[Git][reproducible-builds/reproducible-website][master] 2024-10: Initial draft
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Nov 7 21:56:43 UTC 2024
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
7b48c217 by Chris Lamb at 2024-11-07T13:55:45-08:00
2024-10: Initial draft
- - - - -
14 changed files:
- _reports/2024-09.md
- _reports/2024-10.md
- + images/reports/2024-10/OSS-EU-2024.png
- + images/reports/2024-10/archlinux.png
- + images/reports/2024-10/debian.png
- + images/reports/2024-10/diffoscope.png
- + images/reports/2024-10/fedora.png
- + images/reports/2024-10/izzyondroid.png
- + images/reports/2024-10/opensuse.png
- + images/reports/2024-10/paper-2410-08427.png
- + images/reports/2024-10/reproducible-builds.png
- + images/reports/2024-10/seagl.png
- + images/reports/2024-10/testframework.png
- + images/reports/2024-10/website.png
Changes:
=====================================
_reports/2024-09.md
=====================================
@@ -268,7 +268,7 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
### Reproducibility testing framework
-[![]({{ "/images/reports/2024-08/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+[![]({{ "/images/reports/2024-09/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In September, a number of changes were made by Holger Levsen, including:
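Review bot: confirm that `images/reports/2024-09/testframework.png` actually exists in the tree before merging the path change on the `+` line. The changed-files list at the top of this commit adds images only under `images/reports/2024-10/`, so if the September screenshot was never committed this hunk swaps a wrong-but-present image for a broken one on the already-published September report.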
=====================================
_reports/2024-10.md
=====================================
@@ -6,52 +6,223 @@ title: "Reproducible Builds in October 2024"
draft: true
---
-* [FIXME](https://www.digidow.eu/publications/2024-schwaighofer-scored/Schwaighofer_2024_SCORED24_CloudBuildSystemsTrust.pdf)
+[![]({{ "/images/reports/2024-10/reproducible-builds.png#right" | relative_url }})](https://reproducible-builds.org/)
-* The open source summit EU 2024 covered plenty topics related to supply-chain security:
- * [Public Sector + OpenSSF: Principles for Package Repository Security](https://www.youtube.com/watch?v=EyzFZYeSj5g&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=124)
- * [The Model Openness Framework: Promoting Completeness and Openness for Reproducibility, Transparency and Usability in AI](https://www.youtube.com/watch?v=-GFcUgT77oE&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=114)
- * [Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies](https://www.youtube.com/watch?v=ZT3XdMF6U5A&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=106)
- * [Lightning Talk: Elephant in the Room: How Supply Chain Security Standards Are Not Standard and What to Do About It](https://www.youtube.com/watch?v=ICrlIlWAiGA&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=103)
- * [Lightning Talk: Charting the Course for Secure Software Supply Chain with Guac-AI-Mole!](https://www.youtube.com/watch?v=mHjsaDDkbKo&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=102)
- * [TPMs, Merkle Trees and TEEs: Enhancing SLSA with Hardware-Assisted Build Environment Verification](https://www.youtube.com/watch?v=Gk0LDi05KRg&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=100)
- * [Accountability Taxonomy for AI Software Bill of Materials](https://www.youtube.com/watch?v=nSQ3rsaqpaQ&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=47)
- * [Securing Your Supply Chain with an Open Source Ecosystem](https://www.youtube.com/watch?v=154gKafXhnc&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=33)
- * [OSS Supply Chain Threats and Why You Need a Holistic Security Strategy](https://www.youtube.com/watch?v=cLPZ7dYndH0&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=30)
- * [A Step Closer to in-Toto’lly Secure: Using in-Toto and OPA Gatekeeper to Verify Artifact Integrity](https://www.youtube.com/watch?v=b_ImE70Vhd8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=28)
- * [Panel Discussion: Improving Supply Chain Integrity with OpenSSF Technologies](https://www.youtube.com/watch?v=6EPROzPfqD8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=26)
- * [Case Study: 10+ Years of Developing an SBOM System and the Dos and Don’ts](https://www.youtube.com/watch?v=1LTqB4czzEs&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=142)
- * [SBOM in SaaS Environments: An Update](https://www.youtube.com/watch?v=4rA9JOESvL8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=182)
- * [Securing Git Repositories with Gittuf](https://www.youtube.com/watch?v=eCSeIEdMbCw&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=179)
+**Welcome to the October 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project.**
-* [FIXME](https://arxiv.org/pdf/2410.08427)
+Our reports attempt to outline what we've been up to over the past month, highlighting news items from elsewhere in tech where they are related. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
-* [FIXME](https://tech.lgbt/@obfusk/113403959098151861) (NB: this is an update RE https://reproducible-builds.org/reports/2024-09/#android-toolchain-core-count-issue-reported)
+<!--
-* [FIXME: IzzyOnDroid passed 25% RB apps threshold](https://floss.social/@IzzyOnDroid/113350034406251501)
+**Table of contents:**
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/NRT3XWO4ZRSIMAPSHD7HVSD5Z62WQWAA/)
+0. FIXME
+
+-->
+
+---
+
+### Beyond bitwise quality for Reproducible Builds?
+
+[![]({{ "/images/reports/2024-10/paper-2410-08427.png#right" | relative_url }})](https://doi.org/10.48550/arXiv.2410.08427)
+
+Jens Dietrich, Tim White, of Victoria University of Wellington, New Zealand along with Behnaz Hassanshahi and Paddy Krishnan of Oracle Labs Australia published a paper entitled "[*Levels of Binary Equivalence for the Comparison of Binaries from Alternative Builds*](https://doi.org/10.48550/arXiv.2410.08427)":
+
+> The availability of multiple binaries built from the same sources creates new challenges and opportunities, and raises questions such as: “Does build A confirm the integrity of build B?” or “Can build A reveal a compromised build B?”. To answer such questions requires a notion of equivalence between binaries. We demonstrate that **the obvious approach based on bitwise equality has significant shortcomings** in practice, and that there is value in opting for alternative notions. We conceptualise this by introducing levels of equivalence, inspired by clone detection types.
+
+A [PDF](https://arxiv.org/pdf/2410.08427v1) of the paper is freely available.
+
+<br>
+
+### '*Two Ways to Trustworthy*' at [SeaGL](https://seagl.org/) 2024
+
+[![]({{ "/images/reports/2023-11/seagl.png#right" | relative_url }})](https://pretalx.seagl.org/2024/talk/W73ACM/)
+
+On Friday 8th November, Vagrant Cascadian will present a talk entitled [*Two Ways to Trustworthy*](https://pretalx.seagl.org/2024/talk/W73ACM/) at [SeaGL](https://seagl.org/) in Seattle, WA.
+
+Founded in 2013, SeaGL is a free, grassroots technical summit dedicated to spreading awareness and knowledge about free source software, hardware and culture. Vagrant's talk:
+
+> […] delves into how two project[s] approaches fundamental security features through Reproducible Builds, Bootstrappable Builds, code auditability, etc. to improve trustworthiness, allowing independent verification; trustworthy projects require little to no trust.
+>
+> Exploring the challenges that each project faces due to very different technical architectures, but also contextually relevant social structure, adoption patterns, and organizational history should provide a good backdrop to understand how different approaches to security might evolve, with real-world merits and downsides.
+
+<br>
+
+### [Android `.dex`](https://source.android.com/docs/core/runtime/dex-format) bytecode output depends on number of CPU cores
+
+Fay Stegerman [reported a "fun" compiler bug](https://tech.lgbt/@obfusk/113403959098151861) in which:
+
+> the D8 Java to DEX compiler (part of the Android toolchain) eliminated a redundant field load if running the class's static initialiser was known to be free of side effects, which ended up accidentally depending on the sharding of the input, which is dependent on the number of CPU cores used during the build.
+
+Fay [reported this bug to the Android issue tracker](https://issuetracker.google.com/issues/366412380) but she also made a [small example](https://gist.github.com/obfusk/83822140509dad4148b14bba41adf008) to illustrate when and why this optimisation is valid. This is an update to a bug [previously-reported in these reports]({{ "/reports/2024-09/#android-toolchain-core-count-issue-reported" | relative_url }}).
+
+<br>
+
+### On our mailing list…
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Following-up to previous work, James Addison informed the list that the recently-released [Sphinx](https://www.sphinx-doc.org/en/master/) documentation generator includes [improvements to the next copyright notice substitutions](https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003562.html).
+
+* Pol Dellaiera wrote to the list in order to [seek advice around introducing the concept of reproducibility](https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003560.html) to computer science Masters students at the [University of Mons, Belgium](https://web.umons.ac.be/).
+
+* James Addison also followed-up to a [previous thread on "`CONFIG_MODULE_SIG` and the unreproducible Linux Kernel"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003530.html) to add: "I wonder whether it would be possible to use the Linux kernel's [Integrity Policy Enforcement](https://docs.kernel.org/admin-guide/LSM/ipe.html) to deploy a policy that would prevent loading of anything except a set of expected kernel modules." [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003553.html)]
+
+* There was also two informative replies from [David Wheeler](https://dwheeler.com/) to a broad-based discussion on Reproducible Builds being defined in various standards. [[…](https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003550.html)][[…](https://lists.reproducible-builds.org/pipermail/rb-general/2024-October/003551.html)]
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2024-10/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions `279`, `280`, `281` and `282` to Debian:
+
+* Ignore errors when listing `.ar` archives ([`#1085257`](https://bugs.debian.org/1085257)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/e0e10c41)]
+* Don't try and test with `systemd-ukify` in the Debian stable distribution. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0736b361)]
+* Drop `Depends` on the deprecated `python3-pkg-resources` ([`#1083362`](https://bugs.debian.org/1083362)). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/997c6adb)]
+
+In addition, Jelle van der Waa added support for [Unified Kernel Image](https://wiki.archlinux.org/title/Unified_kernel_image) (UKI) files. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/9d5b5d32)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2d7f54bf)][[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/153d6185)] Furthermore, Vagrant Cascadian updated *diffoscope* in [GNU Guix](https://guix.gnu.org/) to version 282. [[…](https://debbugs.gnu.org/74072)][[…](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d6f775c30c6f47e174f6110d1089edc6315600e4)]
+
+<br>
+
+### [IzzyOnDroid](https://codeberg.org/IzzyOnDroid/rbtlog) has passed 25% reproducible
+
+[![]({{ "/images/reports/2024-10/izzyondroid.png#right" | relative_url }})](https://floss.social/@IzzyOnDroid/113350034406251501)
+
+The [IzzyOnDroid](https://codeberg.org/IzzyOnDroid/rbtlog) project which provides transparency log for Android `.apk` files has reached a good milestone by reaching 25% of their ~1,200 projects being reproducible. [[…](https://floss.social/@IzzyOnDroid/113350034406251501)]
+
+<br>
+
+### Distribution work
+
+[![]({{ "/images/reports/2024-10/debian.png#right" | relative_url }})](https://debian.org/)
+
+In Debian this month:
+
+* Holger [uploaded `devscripts` version 2.24.2](https://tracker.debian.org/news/1581399/accepted-devscripts-2242-source-into-unstable/), including many changes to the `debootsnap`, `debrebuild` and `reproducible-check` scripts. This is the first time that `debrebuild` actually works (using `sbuild`'s `unshare` backend). As part of this, Holger Levsen also fixed an issue in the `reproducible-check` script where a typo in the code led to incorrect results [[…](https://salsa.debian.org/debian/devscripts/-/commit/4b3cf6bfbb3940700aab407879bf411c58b97847)]
+
+* Holger Levsen also fixed an issue in the `reproducible-check` script shipped in the `devscripts` script, where a typo in the code led to incorrect results [[…](https://salsa.debian.org/debian/devscripts/-/commit/4b3cf6bfbb3940700aab407879bf411c58b97847)]
+
+* Recently, a news entry was added to [*snapshot.debian.org*](http://snapshot.debian.org/)'s homepage, describing the recent changes that made the system stable again:
+
+ > The new server has no problems keeping up with importing the full archives on every update, as each run finishes comfortably in time before it's time to run again. [While] the new server is the one doing all the importing of updated archives, the [HTTP interface](https://snapshot.debian.org/) is being served by both the new server and one of the VM's at [LeaseWeb](https://www.leaseweb.com/).
+
+ The entry list a number of specific updates surrounding the API endpoints and rate limiting.
+
+* Lastly, 12 reviews of Debian packages were added, 3 were updated and 18 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+[![]({{ "/images/reports/2024-10/fedora.png#right" | relative_url }})](https://fedoraproject.org/)
+
+Elsewhere in distribution news, Zbigniew Jędrzejewski-Szmek performed another rebuild of [Fedora](https://fedoraproject.org) 42 packages, with the headline result being that [91% of the packages are reproducible](https://in.waw.pl/~zbyszek/fedora/builds-f42-with-add-det-4.x.summary.txt). Zbigniew also [reported a reproducibility problem with QImage](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/67ICWGGE3TUPG5RH32GZAXICO4T5BXFG/).
+
+[![]({{ "/images/reports/2024-10/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+Finally, in openSUSE, Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/NRT3XWO4ZRSIMAPSHD7HVSD5Z62WQWAA/) for that distribution.
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-10/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+There were an *enormous* number of improvements made to our website this month, including:
+
+* Alba Herrerias:
+
+ * Improve consistency across distribution-specific guides. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/12826f09)]
+ * Fix a number of links on the *Contribute* page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1274584d)]
+
+* Chris Lamb:
+
+ * Correct the name of [Civil Infrastructure Platform](https://www.cip-project.org/) name and update image on the [*Projects*](https://reproducible-builds.org/who/projects/) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e53ecbc7)]
+ * Update broken link on the [*Value Initialization*](https://reproducible-builds.org/docs/value-initialization/) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/56f708d7)]
+ * Try and make pipeline/branch builds of the website easier to browse. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8bff7574)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/df01bf5f)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a3faf5be)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c735ea6)]
+
+* `hulkoba`
+
+ * Contribute to the new '[Success stories]({{ "/success-stories/" | relative_url }})' page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4ca4e410)]
+
+* James Addison:
+
+ * Huge and significant work on a (as-yet-merged) quickstart guide to be linked from the homepage [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/30d226e0)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6ccad0f4)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/aeb73a4a)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5ee3ac46)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8e8f7d55)]
+ * On the [homepage]({{ "/" | relative_url }}), link directly to the [Projects]({{ "/who/projects" | relative_url }}) subpage. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ca047d2e)]
+ * Relocate "dependency-drift" notes to the [Volatile inputs]({{ "/docs/volatile-inputs/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/63d58e09)]
+
+* Ninette Adhikari:
+
+ * Add a brand new '[Success stories]({{ "/success-stories/" | relative_url }})' page that "highlights the success stories of Reproducible Builds, showcasing real-world examples of projects shipping with verifiable, reproducible builds". [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/12f4df01)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ddc6df7c)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6b3dba82)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/19a17974)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/28d82a04)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/115ed658)]
+
+* Pol Dellaiera:
+
+ * Update the website's `README` page for building the website under [NixOS](https://nixos.org/). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5428366d)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f90aba5c)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/13a338ab)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b9e51c38)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/39598567)]
+ * Add a new academic paper citation. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/62aa449b)]
+
+Lastly, Holger Levsen filed an extensive issue detailing a request to [create an overview of recommendations and standards](https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/59) in relation to reproducible builds.
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-10/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In October, a number of changes were made by Holger Levsen, including:
+
+* Add a basic `index.html` for `rebuilderd`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2fdfe56c1)]
+* Update the `nginx.conf` configuration file for `rebuilderd`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e43de52e2)]
+* Document how to use a rescue system for Infomaniak's OpenStack cloud. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/254f86399)]
+* Update usage info for two particular nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/fbf8d89a4)]
+* Fix up a version skew check to fix the name of the `riscv64` architecture. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/8eae72e56)]
+* Update the `rebuilderd`-related TODO. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6a383397b)]
+
+In addition, Mattia Rizzolo added a new IP address for the `inos5` node [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5cea8f4a8)] and Vagrant Cascadian brought 4 `virt` nodes back online [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/114838df4)].
+
+<br>
+
+### Supply-chain security at [Open Source Summit EU](https://events.linuxfoundation.org/open-source-summit-europe/)
+
+[![]({{ "/images/reports/2024-10/OSS-EU-2024.png#right" | relative_url }})](https://events.linuxfoundation.org/open-source-summit-europe/)
+
+The [Open Source Summit EU](https://events.linuxfoundation.org/open-source-summit-europe/) took place recently, and covered plenty of topics related to supply-chain security, including:
+
+* [Public Sector & OpenSSF: Principles for Package Repository Security](https://www.youtube.com/watch?v=EyzFZYeSj5g&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=124)
+* [The Model Openness Framework: Promoting Completeness and Openness for Reproducibility, Transparency and Usability in AI](https://www.youtube.com/watch?v=-GFcUgT77oE&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=114)
+* [Structured Scorecard Results: Tailor Your Own Supply-Chain Security Policies](https://www.youtube.com/watch?v=ZT3XdMF6U5A&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=106)
+* [Lightning Talk: Elephant in the Room: How Supply Chain Security Standards Are Not Standard and What to Do About It](https://www.youtube.com/watch?v=ICrlIlWAiGA&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=103)
+* [Lightning Talk: Charting the Course for Secure Software Supply Chain with Guac-AI-Mole!](https://www.youtube.com/watch?v=mHjsaDDkbKo&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=102)
+* [TPMs, Merkle Trees and TEEs: Enhancing SLSA with Hardware-Assisted Build Environment Verification](https://www.youtube.com/watch?v=Gk0LDi05KRg&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=100)
+* [Accountability Taxonomy for AI Software Bill of Materials](https://www.youtube.com/watch?v=nSQ3rsaqpaQ&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=47)
+* [Securing Your Supply Chain with an Open Source Ecosystem](https://www.youtube.com/watch?v=154gKafXhnc&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=33)
+* [OSS Supply Chain Threats and Why You Need a Holistic Security Strategy](https://www.youtube.com/watch?v=cLPZ7dYndH0&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=30)
+* [A Step Closer to in-Toto’lly Secure: Using in-Toto and OPA Gatekeeper to Verify Artifact Integrity](https://www.youtube.com/watch?v=b_ImE70Vhd8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=28)
+* [Panel Discussion: Improving Supply Chain Integrity with OpenSSF Technologies](https://www.youtube.com/watch?v=6EPROzPfqD8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=26)
+* [Case Study: 10+ Years of Developing an SBOM System and the Dos and Don’ts](https://www.youtube.com/watch?v=1LTqB4czzEs&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=142)
+* [SBOM in SaaS Environments: An Update](https://www.youtube.com/watch?v=4rA9JOESvL8&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=182)
+* [Securing Git Repositories with Gittuf](https://www.youtube.com/watch?v=eCSeIEdMbCw&list=PLbzoR-pLrL6poagnac0dQuTXcmNvUHVOj&index=179)
+
+<br>
### Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
* Bernhard M. Wiedemann
- * [`apache-ivy`](https://build.opensuse.org/request/show/1206032) (zip mtime)
- * [`ccache`](https://github.com/ccache/ccache/pull/1525) (FTBFS-2038)
+
+ * [`apache-ivy`](https://build.opensuse.org/request/show/1206032) (`.zip` modification time)
+ * [`ccache`](https://github.com/ccache/ccache/pull/1525) (build failure)
* [`colord`](https://github.com/hughsie/colord/issues/174) (CPU)
* [`efivar`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231368) (CPU/march=native)
- * [`gsl`](https://build.opensuse.org/request/show/1206278) (nocheck)
+ * [`gsl`](https://build.opensuse.org/request/show/1206278) (no check)
* [`libcamera`](https://lists.libcamera.org/pipermail/libcamera-devel/2024-October/045731.html) (date/copyright year)
* [`libreoffice`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231580) (possible rpm/build toolchain corruption bug)
- * [`moto`](https://github.com/getmoto/moto/pull/8218) (gzip mtime)
- * [`openssl-1_1`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231667) (date(copyright year))
+ * [`moto`](https://github.com/getmoto/moto/pull/8218) (`.gz` modification time)
+ * [`openssl-1_1`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231667) (date-related issue)
* [`python-pygraphviz`](https://github.com/pygraphviz/pygraphviz/pull/544) (benchmark)
- * [`sphinx/python-pygraphviz`](https://github.com/sphinx-gallery/sphinx-gallery/pull/1385) (toolchain, benchmark)
- * [`python-panel`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231254) (package.lock has random port)
- * [`python-propcache`](https://build.opensuse.org/request/show/1207574) (random tmp path)
- * [`python314`](https://github.com/python/cpython/pull/125261) (gzip mtime, toolchain)
- * [`rusty_v8`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231548) (rust random .o files)
+ * [`sphinx/python-pygraphviz`](https://github.com/sphinx-gallery/sphinx-gallery/pull/1385) (benchmark)
+ * [`python-panel`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231254) (`package.lock` has random port)
+ * [`python-propcache`](https://build.opensuse.org/request/show/1207574) (random temporary path)
+ * [`python314`](https://github.com/python/cpython/pull/125261) (`.gz`-related modification time)
+ * [`rusty_v8`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231548) (random `.o` files)
* [`scapy`](https://build.opensuse.org/request/show/1205217) (date)
* [`wine`](https://bugzilla.opensuse.org/show_bug.cgi?id=1231620) (parallelism)
* [`ibmtss`](https://github.com/kgoldman/ibmtss/commit/3a17ac01bea73d3568272d61b895a16a0bd85440) ([FTBFS-2026](https://sourceforge.net/p/ibmtpm20tss/tickets/49/))
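Review bot: the FIXME on the first `-` line of this hunk (the Schwaighofer SCORED'24 paper at `https://www.digidow.eu/publications/2024-schwaighofer-scored/...`) is deleted but, unlike every other FIXME removed in this commit, nothing in the `+` lines writes it up; either add a short section next to the Dietrich et al. paper or keep the FIXME so the item is not silently lost. Two image-path problems: the SeaGL link reads `[![]({{ "/images/reports/2023-11/seagl.png#right" | relative_url }})]` while this commit adds `images/reports/2024-10/seagl.png`, and `images/reports/2024-10/archlinux.png` is added but referenced nowhere in the report. In the Debian list the `reproducible-check` typo fix is reported twice, once at the end of the `devscripts` 2.24.2 bullet and again as its own bullet directly below it; drop one. Wording nits: "(as-yet-merged) quickstart guide" presumably means "as-yet-unmerged"; "There was also two informative replies" should be "There were"; "The entry list a number" should be "lists"; "Correct the name of Civil Infrastructure Platform name" repeats "name"; and "provides transparency log" needs "a". Lastly, rewriting `ccache` (FTBFS-2038) as "(build failure)" and `openssl-1_1` (date(copyright year)) as "(date-related issue)" loses the year-2038 and copyright-year specifics that the unchanged `ibmtss` ([FTBFS-2026]) and `ceph` (year-2038 variation) entries still carry; something like "(fails to build after 2038)" keeps the detail and stays readable.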
@@ -64,33 +235,32 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [`util`](https://github.com/util-linux/util-linux/issues/3259) (random test failure)
* [`ceph`](https://tracker.ceph.com/issues/68778) (year-2038 variation from embedded boost)
+* Chris Lamb:
+
+ * [#1085097](https://bugs.debian.org/1085097) filed against [`python-roborock`](https://tracker.debian.org/pkg/python-roborock).
+ * [#1085280](https://bugs.debian.org/1085280) filed against [`pywayland`](https://tracker.debian.org/pkg/pywayland).
+ * [#1085283](https://bugs.debian.org/1085283) filed against [`readsb`](https://tracker.debian.org/pkg/readsb).
+ * [#1085381](https://bugs.debian.org/1085381) filed against [`xraylarch`](https://tracker.debian.org/pkg/xraylarch).
+
* James Addison:
* [#1085112](https://bugs.debian.org/1085112) filed against [`distro-info`](https://tracker.debian.org/pkg/distro-info).
* Zbigniew Jędrzejewski-Szmek:
- * [`calibre`](https://github.com/kovidgoyal/calibre/pull/2483) (sort issue)
- * [`calibre`](https://github.com/kovidgoyal/calibre/pull/2484) (sort issue)
-* Recently a news entry was added to [FIXME](http://snapshot.debian.org/) describing the recent changes that made the system usable again. Quote: <i>
-The new server has no problems keeping up with importing the full archives on every update as each run finishes comfortably in time before it's time to run again. For example, the 'debian' archive which is updated every six hours takes on average 11 minutes to import. While the new server is the one doing all the importing of updated archives, the HTTP interface (https://snapshot.debian.org/) is being served by both the new server and one of the VM's at LeaseWeb. Snapshot is currently holding 172TB of data.
+ * [`calibre`](https://github.com/kovidgoyal/calibre) (two sort issues) [[…](https://github.com/kovidgoyal/calibre/pull/2483)][[…](https://github.com/kovidgoyal/calibre/pull/2484)]
-Other recent changes include
+<br>
- A new API endpoint for listing all timestamps grouped by archives (/mr/timestamp/) was added in August 2024.
- The Netfilter rate limiting has been disabled. It will be replaced by rate limiting on the HTTP layer, which should be easier for clients to deal with.
-</i> Endquote. And <i>Replacing SHA-1 with SHA-256 for file identities is planned. Old URLs with SHA-1 strings will keep working.</i>
-
-* [FIXME: create overview of recommendations and standards requesting r-b](https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/59)
+---
-* [FIXME: src/devscripts: scripts/reproducible-check: fix typo, leading to incorrect results. thanks to Oejet](https://salsa.debian.org/debian/devscripts/-/commit/4b3cf6bfbb3940700aab407879bf411c58b97847)
+Finally, If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
-* [FIXME Zbigniew Jędrzejewski-Szmek rebuild all Fedora 42 packages again, 91% reproducible](https://in.waw.pl/~zbyszek/fedora/builds-f42-with-add-det-4.x.summary.txt)
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
-* [FIXME Zbigniew Jędrzejewski-Szmek reports about a reproducibility problem with QImage and resizing images resulting in subtile shading differences](https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/67ICWGGE3TUPG5RH32GZAXICO4T5BXFG/)
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
-* FIXME: Holger [uploaded devscripts 2.24.2](https://tracker.debian.org/news/1581399/accepted-devscripts-2242-source-into-unstable/) including many changes to debootsnap, debrebuild and reproducible-check. this is the first time debrebuild works (using sbuild's unshare backend), when using everything from the devscripts and sbuild packages in unstable without any further patching.
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
-* Vagrant Cascadian updated diffoscope in guix to version 282 https://debbugs.gnu.org/74072 https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d6f775c30c6f47e174f6110d1089edc6315600e4
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
-* Vagrant Cascadian will be presenting "Two Ways to Trustworthy" at SeaGL 2024 https://pretalx.seagl.org/2024/talk/W73ACM/
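Review bot: in the closing paragraph, "Finally, If you are interested ... However, you can get in touch with us via:" has a stray capital on "If", and "However" is the wrong connector because the contact list is an alternative rather than a contrast; "Alternatively, you can get in touch with us via:" reads correctly. Of the snapshot.debian.org details deleted on the `-` lines here, the planned replacement of SHA-1 with SHA-256 for file identities (with old SHA-1 URLs continuing to work) did not survive into the new Distribution work section; for readers who identify archive files by hash that is the most relevant sentence of the announcement and is worth carrying over. The calibre consolidation and the migration of the remaining FIXMEs (devscripts, Fedora 42 rebuild, QImage, Guix diffoscope, SeaGL) into the earlier hunk all check out.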
=====================================
images/reports/2024-10/OSS-EU-2024.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/OSS-EU-2024.png differ
=====================================
images/reports/2024-10/archlinux.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/archlinux.png differ
=====================================
images/reports/2024-10/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/debian.png differ
=====================================
images/reports/2024-10/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/diffoscope.png differ
=====================================
images/reports/2024-10/fedora.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/fedora.png differ
=====================================
images/reports/2024-10/izzyondroid.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/izzyondroid.png differ
=====================================
images/reports/2024-10/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/opensuse.png differ
=====================================
images/reports/2024-10/paper-2410-08427.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/paper-2410-08427.png differ
=====================================
images/reports/2024-10/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/reproducible-builds.png differ
=====================================
images/reports/2024-10/seagl.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/seagl.png differ
=====================================
images/reports/2024-10/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/testframework.png differ
=====================================
images/reports/2024-10/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-10/website.png differ
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/7b48c2173b446bf23e89269053ea3e51216b41e6