From: dwheeler at dwheeler.com (David A. Wheeler)
Date: Mon, 3 May 2021 12:43:30 -0400
Subject: FYI: Diverse Double-Compiling DDC presentation now on Youtube
Message-ID: <9581FBE9-B832-4A4A-A0DB-D8188F0FB18A@dwheeler.com>

FYI, my original public defense presentation about "Diverse Double-Compiling" (DDC) is now on Youtube:
https://www.youtube.com/watch?v=QYH18NpsRu8

Here's some quick context:

Reproducible builds, as discussed in this mailing list, counters many build attacks by ensuring that the same tools produce the same resulting package. But how do you know the tools are not subverted in *their* build processes? Well, you can use reproducible builds on those tools as well.

However, compilers are a special case. Since compilers (and similar tools) compile themselves, they create a "loop" that's harder to deal with. (In general, cycles create many problems in computer science.) The attack was originally discussed in the Multics security evaluation of 1974, and popularized by Ken Thompson's discussion & demonstration of the attack as explained in his 1984 Turing Award presentation "Reflections on Trusting Trust".

A strong way to counter this "trusting trust" attack is "Diverse Double-Compiling" (DDC). The video above is my PhD public defense that it works. More details available here:
https://dwheeler.com/trusting-trust/

Another countermeasure is to use bootstrappable builds (e.g., GNU Mes). Bootstrappable builds & DDC aren't really competitors, because they can work well together to even-more-powerfully counter such attacks.

The recording is wiggly (it wasn't professionally recorded), but it should be understandable.

Enjoy!

--- David A. Wheeler

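The DDC procedure David describes, reduced to a toy model so the two checks can be run side by side. This is an added example, not David Wheeler's code nor anything from dwheeler.com: the "compiler", its "binaries" (Python text defining `cc()`), the trusted compiler `trusted_cc`, and the self-propagating subversion are all constructed here. The point it makes is the one in the message: a compiler that reinserts itself when compiling its own source passes the naive "rebuild yourself and compare" check, while stage2 of DDC (sA compiled by a trusted compiler, then sA compiled by that result) differs from the claimed binary. It assumes deterministic compilation, which is exactly what reproducible builds supply.

```python
"""Toy model of diverse double-compiling (DDC).

A compiler binary here is Python text that defines cc(src) -> str, and a
compile step is a pure text transformation, so "running a binary" means
exec()-ing that text. Everything below is constructed for illustration.
"""


def load(binary_text: str):
    """Run a toy compiler binary and hand back its cc() entry point."""
    namespace: dict = {}
    exec(binary_text, namespace)
    return namespace["cc"]


# Source sA of compiler A (constructed). The toy language is Python minus
# comment lines, so "compiling" means dropping comment lines.
COMPILER_A_SRC = """\
# Compiler A, version 1 (constructed toy source)
def cc(src):
    # Compile step: drop comment lines, keep everything else verbatim.
    return "\\n".join(line for line in src.splitlines()
                      if not line.lstrip().startswith("#")) + "\\n"
"""


def trusted_cc(src: str) -> str:
    """Compiler T: an independently written compiler for the same toy
    language, the one we trust. DDC only needs it to be correct."""
    kept = [line for line in src.splitlines() if not line.lstrip().startswith("#")]
    return "\n".join(kept) + "\n"


# A self-propagating subversion in the style of "Reflections on Trusting
# Trust": when the compiler compiles something that looks like itself, it
# appends its own text again. The only "payload" is the propagation itself.
_T = '''
_honest_cc = cc
_T = %r
_SUFFIX = _T %% _T
def cc(src):
    out = _honest_cc(src)
    return out + _SUFFIX if "def cc(" in src else out
'''
SUBVERTED_SUFFIX = _T % _T


def ddc_check(trusted, compiler_src: str, claimed_binary: str) -> dict:
    """Diverse double-compiling.

    stage1 = cT(sA): compile the untrusted compiler's source with the trusted compiler.
    stage2 = stage1(sA): compile sA again with stage1.
    If the claimed binary really is sA built from sA (and compilation is
    deterministic), stage2 must be byte-identical to it. The naive
    "rebuild yourself" check is returned alongside, because a
    self-propagating subversion passes that one."""
    stage1 = trusted(compiler_src)
    stage2 = load(stage1)(compiler_src)
    self_rebuilt = load(claimed_binary)(compiler_src)
    return {
        "self_rebuild_matches": self_rebuilt == claimed_binary,
        "ddc_matches": stage2 == claimed_binary,
    }


def honest_binary() -> str:
    """An unsubverted build of compiler A (in this toy, A and T emit the
    same text, so T's output doubles as A's own self-build)."""
    return trusted_cc(COMPILER_A_SRC)


def subverted_binary() -> str:
    """The same binary with the self-propagating suffix attached."""
    return honest_binary() + SUBVERTED_SUFFIX


if __name__ == "__main__":
    print("honest   ", ddc_check(trusted_cc, COMPILER_A_SRC, honest_binary()))
    print("subverted", ddc_check(trusted_cc, COMPILER_A_SRC, subverted_binary()))
```

The subverted binary regenerates itself exactly when asked to compile its own source, so a reproducible self-build alone proves nothing; only the second, diverse compiler breaks the cycle David mentions.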
From: chris at reproducible-builds.org (Chris Lamb)
Date: Fri, 7 May 2021 06:05:42 -0400 (EDT)
Subject: diffoscope 174 released 💠
Message-ID: <162038181819.1076496.15375963416760980005@tinycat.chris-lamb.co.uk>

Hi,

The diffoscope maintainers are pleased to announce the release of version 174 of diffoscope.

diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them. It can compare two tarballs, ISO images, or PDF just as easily.

Version 174 includes the following changes:

[ Chris Lamb ]
* Check that we are parsing an actual Debian .buildinfo file, not just a file with that extension. (Closes: #987994, reproducible-builds/diffoscope#254)
* Support signed .buildinfo files again -- file(1) reports them as "PGP signed message".

[ Mattia Rizzolo ]
* Make the testsuite pass with file(1) version 5.40.
* Embed some short test fixtures in the test code itself.
* Fix recognition of compressed .xz files with file(1) 5.40.

## Download

Version 174 is available from Debian unstable as well as PyPI, and will shortly be available on other platforms surely. More details can be found here:

  https://diffoscope.org/

... but source tarballs may be located here:

  https://diffoscope.org/archive/

The corresponding Docker image may be run via (for example):

  $ docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro \
      registry.salsa.debian.org/reproducible-builds/diffoscope a b

## Contribute

diffoscope is developed within the "Reproducible builds" effort.

- Git repository
  https://salsa.debian.org/reproducible-builds/diffoscope
- Docker image, eg. registry.salsa.debian.org/reproducible-builds/diffoscope
  https://salsa.debian.org/reproducible-builds/diffoscope
- Issues and feature requests
  https://salsa.debian.org/reproducible-builds/diffoscope/issues
- Contribution instructions (eg. to file an issue)
  https://reproducible-builds.org/contribute/salsa/

Regards,

-- 
Chris Lamb
reproducible-builds.org


From: chris at reproducible-builds.org (Chris Lamb)
Date: Fri, 07 May 2021 12:01:13 +0100
Subject: Please review the draft for April's report
Message-ID: <162038523985.1083998.5388425239774894380@tinycat.chris-lamb.co.uk>

Hi all,

Sorry about the short delay. Please review the draft for April's Reproducible Builds report:

  https://reproducible-builds.org/reports/2021-04/?draft

... or, via the Git repository itself:

  https://salsa.debian.org/reproducible-builds/reproducible-website/blob/master/_reports/2021-04.md

I intend to publish it no earlier than:

  $ date -d 'Sun, 09 May 2021 15:00:00 +0100'

  https://time.is/compare/1500_09_May_2021_in_BST

... Please feel free to commit/push to drafts without the overhead of sending patches or merge requests. You should make your changes to the "_reports/2021-04.md" file in the "reproducible-website" repository:

  $ git clone https://salsa.debian.org/reproducible-builds/reproducible-website
  $ cd reproducible-website
  $ sensible-editor _reports/2021-04.md

I am happy to reword and/or rework additions prior to publishing.

If you currently do not have access to the above repository, you can request access by following the instructions at:

  https://reproducible-builds.org/contribute/salsa/

Regards,

-- 
Chris Lamb
reproducible-builds.org

From: holger at layer-acht.org (Holger Levsen)
Date: Fri, 7 May 2021 23:18:15 +0000
Subject: Progress on reproducible Debian Live images
In-Reply-To: <90f9b8d1-cc9d-a25d-a9db-e8bc50f24ebb@rclobus.nl>
References: <90f9b8d1-cc9d-a25d-a9db-e8bc50f24ebb@rclobus.nl>
Message-ID: <20210507231815.GA2667@layer-acht.org>

Hi Roland,

On Wed, Feb 10, 2021 at 11:13:03PM +0100, Roland Clobus wrote:
> I've created a Wiki page that details my progress in creating
> reproducible live images, since I wrote to these lists on 2020-11-11.
> https://wiki.debian.org/ReproducibleInstalls/LiveImages

I'm sorry for the very late reply on this! I've been following your wiki edits on this in the last months though..!

> Long summary:
> Read the full Wiki page, which contains the command lines, etc.

I believe the wiki page is ready to turn this into a jenkins job, to build a live-image twice and feed the results to diffoscope. :)

Maybe we could collaborate on this next week?

I've also seen Steve's honest reply in https://lists.debian.org/debian-live/2021/04/msg00013.html and then Jonathan's and Raphael's replies and I agree there should be a call for help on d-d-a. Because, having live images is something Debian should have. And, obviously, these should be reproducible!

So, thank you, Roland, for documenting what needs to be done in https://wiki.debian.org/ReproducibleInstalls/LiveImages !

-- 
cheers,
	Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

We live in a world where teenagers get more and more desperate trying to convince adults to behave like grown ups.

From: lamby at debian.org (Chris Lamb)
Date: Sun, 09 May 2021 18:09:15 +0100
Subject: Please review the draft for April's report
In-Reply-To: <162038523985.1083998.5388425239774894380@tinycat.chris-lamb.co.uk>
References: <162038523985.1083998.5388425239774894380@tinycat.chris-lamb.co.uk>
Message-ID: <24223f41-89ff-4209-8d76-aa271d91dcdc@www.fastmail.com>

Chris Lamb wrote:

> Please review the draft for April's Reproducible Builds report:

This has now been published; many thanks to all who contributed. Please share the following URL:

  https://reproducible-builds.org/reports/2021-04/

Alternatively, if you are into that kind of thing, please consider retweeting:

  https://twitter.com/ReproBuilds/status/1391439899849592843

Regards,

-- 
Chris Lamb
reproducible-builds.org

From: rclobus at rclobus.nl (Roland Clobus)
Date: Thu, 13 May 2021 13:17:53 +0200
Subject: Progress on reproducible Debian Live images
In-Reply-To: <20210507231815.GA2667@layer-acht.org>
References: <90f9b8d1-cc9d-a25d-a9db-e8bc50f24ebb@rclobus.nl> <20210507231815.GA2667@layer-acht.org>
Message-ID: 

Hello Holger and lists,

On 08/05/2021 01:18, Holger Levsen wrote:
> On Wed, Feb 10, 2021 at 11:13:03PM +0100, Roland Clobus wrote:
>> I've created a Wiki page that details my progress in creating
>> reproducible live images, since I wrote to these lists on 2020-11-11.
>> https://wiki.debian.org/ReproducibleInstalls/LiveImages
>
> I believe the wiki page is ready to turn this into a jenkins job, to
> build a live-image twice and feed the results to diffoscope. :)

I like it that Jenkins will take over a lot of the work. Since building the images requires network access, there might be some differences when the image is rebuilt. This can be circumvented by using the local cache that is generated by the first run, a proxy or snapshots.debian.org. It all depends on what you want to achieve with the Jenkins job(s). Let's talk/brainstorm about that in a live chat (e.g. Jitsi).

> Maybe we could collaborate on this next week?

Sure. This week (with the public holiday) is not so suitable. How about one of these timeslots: 2021-05-17T20:00CEST, 2021-05-20T15:00, 2021-05-20T20:00? Will there be other participants?

> I've also seen Steve's honest reply in https://lists.debian.org/debian-live/2021/04/msg00013.html
> and then Jonathan's and Raphael's replies and I agree
> there should a call for help on d-d-a.

I'm still drafting a follow-up mail. I think that the burden of maintenance could be reduced by some automated tests. However, for Debian 11.0 the live images will still be generated with live-wrapper, to reduce the release-stress and not block the release of Bullseye.

> Because, having live images is something Debian should have.
> And, obviously, these should be reproducible!
>
> So, thank you, Roland, for documenting what needs to be done in
> https://wiki.debian.org/ReproducibleInstalls/LiveImages !

Thanks for the thumbs-up! I hope that a solution can be found to provide official Debian Live Images which are 100% reproducible.

With kind regards,
Roland Clobus

From: chris at reproducible-builds.org (Chris Lamb)
Date: Fri, 14 May 2021 11:12:39 +0100
Subject: diffoscope 175 released 💠
Message-ID: <162098553796.3018605.6761005369178273931@tinycat.chris-lamb.co.uk>

Hi,

The diffoscope maintainers are pleased to announce the release of version 175 of diffoscope.

diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them. It can compare two tarballs, ISO images, or PDF just as easily.

Version 175 includes the following changes:

* Use the actual filesystem path name (instead of diffoscope's concept of the source name) to correct APK filename filtering when an APK file is in another container -- we need to filter the auto-generated "1.apk" instead of "original-filename.apk". (Closes: reproducible-builds/diffoscope#255)
* Don't call os.path.basename twice.
* Correct grammar in a fsimage.py debug message.
* Add a comment about stripping filenames.

## Download

Version 175 is available from Debian unstable as well as PyPI, and will shortly be available on other platforms surely. More details can be found here:

  https://diffoscope.org/

... but source tarballs may be located here:

  https://diffoscope.org/archive/

The corresponding Docker image may be run via (for example):

  $ docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro \
      registry.salsa.debian.org/reproducible-builds/diffoscope a b

## Contribute

diffoscope is developed within the "Reproducible builds" effort.

- Git repository
  https://salsa.debian.org/reproducible-builds/diffoscope
- Docker image, eg. registry.salsa.debian.org/reproducible-builds/diffoscope
  https://salsa.debian.org/reproducible-builds/diffoscope
- Issues and feature requests
  https://salsa.debian.org/reproducible-builds/diffoscope/issues
- Contribution instructions (eg. to file an issue)
  https://reproducible-builds.org/contribute/salsa/

Regards,

-- 
Chris Lamb
reproducible-builds.org


From: flx at obfusk.net (Felix C. Stegerman)
Date: Thu, 20 May 2021 19:16:37 +0200
Subject: How can I contribute?
Message-ID: 

Hi!

I'd like to contribute to Reproducible Builds (for Debian).

I've read [1] and requested access to [2]; unfortunately, [3] is a broken link.

- Felix

[1] https://reproducible-builds.org/contribute/
[2] http://salsa.debian.org/reproducible-builds
[3] https://reproducible-builds.org/contribute/debian/


From: baloo at superbaloo.net (Arthur Gautier)
Date: Thu, 20 May 2021 21:27:57 +0000
Subject: Reproducibility problems with rubygems
Message-ID: 

Hello everyone,

When investigating reproducibility problems with rubygems over at NixOS, we found this issue:
https://github.com/rubygems/rubygems/pull/4610

Not sure this is the place to post this (let me know if there is a better place to), but I thought it might benefit other distributions as well.

If I read git history correctly, all versions of rubygems since v2.5.2 have been affected.

Best,

-- 
Arthur

From: rclobus at rclobus.nl (Roland Clobus)
Date: Sat, 22 May 2021 13:00:35 +0200
Subject: How can I contribute? -> broken URL fixed
In-Reply-To: 
References: 
Message-ID: <70d2fd61-ca7d-c399-dadf-490bf4ae5596@rclobus.nl>

Hello Felix, list,

I've fixed the website, you should now be able to read the Debian-specific instructions again.

With kind regards,
Roland Clobus

git hash: 884ceefd5fc8bdd0de73c2022b4dd390ed9b6510

On 20/05/2021 19:16, Felix C. Stegerman wrote:
> Hi!
>
> I'd like to contribute to Reproducible Builds (for Debian).
>
> I've read [1] and requested access to [2]; unfortunately, [3] is a
> broken link.
>
> - Felix
>
> [1] https://reproducible-builds.org/contribute/
> [2] http://salsa.debian.org/reproducible-builds
> [3] https://reproducible-builds.org/contribute/debian/


From: chris at reproducible-builds.org (Chris Lamb)
Date: Sat, 22 May 2021 12:26:43 +0100
Subject: Reproducibility problems with rubygems
In-Reply-To: 
References: 
Message-ID: <8517af98-47da-4993-a3ee-99267a9a0b8f@www.fastmail.com>

Hey Arthur,

> When investigating reproducibility problems with rubygems over at
> NixOS, we found this issue:
> https://github.com/rubygems/rubygems/pull/4610
>
> Not sure this is the place to post this (let me know if there is a
> better place to), but I thought it might benefit other distributions
> as well.

I hadn't seen this myself (I don't tend to track Ruby stuff generally), so thank you for passing it on. :)

Best wishes,

-- 
Chris Lamb
reproducible-builds.org

From: holger at layer-acht.org (Holger Levsen)
Date: Mon, 24 May 2021 10:22:13 +0000
Subject: How can I contribute? -> broken URL fixed
In-Reply-To: <70d2fd61-ca7d-c399-dadf-490bf4ae5596@rclobus.nl>
References: <70d2fd61-ca7d-c399-dadf-490bf4ae5596@rclobus.nl>
Message-ID: <20210524102213.GA1916@layer-acht.org>

On Sat, May 22, 2021 at 01:00:35PM +0200, Roland Clobus wrote:
> I've fixed the website, you should now be able to read the
> Debian-specific instructions again.

thank you, Roland! And Felix for reporting here too!

That said, the page about contributing to Debian is a bit outdated and the other contribute-pages even more. Patches very much welcome! :)

-- 
cheers,
	Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

The corona crisis is peanuts compared to the global climate disaster.


From: ludo at gnu.org (Ludovic Courtès)
Date: Wed, 26 May 2021 11:49:45 +0200
Subject: [PATCH] Explain how to contribute to reproducible builds in Guix.
Message-ID: <20210526094945.19885-1-ludo@gnu.org>

---
 contribute/guix.md  | 47 +++++++++++++++++++++++++++++++++++++++++++++
 contribute/index.md |  4 ++++
 2 files changed, 51 insertions(+)
 create mode 100644 contribute/guix.md

Hello!

I thought it could be useful to have pointers to help out on reproducible builds in Guix, so here we go. Let me know what you think!

Ludo'.

diff --git a/contribute/guix.md b/contribute/guix.md
new file mode 100644
index 0000000..719cd65
--- /dev/null
+++ b/contribute/guix.md
@@ -0,0 +1,47 @@
+---
+layout: default
+title: Contribute to reproducible builds in GNU?Guix
+permalink: /contribute/guix/
+---
+
+This page explains how you can contribute to reproducible builds in
+[GNU?Guix](https://guix.gnu.org).
+
+## Finding reproducibility issues
+
+You can monitor reproducibility issues by running [`guix
+challenge`](https://guix.gnu.org/manual/en/html_node/Invoking-guix-challenge.html).
+To further investigate, you can specify one or more packages on the
+command line, and ask it to invoke Diffoscope upon failure:
+
+```
+guix challenge git \
+  --diff=diffoscope \
+  --substitute-urls="https://ci.guix.gnu.org https://guix.example.org"
+```
+
+Another option is to rebuild packages locally. For example, assuming
+you already installed Git on your machine, you can force a rebuild [with
+`--check`](https://guix.gnu.org/manual/en/html_node/Additional-Build-Options.html#build_002dcheck):
+
+```
+guix build git --check --no-grafts --keep-failed
+```
+
+If the new build result differs from the one that was already in store,
+the failed build is kept as `/gnu/store/?-git-1.2.3-check`, allowing you
+to compare it with the original one (without the `-check` suffix).
+
+## Reporting issues
+
+Please report issues by sending email to `bug-guix at gnu.org`. Each
+message opens a new issues visible in the [bug
+tracker](https://issues.guix.gnu.org).
+
+When investigating, be sure to check [Debian?s reproducibility issue
+inventory](https://tests.reproducible-builds.org/debian/index_issues.html)
+for known problems and solutions.
+
+You can also discuss these issues with other developers on [the Guix
+development mailing list and on the IRC
+channel](https://guix.gnu.org/en/contact).
diff --git a/contribute/index.md b/contribute/index.md
index af63915..e1b8af4 100644
--- a/contribute/index.md
+++ b/contribute/index.md
@@ -42,6 +42,10 @@ Reproducible Builds is distro agnostic, which means we care about all the distri
 [Suggestions how to contribute to Reproducible Debian](/contribute/debian/)
 
+## Contribute to reproducible builds in GNU?Guix
+
+[Suggestions on how to contribute to reproducible builds in GNU?Guix](/contribute/guix)
+
 ## Donate
 
 Another way to help is to financially support our project. We welcome any
-- 
2.31.1


From: holger at layer-acht.org (Holger Levsen)
Date: Wed, 26 May 2021 10:15:59 +0000
Subject: [PATCH] Explain how to contribute to reproducible builds in Guix.
In-Reply-To: <20210526094945.19885-1-ludo@gnu.org>
References: <20210526094945.19885-1-ludo@gnu.org>
Message-ID: <20210526101559.GC31366@layer-acht.org>

Hi Ludo,

On Wed, May 26, 2021 at 11:49:45AM +0200, Ludovic Courtès wrote:
> I thought it could be useful to have pointers to help out on reproducible
> builds in Guix, so here we go. Let me know what you think!

yay! already committed by Arnout it seems! \o/

-- 
cheers,
	Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

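Review bot: In the guix.md hunk, the "Reporting issues" paragraph has a number-agreement slip: `+message opens a new issues visible in the [bug` should read `message opens a new issue visible in the [bug`.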
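Review bot: In the index.md hunk, the new link target in `+[Suggestions on how to contribute to reproducible builds in GNU?Guix](/contribute/guix)` has no trailing slash, while the page's own front matter declares `+permalink: /contribute/guix/` and the neighbouring Debian entry links to `/contribute/debian/`; use `/contribute/guix/` so the link matches the permalink and the existing entries.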
From: ludo at gnu.org (Ludovic Courtès)
Date: Wed, 26 May 2021 22:16:35 +0200
Subject: [PATCH] Explain how to contribute to reproducible builds in Guix.
In-Reply-To: <20210526101559.GC31366@layer-acht.org> (Holger Levsen's message of "Wed, 26 May 2021 10:15:59 +0000")
References: <20210526094945.19885-1-ludo@gnu.org> <20210526101559.GC31366@layer-acht.org>
Message-ID: <87fsy9s124.fsf@gnu.org>

Holger Levsen writes:

> On Wed, May 26, 2021 at 11:49:45AM +0200, Ludovic Courtès wrote:
>> I thought it could be useful to have pointers to help out on reproducible
>> builds in Guix, so here we go. Let me know what you think!
>
> yay! already commited by Arnout it seems! \o/

Awesome, thanks!

Ludo'.

From: chris at reproducible-builds.org (Chris Lamb)
Date: Fri, 28 May 2021 12:51:29 +0100
Subject: diffoscope 176 released 💠
Message-ID: <162219566387.516739.16521029900355404890@tinycat.chris-lamb.co.uk>

Hi,

The diffoscope maintainers are pleased to announce the release of version 176 of diffoscope.

diffoscope tries to get to the bottom of what makes files or directories different. It will recursively unpack archives of many kinds and transform various binary formats into more human-readable form to compare them. It can compare two tarballs, ISO images, or PDF just as easily.

Version 176 includes the following changes:

* Update ffmpeg tests to work with ffmpeg 4.4. (Closes: reproducible-builds/diffoscope#258)

## Download

Version 176 is available from Debian unstable as well as PyPI, and will shortly be available on other platforms surely. More details can be found here:

  https://diffoscope.org/

... but source tarballs may be located here:

  https://diffoscope.org/archive/

The corresponding Docker image may be run via (for example):

  $ docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro \
      registry.salsa.debian.org/reproducible-builds/diffoscope a b

## Contribute

diffoscope is developed within the "Reproducible builds" effort.

- Git repository
  https://salsa.debian.org/reproducible-builds/diffoscope
- Docker image, eg. registry.salsa.debian.org/reproducible-builds/diffoscope
  https://salsa.debian.org/reproducible-builds/diffoscope
- Issues and feature requests
  https://salsa.debian.org/reproducible-builds/diffoscope/issues
- Contribution instructions (eg. to file an issue)
  https://reproducible-builds.org/contribute/salsa/

Regards,

-- 
Chris Lamb
reproducible-builds.org

From: bubu at bubu1.eu (Marcus Hoffmann)
Date: Sat, 29 May 2021 14:30:50 +0200
Subject: apk/dex differences, diffoscope can't really tell what's going on. Any ideas?
Message-ID: 

Hi,

we're trying to hunt down an unreproducible apk build.

We currently have a diff between two dex files which diffoscope can't really tell us anything about:
https://bubu1.eu/diffoscope_dex.html

Anyone got any idea what's going on here?

(File are https://bubu1.eu/classes.dex and https://bubu1.eu/classes_fynn.dex)

Marcus


From: bernhardout at lsmod.de (Bernhard M. Wiedemann)
Date: Sat, 29 May 2021 17:45:15 +0200
Subject: apk/dex differences, diffoscope can't really tell what's going on. Any ideas?
In-Reply-To: 
References: 
Message-ID: 

On 29/05/2021 14.30, Marcus Hoffmann via rb-general wrote:
> we're trying to hunt down an unreproducible apk build.
>
> We currently have a diff between two dex files which diffoscope can't
> really tell us anything about:
> https://bubu1.eu/diffoscope_dex.html
>
> Anyone got any idea what's going on here?
>
> (File are https://bubu1.eu/classes.dex and
> https://bubu1.eu/classes_fynn.dex)

They differ in
"pg-map-id":"xxxxxxx"

and the 24 differing bytes starting at offset 8 could be a 192 bit checksum over the remaining content.

If in doubt, check the code creating it for "pg-map-id" and for what goes after the dex\n035\000 magic header.

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40085 seems related.

https://speakerdeck.com/jakewharton/diffusing-changes-in-your-apks-droidcon-toronto-2019 also has something.

From: bubu at bubu1.eu (Marcus Hoffmann)
Date: Sat, 29 May 2021 18:05:08 +0200
Subject: apk/dex differences, diffoscope can't really tell what's going on. Any ideas?
In-Reply-To: 
References: 
Message-ID: <23140ef7-dd0e-aa54-5a0a-c36fd8522feb@bubu1.eu>

Hi Bernhard,

On 29.05.21 17:45, Bernhard M. Wiedemann wrote:
>
>
> On 29/05/2021 14.30, Marcus Hoffmann via rb-general wrote:
>> we're trying to hunt down an unreproducible apk build.
>>
>> We currently have a diff between two dex files which diffoscope can't
>> really tell us anything about:
>> https://bubu1.eu/diffoscope_dex.html
>>
>> Anyone got any idea what's going on here?
>>
>> (File are https://bubu1.eu/classes.dex and
>> https://bubu1.eu/classes_fynn.dex)
>
> They differ in
> "pg-map-id":"xxxxxxx"
>
> and the 24 differing bytes starting at offset 8 could be a 192 bit
> checksum over the remaining content.

Oooh, that makes a lot of sense (and the torproject gitlab issue seems to confirm that). The other thing is proguard/r8 related, that should help a lot trying to figure that out!

I was confused because I'm used to getting diffs in the decompile/disassembly of dex files which is explicitly not the case here (which is good, it's a step forward from where we were last week!)

>
> If in doubt, check the code creating it for "pg-map-id" and for what
> goes after the dex\n035\000 magic header.
>
> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40085
> seems related.
>
> https://speakerdeck.com/jakewharton/diffusing-changes-in-your-apks-droidcon-toronto-2019
> also has something.
>

From: bubu at bubu1.eu (Marcus Hoffmann)
Date: Sat, 29 May 2021 22:56:33 +0200
Subject: apk/dex differences, diffoscope can't really tell what's going on. Any ideas?
In-Reply-To: <23140ef7-dd0e-aa54-5a0a-c36fd8522feb@bubu1.eu>
References: <23140ef7-dd0e-aa54-5a0a-c36fd8522feb@bubu1.eu>
Message-ID: <55a2f1c0-02e3-0977-98bc-528e0e1cf7e5@bubu1.eu>

On 29.05.21 18:05, Marcus Hoffmann via rb-general wrote:
>>
>> They differ in
>> "pg-map-id":"xxxxxxx"
>>
>> and the 24 differing bytes starting at offset 8 could be a 192 bit
>> checksum over the remaining content.
>
> Oooh, that makes a lot of sense (and the torproject gitlab issue seems
> to confirm that). The other thing is proguard/r8 releated, that should
> help a lot trying to figure that out!
>

Well, it turns out that our genius plan of relying on R8/proguard to work around a non-deterministic codegen issue in the used navigation library didn't quite work out.

Here's what's happening:

* androidx.navigation.safeargs.kotlin *sometimes* (unclear when) generates some additional unused methods in some classes.
* R8 removed those from the final dex file, which would make it reproducible... but then it calculates a hash over some mapping file which at least in this case ends up being different because of exactly those additional methods that it did or did not throw out.

Reported this to google now: https://issuetracker.google.com/issues/189498001

Let's hope it gets fixed this year still :/

Marcus

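A small checker for the situation Bernhard diagnoses and Marcus confirms: the 24 differing bytes at offset 8 of a dex file are the header's two derived fields, a uint32 Adler-32 over bytes 12 to end followed by a 20-byte SHA-1 over bytes 32 to end, so they always differ when anything behind them (such as the `pg-map-id` string) differs. This is an added example, not diffoscope's code; the `build_dex` helper produces constructed, dex-shaped test input with a correct header prefix and an arbitrary payload in place of the real sections, so the file is not loadable and only serves to exercise the check.

```python
"""Tell a dex header's derived fields apart from the content that changed."""
import hashlib
import struct
import zlib

CHECKSUM_OFFSET = 8     # uint32 Adler-32 over data[12:]
SIGNATURE_OFFSET = 12   # 20-byte SHA-1 over data[32:]
DATA_OFFSET = 32
HEADER_SIZE = 0x70


def verify_dex_header(data: bytes) -> dict:
    """Recompute both derived header fields and compare with what is stored."""
    if len(data) < HEADER_SIZE or not data.startswith(b"dex\n"):
        raise ValueError("not a dex file")
    stored_checksum = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    stored_signature = data[SIGNATURE_OFFSET:DATA_OFFSET]
    return {
        "version": data[4:7].decode("ascii"),
        "checksum_ok": stored_checksum == zlib.adler32(data[SIGNATURE_OFFSET:]),
        "signature_ok": stored_signature == hashlib.sha1(data[DATA_OFFSET:]).digest(),
    }


def explain_dex_diff(a: bytes, b: bytes) -> dict:
    """Separate header bytes that merely follow from the content (checksum and
    signature) from the content offsets that actually differ.

    header_fields_consistent is True when both files carry a checksum and
    signature that match their own content, i.e. the header diff is a
    consequence of the content diff rather than a problem in itself."""
    va, vb = verify_dex_header(a), verify_dex_header(b)
    consistent = all(v[key] for v in (va, vb) for key in ("checksum_ok", "signature_ok"))
    longest = max(len(a), len(b))
    content = [i for i in range(DATA_OFFSET, longest) if a[i:i + 1] != b[i:i + 1]]
    header = [i for i in range(CHECKSUM_OFFSET, DATA_OFFSET) if a[i] != b[i]]
    return {
        "header_fields_consistent": consistent,
        "header_diff_offsets": header,
        "content_diff_offsets": content,
    }


def build_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Constructed test input: magic, checksum, signature, then file_size,
    header_size and the little-endian tag padded to 0x70 bytes, then an
    arbitrary payload standing in for the real sections."""
    body = struct.pack("<III", HEADER_SIZE + len(payload), HEADER_SIZE, 0x12345678)
    body += b"\0" * (HEADER_SIZE - DATA_OFFSET - len(body)) + payload
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body)
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    # Two constructed files whose only real difference is a pg-map-id value.
    first = build_dex(b'{"pg-map-id":"aaaaaaa"}')
    second = build_dex(b'{"pg-map-id":"bbbbbbb"}')
    print(explain_dex_diff(first, second))
```

When `header_fields_consistent` is True and `content_diff_offsets` is non-empty, the header bytes can be ignored and the investigation goes to the content offsets, which in Marcus's case leads straight to the R8 map-id string.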
From: rclobus at rclobus.nl (Roland Clobus)
Date: Sun, 30 May 2021 18:30:27 +0200
Subject: Possible new category for non-reproducible builds: --build-id=sha1 -> actually cmake_rpath_contains_build_path_issue
In-Reply-To: <0e7290f5-c000-be5b-fbea-2821c825db27@lsmod.de>
References: <84c73e6e-5012-694c-7fa2-161c4c55d550@rclobus.nl> <0e7290f5-c000-be5b-fbea-2821c825db27@lsmod.de>
Message-ID: <3a6af959-320b-7e1f-f86d-3b71c4bfc174@rclobus.nl>

Hello again,

On 25/04/2021 02:26, Bernhard M. Wiedemann wrote:
> On 24/04/2021 17.59, Roland Clobus wrote:
>> I've looked the reproducible report for apt-cacher-ng.
>> It looks like it is caused by a linker flag: -Wl,--build-id=sha1
> If you see variations in build-id with sha1 mode, it means there were
> already variations in inputs before and those inputs should be made
> deterministic.

On 24/04/2021 22:53, Santiago Torres Arias wrote:
> https://tests.reproducible-builds.org/debian/issues/unstable/build_id_variation_requiring_further_investigation_issue.html

Thank you for responding and providing pointers for further thought.

I've dug deeper into the apt-cacher-ng package [3]. It turned out that there were two reasons for non-reproducibility: locales #988976 and build-id #989203

The build-id issue is a known issue [1][2] caused by CMake and its default behaviour to add an rpath to the binary. Upon installation the rpath bytes are zeroed. This means effectively that
1) the length of the build path is leaked
2) the build-id is not recalculated.

The diffoscope output was not easy to interpret, because many of the debugging symbols had a new base-address (due to the different length of the rpath).

In order to find this type of issue more easily:
A) Reprotest could be extended to run with a build path of the same length as the original code, which would only show a difference in the build-id (instead of both a difference in build-id and a different length of the binary with shifted addresses for many functions), or
B) Diffoscope could explicitly extract the rpath from the binary, to see whether it is of build-path-length and contains only '\0' bytes.

With kind regards,
Roland Clobus

[1] https://reproducible-builds.org/docs/deterministic-build-systems/
[2] https://tests.reproducible-builds.org/debian/issues/unstable/cmake_rpath_contains_build_path_issue.html
[3] https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/apt-cacher-ng.html

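Roland's suggestion B, worked through: read DT_RPATH/DT_RUNPATH out of an ELF64 binary and report whether the slot holds a path or a run of NUL bytes that an install step blanked in place, whose length is then the leaked build-path length. This is an added example with its own minimal ELF parser and a constructed test binary; it is not diffoscope's or reprotest's code. `inspect_rpath` only handles little-endian ELF64 with a PT_LOAD that backs the string table, which covers the amd64 case in [3]; `build_elf` assembles a non-runnable, dex-free ELF skeleton (header, two program headers, .dynstr, .dynamic) purely so the check can be exercised offline, and its `zeroed=True` mode reproduces what zeroing the rpath at install time leaves behind.

```python
"""Extract rpath-like dynamic entries from an ELF64 file and measure a blanked slot."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_RUNPATH = 0, 1, 5, 10, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def inspect_rpath(elf: bytes) -> list:
    """One finding per rpath-like entry.

    value        -> the NUL-terminated string a loader would see
    zeroed_bytes -> extra NUL bytes following an empty value, i.e. the length
                    of a path that was overwritten with zeros in place"""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # no dynamic section, so no rpath slot at all

    def to_file_offset(vaddr: int) -> int:
        for seg_vaddr, seg_offset, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_offset
        raise ValueError("address not backed by a PT_LOAD segment")

    tags = {}
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, val)
    strtab_off = to_file_offset(tags[DT_STRTAB])
    strtab = elf[strtab_off:strtab_off + tags[DT_STRSZ]]

    findings = []
    for tag, name in TAG_NAMES.items():
        if tag not in tags:
            continue
        start = tags[tag]
        end = strtab.index(b"\0", start)          # what the loader reads
        run_end = end
        while run_end < len(strtab) and strtab[run_end] == 0:
            run_end += 1                          # count the NUL run behind it
        zeroed = run_end - end - 1 if end == start else 0
        findings.append({"tag": name, "value": strtab[start:end], "zeroed_bytes": zeroed})
    return findings


def build_elf(rpath: bytes, zeroed: bool = False) -> bytes:
    """Constructed minimal ELF64 (not runnable): one PT_LOAD covering the whole
    file at vaddr 0, one PT_DYNAMIC with DT_STRTAB/DT_STRSZ/DT_NEEDED/DT_RUNPATH.
    zeroed=True overwrites the path with NULs in place, as blanking at install
    time does, so the string table keeps the build path's length."""
    stored = b"\0" * len(rpath) if zeroed else rpath
    dynstr = b"\0" + stored + b"\0" + b"libc.so.6\0"
    rpath_idx, needed_idx = 1, 2 + len(rpath)
    phdr_off, dynstr_off = 64, 64 + 2 * 56
    dyn_off = dynstr_off + len(dynstr)
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in (
        (DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr)),
        (DT_NEEDED, needed_idx), (DT_RUNPATH, rpath_idx), (DT_NULL, 0)))
    total = dyn_off + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, phdr_off, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dynamic), len(dynamic), 8)
    return ehdr + phdrs + dynstr + dynamic


if __name__ == "__main__":
    path = b"/build/apt-cacher-ng-3.6"  # constructed build path
    print(inspect_rpath(build_elf(path)))
    print(inspect_rpath(build_elf(path, zeroed=True)))
```

Two builds from paths of different lengths yield files of different sizes even after zeroing, which is point 1) above, and a non-zero `zeroed_bytes` equal to the build-path length is the signature that [2] describes.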
From: dan at shearer.org (Dan Shearer)
Date: Mon, 31 May 2021 14:52:32 +0100
Subject: Reproducibility tool
Message-ID: 

Hello reproducibility people,

Reproducibility often requires source code assembly from multiple upstreams, with multiple versions, source formats and mutually incompatible maintenance cycles. There is now a tool called Not-Forking that does what cannot be addressed by a VCS or patch/merge/quilt, see https://lumosql.org/src/not-forking/doc/trunk/README.md . The diagrams illustrate common use cases, but it caters for other needs as well, and I suspect from conversations with various operating system maintainers that it could be well-suited for use there.

Not-Forking can detect its own (very minimal) dependencies, upgrade itself, and use a down-level version of itself if needed. Not-Forking maintains a local cache that can reliably tell when an upstream has changed, or a branch within an upstream, regardless of the VCS or other system the upstream uses.

Not-Forking was developed for the LumoSQL project, where we were faced with an extreme case in the sense that we are making changes to the world's most-used software (SQLite). The SQLite project is understandably very conservative in making changes that have compatibility implications, and perhaps because of this the SQLite library has been vendored, forked, relicensed etc hugely. We wanted to show how a lot of that may not be necessary. LumoSQL modifies SQLite to use multiple different key-value stores, adds per-row integrity checking and encryption and various other things. If SQLite were not so carefully engineered and maintained it would be one of the biggest reproducibility weaknesses around, and in some ways it still is due to all the vendoring and forking - but this email is about Not-Forking.

Best,

-- 
Dan Shearer
dan at shearer.org

From: chris at reproducible-builds.org (Chris Lamb)
Date: Mon, 31 May 2021 15:14:59 +0100
Subject: Re: Possible new category for non-reproducible builds: --build-id=sha1 -> actually cmake_rpath_contains_build_path_issue
In-Reply-To: <3a6af959-320b-7e1f-f86d-3b71c4bfc174@rclobus.nl>
References: <84c73e6e-5012-694c-7fa2-161c4c55d550@rclobus.nl> <0e7290f5-c000-be5b-fbea-2821c825db27@lsmod.de> <3a6af959-320b-7e1f-f86d-3b71c4bfc174@rclobus.nl>
Message-ID: <4128c298-c690-477f-9001-e6ee7a409d05@www.fastmail.com>

Hi Roland,

> Diffoscope could explicitly extract the rpath from the binary, to see
> whether it is of build-path-length and contains only '\0' bytes.

That's a great idea. I've filed this as:

  https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/260

(Hopefully, salsa has pinged you there.)

Best wishes,

-- 
Chris Lamb
reproducible-builds.org