[Git][reproducible-builds/reproducible-website][master] 3 commits: Resize actual image; inline width directives will be nommed by a few processes...

Chris Lamb (@lamby) gitlab at salsa.debian.org
Thu Jan 9 12:00:34 UTC 2025



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
80e4cac7 by Chris Lamb at 2025-01-09T11:39:15+00:00
Resize actual image; inline width directives will be nommed by a few processes (eg. CSS readers etc.)

- - - - -
48d0d42c by Chris Lamb at 2025-01-09T12:00:18+00:00
2024-12: Misc changes prior to publication.

- - - - -
6ab3797e by Chris Lamb at 2025-01-09T12:00:20+00:00
published as https://reproducible-builds.org/reports/2024-12/

- - - - -


2 changed files:

- _reports/2024-12.md
- images/reports/2024-12/debian-repro-status.png


Changes:

=====================================
_reports/2024-12.md
=====================================
@@ -3,7 +3,8 @@ layout: report
 year: "2024"
 month: "12"
 title: "Reproducible Builds in December 2024"
-draft: true
+draft: false
+date: 2025-01-09 12:00:20
 ---
 
 [![]({{ "/images/reports/2024-12/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
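Review bot: the added `date: 2025-01-09 12:00:20` front-matter line has no UTC offset, so its interpretation is left to the timezone setting of whatever host generates the site, while the commit that adds it is stamped 12:00:20+00:00. Suggest `date: 2025-01-09 12:00:20 +0000` so that the published timestamp, and therefore the generated page, is the same on every build host. Minor style point: `year` and `month` are quoted strings while `date` is not; that is fine if intentional, but worth a glance.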
@@ -12,11 +13,19 @@ draft: true
 
 Our monthly reports outline what we've been up to over the past month and highlight items of news from elsewhere in the world of software supply-chain security when relevant. As ever, however, if you are interested in contributing to the Reproducible Builds project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
 
-<!--
-
 **Table of contents:**
 
--->
+0. [*reproduce.debian.net*](#reproducedebiannet)
+0. [*debian-repro-status*](#debian-repro-status)
+0. [On our mailing list](#on-our-mailing-list)
+0. "[Enhancing the Security of Software Supply Chains](#enhancing-the-security-of-software-supply-chains-methods-and-practices)"
+0. [*diffoscope*](#diffoscope)
+0. [Supply-chain attack in the Solana ecosystem](#supply-chain-attack-in-the-solana-ecosystem)
+0. [Website updates](#website-updates)
+0. [Debian changes](#debian-changes)
+0. [Other development news](#other-development-news)
+0. [Upstream patches](#upstream-patches)
+0. [Reproducibility testing framework](#reproducibility-testing-framework)
 
 ---
 
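Review bot: the fourth table-of-contents entry is formatted differently from the other ten: its quotation marks sit outside the link (`"[Enhancing the Security of Software Supply Chains](#enhancing-…-methods-and-practices)"`), and the link text omits the "Methods and Practices" part that the anchor implies is in the heading. Suggest moving the quotes inside the brackets or dropping them, and matching the heading text. Since all of these anchors are hand-written and most of the target headings are not visible in this patch, it is worth clicking through each entry in the rendered page before publication, in particular `#debian-repro-status`, whose heading gains emphasis markers in a later hunk.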
@@ -28,21 +37,19 @@ Last month saw the introduction of [*reproduce.debian.net*](https://reproduce.de
 
 This month, however, we are pleased to announce that not only does the service [now produce graphs](https://amd64.reproduce.debian.net/stats/rb.png), the [reproduce.debian.net](https://reproduce.debian.net/) homepage itself has become a "start page" of sorts, and the [*amd64.reproduce.debian.net*](https://amd64.reproduce.debian.net) and [*i386.reproduce.debian.net*](https://i386.reproduce.debian.net) pages have emerged. The first of these rebuilds the `amd64` architecture, naturally, but it also is building Debian packages that are marked with the 'no architecture' label, `all`. The second builder is, however, only rebuilding the `i386` architecture.
 
-Both of these services were also switched to reproduce the Debian *trixie* distribution instead of *unstable*, which started with 43% of the archive rebuild, with 79.3% reproduced successfully.
-
-Nota bene: both i386 hosts are very sponsored by [infomaniak.com](https://www.infomaniak.com/en), while the amd64 node is sponsored by [OSUOSL](https://osuosl.org) - thank you!
+Both of these services were also switched to reproduce the Debian *trixie* distribution instead of *unstable*, which started with 43% of the archive rebuild with 79.3% reproduced successfully. This is very much a work in progress, and we'll start reproducing Debian *unstable* soon.
 
-Lastly, this is all very much work in progress, eg. we'll start reproducing *unstable* soon as well as we are looking for more workers for more Debian architectures! Please contact us!
+Our `i386` hosts are very kindly sponsored by [Infomaniak](https://www.infomaniak.com/en) whilst the `amd64` node is sponsored by [OSUOSL](https://osuosl.org) — thank you! Indeed, we are looking for more workers for more Debian architectures; please contact us if you are able to help.
 
 <br>
 
-### debian-repro-status
+### *debian-repro-status*
 
-[![]({{ "/images/reports/2024-12/debian-repro-status.png#right" | relative_url }}){: width="350" }]({{ "/images/reports/2024-12/debian-repro-status.png" | relative_url }})
+[![]({{ "/images/reports/2024-12/debian-repro-status.png#right" | relative_url }})](https://github.com/kpcyrd/debian-repro-status)
 
-Reproducible builds developer *kpcyrd* has [published](https://github.com/kpcyrd/debian-repro-status) a client program for *reproduce.debian.net* that queries the status of the locally installed packages and rates the system with a percentage score. This tool works analogous to [arch-repro-status](https://gitlab.archlinux.org/archlinux/arch-repro-status) for the Arch Linux Reproducible Builds setup.
+Reproducible builds developer *kpcyrd* has published a [client program for *reproduce.debian.net*](https://github.com/kpcyrd/debian-repro-status) that queries the status of the locally installed packages and rates the system with a percentage score. This tool works analogous to [*arch-repro-status*](https://gitlab.archlinux.org/archlinux/arch-repro-status) for the [Arch Linux](https://archlinux.org/) Reproducible Builds setup.
 
-The tool was packaged for Debian, is currently available in [trixie/testing](https://packages.debian.org/trixie/debian-repro-status) and can be installed with `apt-get install debian-repro-status`.
+The tool was packaged for Debian and is currently available in Debian [*trixie*](https://packages.debian.org/trixie/debian-repro-status): it can be installed with `apt install debian-repro-status`.
 
 <br>
 
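Review bot: in the rewritten *trixie* sentence, "43% of the archive rebuild with 79.3% reproduced successfully" should read "rebuilt", and dropping the comma that the old line had after the first figure makes the two percentages harder to tell apart. Suggest "which started with 43% of the archive rebuilt, of which 79.3% reproduced successfully". In the same hunk, "This tool works analogous to" is carried over unchanged and would read better as "works analogously to". Also note that the image link target changes from the full-size PNG to the GitHub repository, so readers can no longer click through to a larger version of the screenshot; fine if that is intended alongside the resize.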
@@ -168,9 +175,21 @@ In other ecosystem and distribution news:
 
 * The historic [**Arch Linux**](https://archlinux.org/) reproducibility tests that were hosted at `tests.reproducible-builds.org/archlinux` now redirect to [reproducible.archlinux.org](https://reproducible.archlinux.org/) instead. In fact, everything Arch-related has now been removed from the `jenkins.debian.net.git` repository, as those continuous integration tests have been disabled for some time.
 
+* **reprotest** version `0.7.29` was [uploaded to Debian unstable](https://tracker.debian.org/news/1597407/accepted-reprotest-0729-source-into-unstable/) by Vagrant Cascadian. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.7.29) as well as new ones from Rebecca N. Palmer, such as:
+
+    * Stop using `pkg_resources`. [[…](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083743)][[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/ef549aa)]
+    * The `as_file` attribute is not a method. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/8e3b98a)]
+    * Use a non-constant object to test memory address capture. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/690daaf)]
+
+* **rebuilderd** was updated as follows by *kpcyrd*:
+
+    * Migrate `diesel` dependency from 1.x to 2.x. [[…](https://github.com/kpcyrd/rebuilderd/commit/970d0187)]
+    * Migrate `clap` dependency from 2 to 4. [[…](https://github.com/kpcyrd/rebuilderd/commit/678ef58b)]
+    * Refactor `reqwest` code, and the replace *openssl* dependency with the memory-safe *rustls*. [[…](https://github.com/kpcyrd/rebuilderd/commit/6ad7c33c)][[…](https://github.com/kpcyrd/rebuilderd/commit/74ec1f3c)]
+
 [![]({{ "/images/reports/2024-12/opensuse.png#right" | relative_url }})](https://www.opensuse.org/)
 
-* Lastly, in [**openSUSE**](https://www.opensuse.org/), Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/BKMFGPNWUCNLKZOWPA7GGKBERJBS4WN6/) for the distribution. There he reports about the success of building [R-B-OS](https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part1) - a partial fork of openSUSE with only 100% bit-reproducible packages. This effort was sponsored by the NLNet NGI0 initiative.
+* Lastly, in [**openSUSE**](https://www.opensuse.org/), Bernhard M. Wiedemann [published another report](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/BKMFGPNWUCNLKZOWPA7GGKBERJBS4WN6/) for the distribution. There, Bernhard reports about the success of building '[R-B-OS](https://en.opensuse.org/openSUSE:Reproducible_openSUSE/Part1)', a partial fork of openSUSE with only 100% bit-reproducible packages. This effort was sponsored by the [NLNet NGI0](https://nlnet.nl/NGI0/) initiative.
 
 <br>
 
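Review bot: the third added rebuilderd bullet has two words transposed: "Refactor `reqwest` code, and the replace *openssl* dependency with the memory-safe *rustls*" should be "and replace the *openssl* dependency". The added sub-bullets also switch crate names `diesel`, `clap` and `reqwest` to code formatting while *openssl* and *rustls* stay in emphasis; pick one convention for all five.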
@@ -178,7 +197,7 @@ In other ecosystem and distribution news:
 
 The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
 
-* Bernhard M. Wiedemann: [`cargo-packaging/rusty_v8`](https://build.opensuse.org/request/show/1233216), [`cockpit`](https://github.com/cockpit-project/cockpit/pull/21460), [`collectd`](https://build.opensuse.org/request/show/1231851), [`deepin-daemon`](https://build.opensuse.org/request/show/1230049), [`deepin-file-manager`](https://build.opensuse.org/request/show/1230061), [`esbuild`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234374), [`grpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234751), [`hyperkitty`](https://gitlab.com/mailman/hyperkitty/-/merge_requests/656), [`icedtea-web`](https://build.opensuse.org/request/show/1227576), [`java-atk-wrapper`](https://build.opensuse.org/request/show/1230638), [`kdenetwork-filesharing`](https://build.opensuse.org/request/show/1233853), [`kicad`](https://gitlab.com/kicad/code/kicad/-/merge_requests/2087), [`kompare`](https://build.opensuse.org/request/show/1233852), [`librespeed-cli`](https://build.opensuse.org/request/show/1233732), [`lincity-ng`](https://build.opensuse.org/request/show/1233633), [`mraa`](https://build.opensuse.org/request/show/1229658), [`ollama`](https://build.opensuse.org/request/show/1230608), [`opa-fmgui`](https://build.opensuse.org/request/show/1230004), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/828), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/832), [`openmpi4:gnu-hpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234014), [`openwsman`](https://build.opensuse.org/request/show/1228990), [`patterns-microos`](https://build.opensuse.org/request/show/1233574), [`portmidi`](https://build.opensuse.org/request/show/1230001), [`presage`](https://build.opensuse.org/request/show/1233892), [`procps`](https://gitlab.com/procps-ng/procps/-/issues/362), [`sad`](https://github.com/ms-jpq/sad/issues/359), [`scons/nst`](https://build.opensuse.org/request/show/1230042), [`sendmail`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234629), 
[`static-initrd`](https://build.opensuse.org/request/show/1232164), [`suse-hpc`](https://github.com/openSUSE/hpc/pull/12), [`swtpm`](https://build.opensuse.org/request/show/1229015), [`tiny`](https://github.com/osa1/tiny/issues/437), [`vtk`](https://build.opensuse.org/request/show/1231633), [`xdg-desktop-portal`](https://build.opensuse.org/request/show/1234111) & [`yast`](https://github.com/yast/yast-storage-ng/pull/1397).
+* Bernhard M. Wiedemann: [`cargo-packaging/rusty_v8`](https://build.opensuse.org/request/show/1233216), [`cockpit`](https://github.com/cockpit-project/cockpit/pull/21460), [`collectd`](https://build.opensuse.org/request/show/1231851), [`deepin-daemon`](https://build.opensuse.org/request/show/1230049), [`deepin-file-manager`](https://build.opensuse.org/request/show/1230061), [`esbuild`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234374), [`grpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234751), [`hyperkitty`](https://gitlab.com/mailman/hyperkitty/-/merge_requests/656), [`icedtea-web`](https://build.opensuse.org/request/show/1227576), [`java-atk-wrapper`](https://build.opensuse.org/request/show/1230638), [`kdenetwork-filesharing`](https://build.opensuse.org/request/show/1233853), [`kicad`](https://gitlab.com/kicad/code/kicad/-/merge_requests/2087), [`kompare`](https://build.opensuse.org/request/show/1233852), [`librespeed-cli`](https://build.opensuse.org/request/show/1233732), [`lincity-ng`](https://build.opensuse.org/request/show/1233633), [`mraa`](https://build.opensuse.org/request/show/1229658), [`ollama`](https://build.opensuse.org/request/show/1230608), [`opa-fmgui`](https://build.opensuse.org/request/show/1230004), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/828), [`opencryptoki`](https://github.com/opencryptoki/opencryptoki/pull/832), [`openmpi4:gnu-hpc`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234014), [`openwsman`](https://build.opensuse.org/request/show/1228990), [`patterns-microos`](https://build.opensuse.org/request/show/1233574), [`portmidi`](https://build.opensuse.org/request/show/1230001), [`presage`](https://build.opensuse.org/request/show/1233892), [`procps`](https://gitlab.com/procps-ng/procps/-/issues/362), [`sad`](https://github.com/ms-jpq/sad/issues/359), [`scons/nst`](https://build.opensuse.org/request/show/1230042), [`sendmail`](https://bugzilla.opensuse.org/show_bug.cgi?id=1234629), 
[`static-initrd`](https://build.opensuse.org/request/show/1232164), [`suse-hpc`](https://github.com/openSUSE/hpc/pull/12), [`swtpm`](https://build.opensuse.org/request/show/1229015), [`tiny`](https://github.com/osa1/tiny/issues/437), [`vtk`](https://build.opensuse.org/request/show/1231633), [`xdg-desktop-portal`](https://build.opensuse.org/request/show/1234111) and [`yast`](https://github.com/yast/yast-storage-ng/pull/1397).
 
 * Chris Lamb:
 
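Review bot: the only change in this hunk is "&" to "and" on the second physical line, but the first line of the bullet still ends with trailing whitespace after the `sendmail` link and the continuation starting at `static-initrd` is not indented under the list item. Since the line is being touched anyway, suggest joining the two lines or indenting the continuation, and stripping the trailing space. `opencryptoki` appears twice with different pull requests; if that is deliberate, no change needed.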
@@ -207,24 +226,6 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
 
 <br>
 
-### *reprotest*
-
-reprotest version `0.7.29` was [uploaded to Debian unstable](https://tracker.debian.org/news/1597407/accepted-reprotest-0729-source-into-unstable/) by Vagrant Cascadian. It [included contributions already covered in previous months](https://salsa.debian.org/reproducible-builds/reprotest/commits/debian/0.7.29) as well as new ones from Rebecca N. Palmer in particular, such as:
-
-* as_file is not a method. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/8e3b98a)]
-* Stop using pkg_resources. [[…](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083743)][[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/ef549aa)]
-* tests: use a non-constant-address object to test address capture. [[…](https://salsa.debian.org/reproducible-builds/reprotest/commit/690daaf)]
-
-<br>
-
-### *rebuilderd*
-
-* Migrate *diesel* dependency from 1.x to 2.x. [[…](https://github.com/kpcyrd/rebuilderd/commit/970d0187)]
-* Migrate *clap* dependency from 2 to 4. [[…](https://github.com/kpcyrd/rebuilderd/commit/678ef58b)]
-* Refactor *reqwest* code, replace *openssl* dependency with the memory-safe *rustls*. [[…](https://github.com/kpcyrd/rebuilderd/commit/6ad7c33c)][[…](https://github.com/kpcyrd/rebuilderd/commit/74ec1f3c)]
-
-<br>
-
 ### Reproducibility testing framework
 
 [![]({{ "/images/reports/2024-12/testframework.png#right" | relative_url }})](https://tests.reproducible-builds.org/)
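Review bot: the removed reprotest bullet "tests: use a non-constant-address object to test address capture" was more precise than the wording that replaces it earlier in this patch ("Use a non-constant object to test memory address capture"): the original says the object's address is what varies, not the object itself, and that the change is confined to the tests. Suggest keeping "non-constant-address object" and the "tests:" scope in the relocated bullet. Removing the `### *reprotest*` and `### *rebuilderd*` headings also removes their anchors, which is consistent with the new table of contents not listing them.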


=====================================
images/reports/2024-12/debian-repro-status.png
=====================================
Binary files a/images/reports/2024-12/debian-repro-status.png and b/images/reports/2024-12/debian-repro-status.png differ



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/compare/7a89a5976905be033198e22d20733b77140b51d5...6ab3797ec308b2faaeba5f43c89bb334877bcebd
