https://github.com/keszybz/add-determinism
+[![]({{ "/images/reports/2024-04/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
 
-* Bernhard's work on [a 100% reproducible openSUSE-based distribution](https://nlnet.nl/project/Reproducible-openSUSE/) will be funded by NLnet.
+In openSUSE, it was announced that their Factory distribution [enabled bit-by-bit reproducible builds](https://news.opensuse.org/2024/04/18/factory-bit-reproducible-builds/) for almost all parts of the package. Previously, more parts needed to be ignored when comparing package files, but now only the signature needs to be deleted.
 
-* https://build.opensuse.org/package/show/home:bmwiedemann:reproducible/theunreproduciblepackage - as a proper rpm package, it allows to better test tools for debugging reproducibility
+In addition, Bernhard M. Wiedemann published [`theunreproduciblepackage`](https://build.opensuse.org/package/show/home:bmwiedemann:reproducible/theunreproduciblepackage) as a proper `.rpm` package which it allows to better test tools intended to debug reproducibility. Furthermore, it was announced that Bernhard's work on a [100% reproducible openSUSE-based distribution](https://nlnet.nl/project/Reproducible-openSUSE/) will be funded by [NLnet](https://nlnet.nl).
 
-* [FIXME](https://dl.gi.de/server/api/core/bitstreams/f8685808-2e51-4a53-acc0-2b45fa240e3b/content)
+[![]({{ "/images/reports/2024-04/guix.png#right" | relative_url }})](https://www.gnu.org/software/guix/)
 
-* [openSUSE Factory enabled bit-by-bit reproducible builds, except embedded signature.](https://news.opensuse.org/2024/04/18/factory-bit-reproducible-builds/) Previously more parts needed to be ignored when comparing, now only the signature needs to be deleted.
+In GNU Guix, Janneke Nieuwenhuizen submitted a patch set for creating a reproducible source tarball for Guix. That is to say, ensuring that `make dist' is reproducible when run from Git. [[…](https://issues.guix.gnu.org/70169/)]
+
+[![]({{ "/images/reports/2024-04/fedora.png#right" | relative_url }})](https://fedoraproject.org/)
+
+Lastly, in Fedora, a new wiki page was created to propose a change to the distribution. Titled "[*Changes/ReproduciblePackageBuilds*](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds)", the page summarises itself as a proposal whereby "A post-build cleanup is integrated into the RPM build process so that common causes of build irreproducibility in packages are removed, making most of Fedora packages reproducible."
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2024-04/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions `263`, `264` and `265` to Debian and made the following additional changes:
+
+* Don't crash on invalid `.zip` files, even if we encounter their 'badness' halfway through the file and not at the time of their initial opening. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9c7e817c)]
+* Prevent `odt2txt` tests from always being skipped due to an (impossibly) new version requirement. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/8e6f778c)]
+* Avoid parens-in-parens in test 'skipping' messages. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/99afaf60)]
+* Ensure that tests with `>=`-style version constraints actually print the tool name. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e52eef5a)]
+
+In addition, Fay Stegerman fixed a crash when there are (invalid) duplicate entries in `.zip` which was originally reported in Debian bug [#1068705](https://bugs.debian.org/1068705)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/945fd9fa)] Fay also added a user-visible 'note' to a diff when there are duplicate entries in ZIP files [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/607094a5)]. Lastly, Vagrant Cascadian added an external tool pointer for the `zipdetails` tool under [GNU Guix](https://guix.gnu.org/). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/90dd1883)]
+
+<br>
 
 ### Upstream patches
 
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Chris Lamb:
+
+    * [#1068173](https://bugs.debian.org/1068173) filed against [`pg-gvm`](https://tracker.debian.org/pkg/pg-gvm).
+    * [#1068176](https://bugs.debian.org/1068176) filed against [`goldendict-ng`](https://tracker.debian.org/pkg/goldendict-ng).
+    * [#1068372](https://bugs.debian.org/1068372) filed against [`grokevt`](https://tracker.debian.org/pkg/grokevt).
+    * [#1068374](https://bugs.debian.org/1068374) filed against [`ttconv`](https://tracker.debian.org/pkg/ttconv).
+    * [#1068375](https://bugs.debian.org/1068375) filed against [`ludevit`](https://tracker.debian.org/pkg/ludevit).
+    * [#1068795](https://bugs.debian.org/1068795) filed against [`pympress`](https://tracker.debian.org/pkg/pympress).
+    * [#1069168](https://bugs.debian.org/1069168) filed against [`sagemath-database-conway-polynomials`](https://tracker.debian.org/pkg/sagemath-database-conway-polynomials).
+    * [#1069169](https://bugs.debian.org/1069169) filed against [`gap-polymaking`](https://tracker.debian.org/pkg/gap-polymaking).
+    * [#1069663](https://bugs.debian.org/1069663) filed against [`dub`](https://tracker.debian.org/pkg/dub).
+    * [#1069709](https://bugs.debian.org/1069709) filed against [`dpb`](https://tracker.debian.org/pkg/dpb).
+    * [#1069784](https://bugs.debian.org/1069784) filed against [`python-itemloaders`](https://tracker.debian.org/pkg/python-itemloaders).
+    * [#1069822](https://bugs.debian.org/1069822) filed against [`python-gvm`](https://tracker.debian.org/pkg/python-gvm).
+
 * Jan Zerebecki:
 
-    * [rpm](https://github.com/rpm-software-management/rpm/pull/2880) (Support reproducible automatic rebuilds. Fail without changelog. Set mtimes.)
-    * [openSUSE-release-tools](https://github.com/openSUSE/openSUSE-release-tools/pull/3064) (Create changelog for generated package sources, for SOURCE_DATE_EPOCH.)
-    * [pesign-obs-integration](https://github.com/openSUSE/pesign-obs-integration/pull/48) (Create changelog for generated package sources, for SOURCE_DATE_EPOCH.)
-    * [openSUSE post-build-checks](https://github.com/openSUSE/post-build-checks/pull/62) (Set SOURCE_DATE_EPOCH.)
-    * [obs-build](https://github.com/openSUSE/obs-build/pull/977) (Fix changelog time zone handling.)
-    * [obs-service-tar_scm](https://github.com/openSUSE/obs-service-tar_scm/pull/484) (When generating changelog from git, create the file if it does not exist.)
+    * [rpm](https://github.com/rpm-software-management/rpm/pull/2880) (Support reproducible automatic rebuilds, etc.)
+    * [openSUSE-release-tools](https://github.com/openSUSE/openSUSE-release-tools/pull/3064) (Create changelog for generated package sources for `SOURCE_DATE_EPOCH`)
+    * [pesign-obs-integration](https://github.com/openSUSE/pesign-obs-integration/pull/48) (Create changelog for generated package sources for `SOURCE_DATE_EPOCH`)
+    * [openSUSE post-build-checks](https://github.com/openSUSE/post-build-checks/pull/62) (Set `SOURCE_DATE_EPOCH`)
+    * [obs-build](https://github.com/openSUSE/obs-build/pull/977) (Fix changelog timezone handling)
+    * [obs-service-tar_scm](https://github.com/openSUSE/obs-service-tar_scm/pull/484) (When generating changelog from Git, create the file if it does not exist.)
 
 * Thomas Goirand:
-    * [`oslo.messaging`](https://github.com/openstack/oslo.messaging/commit/dc55d64df989bdb5161ca8ad8d74115cc2959174) (hostname)
+
+    * [`oslo.messaging`](https://github.com/openstack/oslo.messaging/commit/dc55d64df989bdb5161ca8ad8d74115cc2959174) (fix a hostname-related issue)
+
+<br>
+
+### [*reprotest*](https://salsa.debian.org/reproducible-builds/reprotest)
+
+[*reprotest*](https://salsa.debian.org/reproducible-builds/reprotest) is our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. This month, *reprotest* version `0.7.27` was uploaded to Debian unstable) by Vagrant Cascadian who made the following additional changes:
+
+* Enable specific number of CPUs using `--vary=num_cpus.cpus=X`. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/cdabc07)]
+* Consistently use 398 days for time variation, rather than choosing randomly each time. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/42a53ed)]
+* Disable builds of `arch:any` packages. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/3270c94)]
+* Update the description for the `build_path.path` option in `README.rst`. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/9235862)]
+* Update escape sequences for compatibility with Python 3.12. ([#1068853](https://bugs.debian.org/1068853)). [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/cf65735)]
+* Remove the generic 'upstream' signing-key [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/7400030)] and update the packages' signing key with the currently active team members [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/d11398f)].
+* Update the packaging `Standards-Version` to 4.7.0. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/82777f9)]
+
+In addition, Holger Levsen fixed some spelling errors detected by the `spellintian` tool. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/96e324a)]
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-04/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility.
+
+In April, an enormous number of changes were made by Holger Levsen:
+
+* [Debian](https://debian.org/)-related changes:
+
+    * Adjust for changed internal IP addresses at Codethink. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d202c0449)]
+    * Automatically cleanup failed *diffoscope* user services if there are too many failures. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e829e6e71)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b2401650a)]
+    * Configure two new nodes at infomanik.cloud. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/cc1ed0063)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3709b0f1c)]
+    * Schedule Debian *experimemental* even less. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/73013d6f6)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4b5f4cb09)]
+
+* Breakage detection:
+
+    * Exclude currently building packages from breakage detection. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/92078b002)]
+    * Be more noisy if *diffoscope* crashes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/9997af327)]
+    * Health check: provide clickable URLs in jenkins job log for failed pkg builds due to diffoscope crashes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/386ec0aa4)]
+    * Limit graph to about the last 100 days of breakages only. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c88e08dfd)]
+    * Fix all found files with bad permissions. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6d0c66f1e)]
+    * Prepare dealing with *diffoscope* timeouts. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/98ba4fe38)]
+    * Detect more cases of failure to *debootstrap* base system. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/53865a60c)]
+    * Include timestamps of failed job runs. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/00cca3c93)]
+
+* Documentation updates:
+
+    * Document how to access arm64 nodes at Codethink. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a247125b0)]
+    * Document how to use infomaniak.cloud. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/cd004dd6c)]
+    * Drop notes about long stalled LeMaker HiKey960 boards sponsored by HPE and hosted at ETH. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0a31a1fe9)]
+    * Mention `osuosl4` and `osuosl5` and explain their usage. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/3b390f7e7)]
+    * Mention that some packages are built differently. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d68086a4b)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6067b5612)]
+    * Improve language in a comment. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/77dbf257b)]
+    * Add more notes how to query resource usage from `infomaniak.cloud`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ea1035e7b)]
+
+* Node maintenance:
+
+    * Add `ionos4` and `ionos14` to THANKS. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/be7d08960)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/699b5554c)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2e3bcbada)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/09fccba39)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/da9063ad4)]
+    * Deprecate Squid on `ionos1` and `ionos10`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/674f55d6d)]
+    * Drop obsolete script to powercycle `arm64` architecture nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/b4d37b5b3)]
+    * Update `system_health_check` for new proxy nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/148d252d0)]
+
+* Misc changes:
+
+    * Make the `update_jdn.sh` script more robust. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ef3de23bd)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2c1d7272f)]
+    * Update my SSH public key. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/23ab1af4f)]
+
+In addition, Mattia Rizzolo added some new host details. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/faddf9eaa)]
+
+<br>
+
+---
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
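Review bot: the added introduction reads "Welcome to the March 2024 report" although the front matter in the hunk header titles this file "Reproducible Builds in April 2024"; change the month to April before `draft: true` is removed. Several added lines also need a copy-edit pass before publication: "announced on a new tool", "posted an post", "Later in the most", "binary pakages", "Joshua Drexel1" (a stray footnote marker from the paper), "and *Sertonix* and fixed", "Debian *experimemental*", and "infomanik.cloud", which is spelled "infomaniak.cloud" two sections later. The James Addison item opens a quotation with "the kind of issue that is useful…" and never closes it, the diffoscope and reprotest paragraphs each carry an unmatched ")" (after the #1068705 link and after "Debian unstable"), and the Guix paragraph opens a backtick before "make dist" but closes it with an apostrophe, so the inline code span will not render. The commented-out table of contents still holds a FIXME placeholder, which is acceptable for a draft but should be tracked.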


=====================================
images/reports/2024-04/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/archlinux.png differ
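Review bot: images/reports/2024-04/archlinux.png is added here but nothing in the _reports/2024-04.md hunk references it; the "Distribution work" section embeds only debian.png, opensuse.png, guix.png and fedora.png. Either add the Arch Linux paragraph that uses this image or leave the file out of this commit until that text exists.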


=====================================
images/reports/2024-04/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/debian.png differ


=====================================
images/reports/2024-04/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/diffoscope.png differ


=====================================
images/reports/2024-04/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/fedora.png differ


=====================================
images/reports/2024-04/guix.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/guix.png differ


=====================================
images/reports/2024-04/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/opensuse.png differ


=====================================
images/reports/2024-04/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/reproducible-builds.png differ


=====================================
images/reports/2024-04/sicherheit2024_016.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/sicherheit2024_016.png differ


=====================================
images/reports/2024-04/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/testframework.png differ


=====================================
images/reports/2024-04/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/743fcc689d1a974e0d8b1414da824eca62d4f46b
