[Git][reproducible-builds/reproducible-website][master] 2 commits: 2024-04: Final changes prior to publication.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Fri May 10 10:05:48 UTC 2024



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
e3945d13 by Chris Lamb at 2024-05-10T11:04:56+01:00
2024-04: Final changes prior to publication.

- - - - -
c5a283e7 by Chris Lamb at 2024-05-10T11:05:26+01:00
published as https://reproducible-builds.org/reports/2024-04/

- - - - -


2 changed files:

- _reports/2024-04.md
- + images/reports/2024-04/nixos.png


Changes:

=====================================
_reports/2024-04.md
=====================================
@@ -3,18 +3,28 @@ layout: report
 year: "2024"
 month: "04"
 title: "Reproducible Builds in April 2024"
-draft: true
+draft: false
+date: 2024-05-10 10:05:26
 ---
 
 [![]({{ "/images/reports/2024-04/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
 
 **Welcome to the April 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports, we attempt to outline what we have been up to over the past month, as well as mentioning some of the important things happening more generally in software supply-chain security. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-<!--
 **Table of contents:**
 
-0. FIXME: Populate prior to publication
---->
+0. [New `backseat-signed` tool to validate distributions’ source inputs](#new-backseat-signed-tool-to-validate-distributions-source-inputs)
+0. [‘NixOS is not reproducible’](#nixos-is-not-reproducible)
+0. [Certificate vulnerabilities in F-Droid’s `fdroidserver`](#certificate-vulnerabilities-in-f-droids-fdroidserver)
+0. [Website updates](#website-updates)
+0. [‘Reproducible Builds and Insights from an Independent Verifier for Arch Linux’](#reproducible-builds-and-insights-from-an-independent-verifier-for-arch-linux)
+0. [`libntlm` now releasing ‘minimal source-only tarballs’](#libntlm-now-releasing-minimal-source-only-tarballs)
+0. [Distribution work](#distribution-work)
+0. [Mailing list news](#mailing-list-news)
+0. [diffoscope](#diffoscope)
+0. [Upstream patches](#upstream-patches)
+0. [reprotest](#reprotest)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
 
 ---
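Review bot: the new `date: 2024-05-10 10:05:26` front-matter value carries no timezone offset, so Jekyll will interpret it in the site's configured `timezone` setting (or the build host's local zone if none is set); the commit it corresponds to is stamped `2024-05-10T11:05:26+01:00`, i.e. 10:05:26 UTC, so appending the offset, as in `date: 2024-05-10 10:05:26 +0000`, pins the published timestamp regardless of where the site is built. The twelve table-of-contents anchors also need checking against headings that lie outside this hunk: only the NixOS, Arch Linux paper and mailing-list headings are visible in this diff, and for those three the kramdown-generated ids match the anchors given here.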
 
@@ -34,6 +44,8 @@ Indeed, many distributions' packages already build from VCS snapshots, and this
 
 ### 'NixOS is not reproducible'
 
+[![]({{ "/images/reports/2024-04/nixos.png#right" | relative_url }})](https://linderud.dev/blog/nixos-is-not-reproducible/)
+
 [Morten Linderud](https://linderud.dev/) posted an post on his blog this month, provocatively titled, "[NixOS is not reproducible](https://linderud.dev/blog/nixos-is-not-reproducible/)". Although quickly admitting that his title is indeed "clickbait", Morten goes on to clarify the precise guarantees and promises that [NixOS](https://nixos.org/) provides its users.
 
 Later in the most, Morten mentions that he was motivated to write the post because:
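Review bot: two pre-existing typos sit in the unchanged context lines directly below the new image link and could be fixed while this section is being touched: "posted an post on his blog" should read "posted a post on his blog", and "Later in the most, Morten mentions" should read "Later in the post, Morten mentions". The `![]` image has an empty alt text, consistent with the other report images, so no change is needed there; `nixos.png` is the binary added by this same commit, so the reference resolves.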
@@ -60,15 +72,19 @@ There were a number of improvements made to our website this month, including Ch
 
 <br>
 
-### Mailing list news
+### [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016)
 
-On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+[![]({{ "/images/reports/2024-04/sicherheit2024_016.png#right" | relative_url }})](https://doi.org/10.18420/sicherheit2024_016)
 
-* Continuing a [thread started in March 2024](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/thread.html#3301) about the [Arch Linux minimal container now being 100% reproducible]({{ "/reports/2024-03/#arch-linux-minimal-container-userland-now-100-reproducible" | relative_url }}), John Gilmore [followed up with a post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003336.html) about the practical and philosophical distinctions of local vs. remote storage of the various artifacts needed to build packages.
+Joshua Drexel, Esther Hänggi and Iyán Méndez Veiga of the School of Computer Science and Information Technology, Hochschule Luzern (HSLU) in Switzerland published a paper this month entitled [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016). The paper establishes the context as follows:
 
-* Chris Lamb asked the list which conferences readers are attending these days: "After peak Covid and other industry-wide changes, conferences are no longer the 'must attend' events they previously were… especially in the area of software supply-chain security. In rough, practical terms, it seems harder to justify conference travel today than it did in mid-2019." The thread generated a [number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/thread.html#3370) which would be of interest to anyone planning travel in Q3 and Q4 of 2024.
+> Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges.
 
-* James Addison wrote to the list about a ["quirk" in Git related to its `core.autocrlf` functionality](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003385.html), thus helpfully passing on a "slightly off-topic and perhaps not of direct relevance to anyone on the list today" note that might still be "the kind of issue that is useful to be aware of if-and-when puzzling over unexpected git content / checksum issues (situations that I _do_ expect people on this list encounter from time-to-time)".
+What is more, the paper aims to:
+
+> … contribute to the reproducible builds effort by **setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages**. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot […].
+
+A [PDF](https://dl.gi.de/server/api/core/bitstreams/f8685808-2e51-4a53-acc0-2b45fa240e3b/content) of the paper is available.
 
 <br>
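Review bot: this hunk replaces the mailing-list section with the Arch Linux paper section, but both are relocations rather than edits: the three removed bullets reappear unchanged in the last hunk, and the added paper text is identical to the block removed in the next hunk. A reorder like this is easier to review with `git diff --color-moved` (or `git show --color-moved`), which highlights moved blocks instead of presenting them as unrelated deletions and additions; content-wise nothing is lost, and the new order (paper before libntlm, mailing list after distribution work) matches the table of contents added in the first hunk.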
 
@@ -82,22 +98,6 @@ Simon's [post](https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-so
 
 <br>
 
-### [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016)
-
-[![]({{ "/images/reports/2024-04/sicherheit2024_016.png#right" | relative_url }})](https://doi.org/10.18420/sicherheit2024_016)
-
-Joshua Drexel, Esther Hänggi and Iyán Méndez Veiga of the School of Computer Science and Information Technology, Hochschule Luzern (HSLU) in Switzerland published a paper this month entitled [*Reproducible Builds and Insights from an Independent Verifier for Arch Linux*](https://doi.org/10.18420/sicherheit2024_016). The paper establishes the context as follows:
-
-> Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges.
-
-What is more, the paper aims to:
-
-> … contribute to the reproducible builds effort by **setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages**. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot […].
-
-A [PDF](https://dl.gi.de/server/api/core/bitstreams/f8685808-2e51-4a53-acc0-2b45fa240e3b/content) of the paper is available.
-
-<br>
-
 ### Distribution work
 
 [![]({{ "/images/reports/2024-04/debian.png#right" | relative_url }})](https://debian.org/)
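Review bot: the removed block is byte-identical to the block added in the preceding hunk (heading, image link, both quotations and the PDF link), so this is the deletion half of a move and drops nothing. The `sicherheit2024_016.png` image reference travels with it and was already in the repository, which is why, unlike `nixos.png`, it does not appear among this commit's changed files.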
@@ -122,6 +122,18 @@ Lastly, in Fedora, a new wiki page was created to propose a change to the distri
 
 <br>
 
+### Mailing list news
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Continuing a [thread started in March 2024](https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/thread.html#3301) about the [Arch Linux minimal container now being 100% reproducible]({{ "/reports/2024-03/#arch-linux-minimal-container-userland-now-100-reproducible" | relative_url }}), John Gilmore [followed up with a post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003336.html) about the practical and philosophical distinctions of local vs. remote storage of the various artifacts needed to build packages.
+
+* Chris Lamb asked the list which conferences readers are attending these days: "After peak Covid and other industry-wide changes, conferences are no longer the 'must attend' events they previously were… especially in the area of software supply-chain security. In rough, practical terms, it seems harder to justify conference travel today than it did in mid-2019." The thread generated a [number of responses](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/thread.html#3370) which would be of interest to anyone planning travel in Q3 and Q4 of 2024.
+
+* James Addison wrote to the list about a ["quirk" in Git related to its `core.autocrlf` functionality](https://lists.reproducible-builds.org/pipermail/rb-general/2024-April/003385.html), thus helpfully passing on a "slightly off-topic and perhaps not of direct relevance to anyone on the list today" note that might still be "the kind of issue that is useful to be aware of if-and-when puzzling over unexpected git content / checksum issues (situations that I _do_ expect people on this list encounter from time-to-time)".
+
+<br>
+
 ### [*diffoscope*](https://diffoscope.org)
 
 [![]({{ "/images/reports/2024-04/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)


=====================================
images/reports/2024-04/nixos.png
=====================================
Binary files /dev/null and b/images/reports/2024-04/nixos.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/013d861f30a93f5332fe8a5cbb69edb8cd35b119...c5a283e71658f6776b3240e966cc175adab302a6


