[Git][reproducible-builds/reproducible-website][master] 2024-12: Initial draft

Chris Lamb (@lamby) gitlab at salsa.debian.org
Mon Jan 6 17:41:27 UTC 2025



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
c2982790 by Chris Lamb at 2025-01-06T17:39:32+00:00
2024-12: Initial draft

- - - - -


10 changed files:

- _reports/2024-12.md
- + images/reports/2024-12/debian.png
- + images/reports/2024-12/diffoscope.png
- + images/reports/2024-12/mehdi.png
- + images/reports/2024-12/opensuse.png
- + images/reports/2024-12/reproduce-graph.png
- + images/reports/2024-12/reproducible-builds.png
- + images/reports/2024-12/solana.png
- + images/reports/2024-12/testframework.png
- + images/reports/2024-12/website.png


Changes:

=====================================
_reports/2024-12.md
=====================================
@@ -6,81 +6,248 @@ title: "Reproducible Builds in December 2024"
 draft: true
 ---
 
-* FIXME: on December 3rd reproduce.debian.net was switched to reproduce trixie/amd64 instead of unstable/amd64, which started with 43% of the archive rebuild, with 79.3% reproduced.
-
-* FIXME: on December 8th reproduce.debian.net became a "startpage" and https://amd64.reproduce.debian.net and https://i386.reproduce.debian.net emerged. The first rebuilding arch:amd64 and arch:all, the 2nd is just rebuildering arch:i386.
-  For doing so, infom07-i386.debian.net, kindly sponsored by infomaniak.com, was repurposed: before it had been part of the [Debian reproducible builds CI efforts](https://tests.reproducible-builds.org/debian/unstable/i386/). Many thanks to infomaniak.com!
-
-* [FIXME: since December 15th reproduce.debian.net produces graphs](https://amd64.reproduce.debian.net/stats/rb.png)
-  (this graph should be included in the report as an image too.)
-
-* [FIXME: #1089087 in devscripts: debrebuild: Spurious extra subdir in build path](https://bugs.debian.org/1089087) filed by Gioele Barabucci, fixed in devscripts 2.24.6 by Jochen Sprickerhof.
-  * this bug also caused another: [FIXME: #1089201 in devscripts: debrebuild: Extra zero bytes added to .dynstr when rebuilding CMake projects](https://bugs.debian.org/1089201) filed by Gioele Barabucci.
-
-* [FIXME: #1089088 in devscripts: debrebuild: 1-second offset in some timestamps](https://bugs.debian.org/1089088) filed by Gioele Barabucci and identified by Niko Tyni to be an issue in sbuild, causing this bug in _some_ binNMUs on the Debian buildds. Niko also provided a patch for sbuild.
-
-* [FIXME: #1089197 in dh-r: Recommends/Suggests missing from rebuilt R packages](https://bugs.debian.org/1089197) filed by Gioele Barabucci and then reassigned to dh-r.
-  * highlight that this bug has no patch and thus needs help to make >350 binary packages reproducible in the real world
-
-* [FIXME: Holger uploaded devscripts 2.24.6 fixing the above mentioned #1089087 and merged #1089201.](https://tracker.debian.org/news/1592137/accepted-devscripts-2246-source-into-unstable/)
-
-* [FIXME: Supply Chain Attack Detected in Solana's web3.js Library](https://socket.dev/blog/supply-chain-attack-solana-web3-js-library)
-
-* [FIXME: Santiago Vila <sanvila at debian.org> uploaded dh-buildinfo 0.11+nmu4](https://tracker.debian.org/news/1591701/accepted-dh-buildinfo-011nmu4-source-into-unstable/) to "Address #1068809 partially. In this release dh_buildinfo becomes a no-op. Now it does nothing and just warns the user about the dh-buildinfo package being obsolete, We still want packages to drop their build-depends on dh-buildinfo, but now they will immediately benefit from this change after a simple rebuild (which can be a binNMU)."
-* FIXME: #1068809: "RM: dh-buildinfo" - dh-buildinfo was removed from unstable and trixie \o/
-
-* [FIXME:Jan-Benedict Glaw published the 6th NetBSD Reproducibility Report.](http://toolchain.lug-owl.de/reports/netbsd-reproducibility-overview-6.html) and reported on that on rb-general.
-
-* [FIXME: rust-rebuilderd-worker (NEW) 0.21.0-1 uploaded by kpcyrd](https://tracker.debian.org/news/1594125/accepted-rust-rebuilderd-worker-0210-1-amd64-source-into-unstable/)
-
-* FIXME: https://lists.debian.org/debian-devel/2024/12/msg00356.html
-
-* [FIXME](https://scholar.google.com/scholar_url?url=https://repository.tudelft.nl/file/File_c5a0cf73-e034-4cf5-86e8-06abb2909fe0&hl=en&sa=X&d=6038428547135838622&ei=hzlcZ53LJZPIy9YPg5Df0A4&scisig=AFWwaebupsd5h2hUvroKeoh0AHvK&oi=scholaralrt&hist=oRX1FTwAAAAJ:16530474142032332453:AFWwaebMtCuAIKoB7q0BAy0Ve-N4&html=&pos=0&folt=kw)
-
-* FIXME: The historic Arch Linux CI reproducibility tests at https://tests.reproducible-builds.org/archlinux now redirect to https://reproducible.archlinux.org. (Everything archlinux has now been removed from jenkins.debian.net.git, as those CI tests already had been disabled for a while.)
-
-* FIXME: #1091550 in release.debian.org by Holger Levsen (holger) «several binNMU for reproduce.debian.net». https://bugs.debian.org/1091550
-
-* FIXME: https://android.izzysoft.de/articles/named/review-2024-outlook-2025
-
-* FIXME: https://guix.gnu.org/en/blog/2024/adding-a-fully-bootstrapped-mono/
-
-* Bernhard M. Wiedemann:
-    * [`scons/nst`](https://build.opensuse.org/request/show/1230042) (toolchain, pass-through `SOURCE_DATE_EPOCH`)
-    * [`cargo-packaging/rusty_v8`](https://build.opensuse.org/request/show/1233216) (toolchain)
-    * [`presage`](https://build.opensuse.org/request/show/1233892) (race+corruption-bug)
-    * [`icedtea-web`](https://build.opensuse.org/request/show/1227576) (jar mtime)
-    * [`openwsman`](https://build.opensuse.org/request/show/1228990) (jar mtime)
-    * [`mraa`](https://build.opensuse.org/request/show/1229658) (jar mtime)
-    * [`portmidi`](https://build.opensuse.org/request/show/1230001) (jar mtime)
-    * [`opa-fmgui`](https://build.opensuse.org/request/show/1230004) (jar mtime)
-    * [`collectd`](https://build.opensuse.org/request/show/1231851) (jar mtime)
-    * [`vtk`](https://build.opensuse.org/request/show/1231633) (jar mtime)
-    * [`java-atk-wrapper`](https://build.opensuse.org/request/show/1230638) (jar mtime)
-    * [`deepin-daemon`](https://build.opensuse.org/request/show/1230049) (tar mtime)
-    * [`deepin-file-manager`](https://build.opensuse.org/request/show/1230061) (tar mtime)
-    * [`swtpm`](https://build.opensuse.org/request/show/1229015) (nocheck)
-    * [`ollama`](https://build.opensuse.org/request/show/1230608) (gzip mtime)
-    * [`static-initrd`](https://build.opensuse.org/request/show/1232164) (random tmpdir + mtime + [date+host+CPU](https://bugzilla.opensuse.org/show_bug.cgi?id=1234709)
-    * [`patterns-microos`](https://build.opensuse.org/request/show/1233574) (mis-parsed changelog)
-    * [`kompare`](https://build.opensuse.org/request/show/1233852) (mis-parsed changelog)
-    * [`kdenetwork-filesharing`](https://build.opensuse.org/request/show/1233853) (mis-parsed changelog)
-    * [`yast`](https://github.com/yast/yast-storage-ng/pull/1397) (mis-parsed changelog)
-    * [`lincity-ng`](https://build.opensuse.org/request/show/1233633) (.ogg serial)
-    * [`librespeed-cli`](https://build.opensuse.org/request/show/1233732) (date)
-    * [`xdg-desktop-portal`](https://build.opensuse.org/request/show/1234111) (drop Sphinx doctrees)
-    * [`openmpi4:gnu-hpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234014) (rpm toolchain, CPU: missing provides)
-    * [`esbuild`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234374) (random go tmp path)
-    * [`kicad`](https://gitlab.com/kicad/code/kicad/-/merge_requests/2087) (tar)
-    * [`suse-hpc`](https://github.com/openSUSE/hpc/pull/12) (suse-hpc/papi toolchain, gzip mtime)
-    * [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/828) (date/copyright)
-    * [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/832) (date)
-    * [`hyperkitty`](https://gitlab.com/mailman/hyperkitty/-/merge_requests/656) (https://gitlab.com/mailman/hyperkitty/-/issues/527 toolchain issue, mtime)
-    * [`sad`](https://github.com/ms-jpq/sad/issues/359) (random UUID)
-    * [`tiny`](https://github.com/osa1/tiny/issues/437) (rust HashMap order)
-    * [`sendmail`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234629) (uname -r)
-    * [`grpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234751) (uname -r)
-    * [`cockpit`](https://github.com/cockpit-project/cockpit/pull/21460) (readdir)
-    * [`procps`](https://gitlab.com/procps-ng/procps/-/issues/362) (FTBFS-2038)
-
-* [openSUSE monthly](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/BKMFGPNWUCNLKZOWPA7GGKBERJBS4WN6/)
+[![]({{ "/images/reports/2024-12/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+**Welcome to the December 2024 report from the [Reproducible Builds]({{ "/" | relative_url }}) project!**
+
+Our monthly reports outline what we've been up to over the past month and highlight items of news from elsewhere in the world of software supply-chain security when relevant. As ever, however, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
+
+<!--
+
+**Table of contents:**
+
+-->
+
+---
+
+### [*reproduce.debian.net*](https://reproduce.debian.net/)
+
+[![]({{ "/images/reports/2024-12/reproduce-graph.png#right" | relative_url }})](https://reproduce.debian.net)
+
+Last month saw the introduction of [*reproduce.debian.net*](https://reproduce.debian.net). Announced at the recent [Debian MiniDebConf in Toulouse](https://toulouse2024.mini.debconf.org/), *reproduce.debian.net* is an instance of [*rebuilderd*](https://github.com/kpcyrd/rebuilderd) operated by the Reproducible Builds project. *rebuilderd* is our server designed monitor the official package repositories of Linux distributions and attempts to reproduce the observed results there.
+
+This month, however, we are pleased to announce that not only does the service [now produce graphs](https://amd64.reproduce.debian.net/stats/rb.png), the [reproduce.debian.net](https://reproduce.debian.net/) homepage itself has become a "start page" of sorts, and the [*amd64.reproduce.debian.net*](https://amd64.reproduce.debian.net) and [*i386.reproduce.debian.net*](https://i386.reproduce.debian.net) pages have emerged. The first of these rebuilds the `amd64` architecture, naturally, but it also is building Debian packages that are marked with the 'no architecture' label, `all`. The second builder is, however, only rebuilding the `i386` architecture.
+
+Both of these services were also switched to reproduce the Debian *trixie* distribution instead of *unstable*, which started with 43% of the archive rebuild, with 79.3% reproduced successfully.
+
+Lastly, both hosts are very sponsored by [infomaniak.com](https://www.infomaniak.com/en) — thank you!
+
+<br>
+
+### On our mailing list
+
+On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
+
+* Bernhard M. Wiedemann wrote a [detailed post](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/003612.html) on his "long journey towards a bit-reproducible [Emacs](https://www.gnu.org/software/emacs/) package." In his interesting message, Bernhard goes into depth about the tools that they used and the lower-level technical details of, for instance, compatibility with the version for [`glibc`](https://www.gnu.org/software/libc/) within openSUSE.
+
+* [Shivanand Kunijadar posed a question](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/003613.html) pertaining to the reproducibility issues with encrypted images. Shivanand explains that they must "use a random IV for encryption with AES CBC. The resulting artifact is not reproducible due to the random IV used." The message resulted in a [handful of replies](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/thread.html#3613), hopefully helpful!
+
+* User *Danilo* posted an in interesting question related to their [attempts in trying to achieve reproducible builds](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/003592.html) for [Threema Desktop 2.0](https://three.ma/md). The question resulted in a number of replies attempting to find the right combination of compiler and linker flags ([for example](https://htmlpreview.github.io/?https://raw.githubusercontent.com/openjdk/jdk/master/doc/building.html#cross-compiling-the-easy-way)).
+
+* Longstanding contributor [David A. Wheeler](https://dwheeler.com) wrote to our list announcing the release of the "[Census III of Free and Open Source Software: Application Libraries](https://www.linuxfoundation.org/research/census-iii)" report written by Frank Nagle, Kate Powell, Richie Zitomer and David himself. As [David writes in his message](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/003604.html), the report attempts to "answer the question 'what is the most popular Free and Open Source Software (FOSS)?'".
+
+* Lastly, `kpcyrd` followed-up to [a post from September 2024](https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003530.html) which mentioned their desire for "someone" to implement of a "feature would be a hashset of allowed module hashes that is generated during the kernel build and then embedded in the kernel image", thus enabling a deterministic and reproducible build. However, they are now reporting that "somebody implemented the hash-based allow list feature and [submitted it to the Linux kernel mailing list](https://lore.kernel.org/lkml/20241225-module-hashes-v1-0-d710ce7a3fd1@weissschuh.net/)". Like, `kpcyrd`, we hope it gets merged.
+
+<br>
+
+### *Enhancing the Security of Software Supply Chains: Methods and Practices*
+
+[![]({{ "/images/reports/2024-12/mehdi.png#right" | relative_url }})](https://research.tudelft.nl/en/publications/enhancing-the-security-of-software-supply-chains-methods-and-prac)
+
+Mehdi Keshani of the [Delft University of Technology](https://www.tudelft.nl/en/) in the Netherlands has published their thesis on "Enhancing the Security of Software Supply Chains: Methods and Practices". Their introductory summary first begins with an outline of software supply chains and the importance of the [Maven](https://maven.apache.org/) ecosystem before outlining the issues that it faces "that threaten its security and effectiveness". To address these:
+
+> First, we propose an automated approach for library reproducibility to enhance library security during the deployment phase. We then develop a scalable call graph generation technique to support various use cases, such as method-level vulnerability analysis and change impact analysis, which help mitigate security challenges within the ecosystem. Utilizing the generated call graphs, we explore the impact of libraries on their users. Finally, through empirical research and mining techniques, we investigate the current state of the Maven ecosystem, identify harmful practices, and propose recommendations to address them.
+
+A PDF of [Mehdi's entire thesis](https://research.tudelft.nl/files/221939594/mehdi-keshani-thesis-24092024.pdf) is available to download.
+
+<br>
+
+### [*diffoscope*](https://diffoscope.org)
+
+[![]({{ "/images/reports/2024-12/diffoscope.png#right" | relative_url }})](https://diffoscope.org/)
+
+[diffoscope](https://diffoscope.org) is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made the following changes, including preparing and uploading versions `283` and `284` to Debian:
+
+* Update copyright years. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d6868b26)]
+* Update tests to support file 5.46. (Closes: reproducible-builds/diffoscope#395). [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/06f00adc)]
+* Simplify tests_quines.py::test_{differences,differences_deb} to simply use assert_diff and not mangle the test fixture. [[…](https://salsa.debian.org/reproducible-builds/diffoscope/commit/fef20236)]
+
+<br>
+
+### Supply-chain attack in the Solana ecosystem
+
+[![]({{ "/images/reports/2024-12/solana.png#right" | relative_url }})](https://socket.dev/blog/supply-chain-attack-solana-web3-js-library)
+
+A significant supply-chain attack impacted [Solana](https://solana.com/), an ecosystem for decentralised applications running on a blockchain.
+
+Hackers targeted the [@solana/web3.js](https://solana-labs.github.io/solana-web3.js/) JavaScript library and embedded malicious code that extracted private keys and drained funds from cryptocurrency wallets. According to some reports, about [$160,000 worth of assets](https://solscan.io/account/FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx#portfolio) were stolen, not including including SOL tokens and other crypto assets.
+
+<br>
+
+### Website updates
+
+[![]({{ "/images/reports/2024-11/website.png#right" | relative_url }})]({{ "/" | relative_url }})
+
+Similar to last month, there was a large number of changes made to our website this month, including:
+
+* Chris Lamb:
+
+    * Make the landing page hero look nicer when the vertical height component of the viewport is restricted, not just the horizontal widith.
+    * Rename the "Buy-in" page to "Why Reproducible Builds?" [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/00394872)]
+    * Removing the top black border. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/506f967a)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/67afffed)]
+
+* Holger Levsen:
+
+    * Fixed a number of issues on the [2024 Summit page]({{ "/events/hamburg2024/" | relative_url }}), including fixing the path to a sponsor logo [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c6779ee3)] but also added the event documentation from Aspiration [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c9ceae8a)].
+    * Check and cleanup a presentation formerly linked from the "[About](https://wiki.debian.org/ReproducibleBuilds/About)" page on the [Debian wiki](https://wiki.debian.org). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/05b582a5)]
+    * Link to [reproduce.debian.net](https://reproduce.debian.net) on the [*Involved Projects*]({{ "/who/projects/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8bc208f1)]
+    * Fix a number of links on the [*Talks & Resources*]({{ "/resources/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dc9d316e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1102a72b)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a5a3c78)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8d13c232)]
+
+* *hulkoba*:
+
+    * Remove the sidebar-type layout and move to a static navigation element. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/eb1e683d)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0278825e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7b7f171c)][[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1cd28b2e)]
+    * Create and merge a new [*Success stories*]({{ "/success-stories/" | relative_url }}) page, which "highlights the success stories of Reproducible Builds, showcasing real-world examples of projects shipping with verifiable, reproducible builds. These stories aim to enhance the technical resilience of the initiative by encouraging community involvement and inspiring new contributions.". [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/de89a0ee)]
+    * Further changes to the [homepage]({{ "/" | relative_url }}). [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8a9ebfee)]
+    * Remove the translation icon from the navigation bar. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f5858eb3)]
+    * Remove unused CSS styles pertaining to the sidebar. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2d83cdd7)]
+    * Add sponsors to the global footer. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c34d2a27)]
+    * Add extra space on large screens on the [*Who*]({{ "/who/" | relative_url }}) page. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6cb760ce)]
+    * Hide the side navigation on small screens on the [*Documentation*]({{ "/docs/" | relative_url }}) pages. [[…](https://salsa.debian.org/reproducible-builds/reproducible-website/commit/867f51dd)]
+
+<br>
+
+### Debian changes
+
+[![]({{ "/images/reports/2024-12/debian.png#right" | relative_url }})](https://debian.org/)
+
+There were a significant number of reproducibility-related changes within [Debian](https://www.debian.org/) this month, including:
+
+* Santiago Vila [uploaded version `0.11+nmu4` of the `dh-buildinfo`](https://tracker.debian.org/news/1591701/accepted-dh-buildinfo-011nmu4-source-into-unstable/) package. In this release, the `dh_buildinfo` becomes a no-op — ie. it no longer does anything beyond warning the developer that the `dh-buildinfo` package is now obsolete. In his upload, Santiago wrote that "We still want packages to drop their [dependency] on `dh-buildinfo`, but now they will immediately benefit from this change after a simple rebuild."
+
+* Holger Levsen filed Debian bug [#1091550](https://bugs.debian.org/1091550) requesting a rebuild of a number of packages that were built with a "very old version" of `dpkg`.
+*
+* Fay Stegerman contributed to an extensive thread on the [`debian-devel`](https://lists.debian.org/debian-devel/) development mailing list on the [topic of "Supporting alternative zlib implementations"](https://lists.debian.org/debian-devel/2024/12/msg00356.html). In particular, Fay wrote about her results experimenting whether [`zlib-ng`](https://github.com/zlib-ng/zlib-ng) produces identical results or not.
+
+* *kpcyrd* uploaded a new [`rust-rebuilderd-worker`](https://tracker.debian.org/pkg/rust-rebuilderd-worker) to Debian, which passed successfully through the so-called [NEW queue](https://wiki.debian.org/NewQueue).
+
+* Gioele Barabucci filed a number of bugs against the `debrebuild` component/script of the [`devscripts`](https://tracker.debian.org/pkg/devscripts) package, including:
+
+    * [#1089087](https://bugs.debian.org/1089087): Address a spurious extra subdirectory in the build path.
+    * [#1089201](https://bugs.debian.org/1089201): Extra zero bytes added to `.dynstr` when rebuilding [CMake](https://cmake.org/) projects.
+    * [#1089088](https://bugs.debian.org/1089088): Some binNMUs have a 1-second offset in some timestamps.
+
+* Gioele Barabucci *also* filed a bug against the [`dh-r`](https://tracker.debian.org/pkg/dh-r) package to report that the `Recommends` and `Suggests` fields are missing from rebuilt R packages. At the time of writing, this bug has no patch and needs some help to make over 350 binary packages reproducible.
+
+* Lastly, 8 reviews of Debian packages were added, 11 were updated and 11 were removed this month adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
+
+<br>
+
+### Other distributions
+
+In other distribution news:
+
+* Jan-Benedict Glaw published the [6th **NetBSD** Reproducibility Report](http://toolchain.lug-owl.de/reports/netbsd-reproducibility-overview-6.html) and [reported on our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/2024-December/003606.html) as well.
+
+* Developer *unmush* wrote a long post on the [**GNU Guix** blog](https://guix.gnu.org/en/blog/) on the topic of "[*Adding a fully-bootstrapped Mono*](https://guix.gnu.org/en/blog/2024/adding-a-fully-bootstrapped-mono/)" to the distribution.
+
+* The [IzzyOnDroid](https://android.izzysoft.de/) **Android** application website published an extensive "[*Review of 2024 and Outlook for 2025*](https://android.izzysoft.de/articles/named/review-2024-outlook-2025)" which includes statistics and future plans related to reproducible builds.
+
+* The historic [**Arch Linux**](https://archlinux.org/) reproducibility tests that were hosted at `tests.reproducible-builds.org/archlinux` now redirect to [reproducible.archlinux.org](https://reproducible.archlinux.org/) instead. In fact, everything Arch-related has now been removed from the `jenkins.debian.net.git` repository, as those continuous integration tests have been disabled for some time.
+
+[![]({{ "/images/reports/2024-12/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
+
+* Lastly, in [**openSUSE**](https://www.opensuse.org/), Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/BKMFGPNWUCNLKZOWPA7GGKBERJBS4WN6/) for the distribution.
+
+<br>
+
+### Upstream patches
+
+The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
+
+* Bernhard M. Wiedemann: [`cargo-packaging/rusty_v8`](https://build.opensuse.org/request/show/1233216), [`cockpit`](https://github.com/cockpit-project/cockpit/pull/21460), [`collectd`](https://build.opensuse.org/request/show/1231851), [`deepin-daemon`](https://build.opensuse.org/request/show/1230049), [`deepin-file-manager`](https://build.opensuse.org/request/show/1230061), [`esbuild`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234374), [`grpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234751), [`hyperkitty`](https://gitlab.com/mailman/hyperkitty/-/merge_requests/656), [`icedtea-web`](https://build.opensuse.org/request/show/1227576), [`java-atk-wrapper`](https://build.opensuse.org/request/show/1230638), [`kdenetwork-filesharing`](https://build.opensuse.org/request/show/1233853), [`kicad`](https://gitlab.com/kicad/code/kicad/-/merge_requests/2087), [`kompare`](https://build.opensuse.org/request/show/1233852), [`librespeed-cli`](https://build.opensuse.org/request/show/1233732), [`lincity-ng`](https://build.opensuse.org/request/show/1233633), [`mraa`](https://build.opensuse.org/request/show/1229658), [`ollama`](https://build.opensuse.org/request/show/1230608), [`opa-fmgui`](https://build.opensuse.org/request/show/1230004), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/828), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/832), [`openmpi4:gnu-hpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234014), [`openwsman`](https://build.opensuse.org/request/show/1228990), [`patterns-microos`](https://build.opensuse.org/request/show/1233574), [`portmidi`](https://build.opensuse.org/request/show/1230001), [`presage`](https://build.opensuse.org/request/show/1233892), [`procps`](https://gitlab.com/procps-ng/procps/-/issues/362), [`sad`](https://github.com/ms-jpq/sad/issues/359), [`scons/nst`](https://build.opensuse.org/request/show/1230042), [`sendmail`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234629), 
[`static-initrd`](https://build.opensuse.org/request/show/1232164), [`suse-hpc`](https://github.com/openSUSE/hpc/pull/12), [`swtpm`](https://build.opensuse.org/request/show/1229015), [`tiny`](https://github.com/osa1/tiny/issues/437), [`vtk`](https://build.opensuse.org/request/show/1231633), [`xdg-desktop-portal`](https://build.opensuse.org/request/show/1234111) & [`yast`](https://github.com/yast/yast-storage-ng/pull/1397).
+
+* Chris Lamb:
+
+    * [#1089011](https://bugs.debian.org/1089011) filed against [`pyorbital`](https://tracker.debian.org/pkg/pyorbital).
+    * [#1089095](https://bugs.debian.org/1089095) filed against [`python-pbcore`](https://tracker.debian.org/pkg/python-pbcore).
+
+* Gioele Barabucci:
+
+    * [#1089088](https://bugs.debian.org/1089088) filed against [`sbuild`](https://tracker.debian.org/pkg/sbuild).
+
+* James Addison:
+
+    * [#1090395](https://bugs.debian.org/1090395) filed against [`binutils`](https://tracker.debian.org/pkg/binutils).
+
+* Johannes Schauer Marin Rodrigues:
+
+    * [#1089092](https://bugs.debian.org/1089092) filed against [`hurd`](https://tracker.debian.org/pkg/hurd).
+
+* Moritz Schlarb:
+
+    * [#1090078](https://bugs.debian.org/1090078) filed against [`firehol`](https://tracker.debian.org/pkg/firehol).
+
+* Roland Clobus:
+
+    * [#1090981](https://bugs.debian.org/1090981) filed against [`dictionaries-common`](https://tracker.debian.org/pkg/dictionaries-common).
+
+<br>
+
+### reprotest
+
+reprotest version `0.7.29` was [uploaded to Debian unstable](https://tracker.debian.org/news/1597407/accepted-reprotest-0729-source-into-unstable/) by Vagrant Cascadian. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.7.29) as well as new ones from Rebecca N. Palmer in particular, such as:
+
+* as_file is not a method. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/8e3b98a)]
+* Stop using pkg_resources. (Closes: #1083743). [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/ef549aa)]
+* tests: use a non-constant-address object to test address capture. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/690daaf)]
+
+<br>
+
+### Reproducibility testing framework
+
+[![]({{ "/images/reports/2024-12/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
+
+The Reproducible Builds project operates a comprehensive testing framework running primarily at [*tests.reproducible-builds.org*](https://tests.reproducible-builds.org) in order to check packages and other artifacts for reproducibility. In November, a number of changes were made by Holger Levsen, including:
+
+* [reproduce.debian.net](https://reproduce.debian.net)-related:
+
+    * Add a new `i386.reproduce.debian.net` rebuilder. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c93a67baf)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3a95c16d)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f86d327c5)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4dd9e2436)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6b931c382)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/980d9cd27)]
+    * Make a number of updates to the documentation. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e9599f791)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ab79a01e4)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/da2401fa7)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a85e23463)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7384ce3af)]
+    * Run `i386.reproduce.debian.net` run on a public port to allow external workers. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/44c310c48)]
+    * Add a link to the `/api/v0/pkgs/list` endpoint. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/2f9a12a3f)]
+    * Add support for a [statistics](https://amd64.reproduce.debian.net/stats/) page. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/51944feb3)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/ad640d318)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/0f575d45f)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/364a247b3)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/cb0948b13)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/360f38e59)]
+    * Limit build logs to 20 MiB and *diffoscope* output to 10 MiB. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/90fe5f690)]
+    * Improve the [frontpage](https://amd64.reproduce.debian.net/). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/96050e1d6)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/06b546d65)]
+    * Explain that we're testing `arch:any` and `arch:all` on the `amd64` architecture, but only `arch:any` on `i386`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e87f6d3ab)]
+
+* Misc:
+
+    * Remove code for testing Arch Linux, which has moved to [*reproduce.archlinux.org*](https://reproducible.archlinux.org). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f74d5cc65)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/6e0853fc2)]
+    * Don't install [`dstat`](https://tracker.debian.org/pkg/dstat) on Jenkins nodes anymore as its been removed from Debian *trixie*. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a60fff3e9)]
+    * Prepare the `infom08-i386` node to become another rebuilder. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7326d0824)]
+    * Add debug date output for benchmarking the `reproducible_pool_buildinfos.sh` script. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a3c525594)]
+    * Install [`installation-birthday`](https://tracker.debian.org/pkg/installation-birthday) everywhere. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/af8cf9022)]
+    * Temporarely disable automatic updates of pool links on [*buildinfos.debian.net*](https://buildinfos.debian.net/). [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/65f6c496b)]
+    * Install `Recommends` by default on Jenkins nodes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/5137ed27f)]
+    * Rename `rebuilder_stats.py` to `rebuilderd_stats.py`. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/d4346cc75)]
+    * r.d.n/stats: minor formatting changes. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/68362c7c3)]
+    * Install files under `/etc/cron.d/` with the correct permissions. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/15e85eb0e)]
+
+… and Jochen Sprickerhof made the following changes:
+
+* Always prefer official `.buildinfo` on [*buildinfos.debian.net*](https://buildinfos.debian.net/) files. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/c5bd2cdd5)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/f3996505a)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e3fa9e786)]
+* Add a `rebuilder_stats.py` scripts. [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/a4bf4abbf)]
+
+Lastly, Gioele Barabucci also classified packages affected by 1-second offset issue filed as Debian bug [#1089088](https://bugs.debian.org/1089088) [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/560abcc06)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/7ecb50252)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4ec0ce172)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/deac53d9e)], Chris Hofstaedtler updated the URL for [Grml](https://grml.org)'s [`dpkg.selections`](https://grml.org/files/grml-full-latest-amd64/dpkg.selections) file  [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/18f5518ea)], Roland Clobus updated the [Jenkins log parser](https://plugins.jenkins.io/log-parser/) to parse warnings from [*diffoscope*](https://diffoscope.org/) [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/e6d4a3a14)] and Mattia Rizzolo banned a number of bots and crawlers from the service [[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/eac87a506)][[…](https://salsa.debian.org/qa/jenkins.debian.net/commit/4a2733e4f)].
+
+<br>
+
+If you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website. However, you can get in touch with us via:
+
+ * IRC: `#reproducible-builds` on `irc.oftc.net`.
+
+ * Mastodon: [@reproducible_builds at fosstodon.org](https://fosstodon.org/@reproducible_builds)
+
+ * Mailing list: [`rb-general at lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
+
+ * Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)

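Review bot: the testing framework paragraph opens with "In November, a number of changes were made by Holger Levsen", but this file is the December 2024 report (`_reports/2024-12.md`), so the month should presumably read "In December". Smaller text points in the same section: "Run `i386.reproduce.debian.net` run on a public port" repeats "run"; the Arch Linux item shows the link text *reproduce.archlinux.org* but links to `https://reproducible.archlinux.org`, so one of the two needs correcting; "as its been removed" should be "as it's been removed"; "Temporarely" should be "Temporarily"; "Always prefer official `.buildinfo` on buildinfos.debian.net files" has "files" in the wrong place; "Add a `rebuilder_stats.py` scripts" mixes singular and plural; and "affected by 1-second offset issue" is missing an article. In the closing paragraph, "However, you can get in touch with us via:" does not contrast with the sentence before it; "Alternatively" or dropping the word would read better.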

=====================================
images/reports/2024-12/debian.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/debian.png differ


=====================================
images/reports/2024-12/diffoscope.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/diffoscope.png differ


=====================================
images/reports/2024-12/mehdi.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/mehdi.png differ


=====================================
images/reports/2024-12/opensuse.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/opensuse.png differ


=====================================
images/reports/2024-12/reproduce-graph.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/reproduce-graph.png differ


=====================================
images/reports/2024-12/reproducible-builds.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/reproducible-builds.png differ


=====================================
images/reports/2024-12/solana.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/solana.png differ


=====================================
images/reports/2024-12/testframework.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/testframework.png differ


=====================================
images/reports/2024-12/website.png
=====================================
Binary files /dev/null and b/images/reports/2024-12/website.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/c2982790bb0040797e4f9053b9789b85fa1580cd
