[EXTERNAL] Re: Please review the draft for December's report
Jose Miguel Parrella
Jose.Miguel at microsoft.com
Tue Jan 4 18:56:19 UTC 2022
Another suggestion: while pacman-bintrans + rebuilderd work happened early this month, here's a diff adding the news to the December report. Happy to push directly to repo (access request is pending).
diff --git a/_reports/2021-12.md b/_reports/2021-12.md
index 18dd2fab..c76baf06 100644
--- a/_reports/2021-12.md
+++ b/_reports/2021-12.md
@@ -16,9 +16,9 @@ As a quick recap of what reproducible builds is trying to address, whilst anyone
[![]({{ "/images/reports/2021-12/tails.png#right" | relative_url }})](https://tails.boum.org/)
-Early in December, Julien Voisin blogged about setting up a [*rebuilderd*](https://rebuilderd.com/) instance in order to reproduce [Tails](https://tails.boum.org/) images. Working on [previous work from 2018](https://dustri.org/b/please-try-to-build-tails-reproducibly.html), Julien has now set up a [public-facing instance](https://rebuilderd.dustri.org/) which is providing build attestations.
+Early in December, Julien Voisin blogged about setting up a [*rebuilderd*](https://rebuilderd.com/) instance in order to reproduce [Tails](https://tails.boum.org/) images. Working on [previous work from 2018](https://dustri.org/b/please-try-to-build-tails-reproducibly.html), Julien has now set up a [public-facing instance](https://rebuilderd.dustri.org/) which is providing build attestations. [rebuilderd](https://github.com/kpcyrd/rebuilderd/releases) saw great progress in December 2021 with the 0.18.0 release.
-As [Julien dryly notes in his post](https://dustri.org/b/reproducing-tails-with-rebuilderd.html), "Currently, this isn't really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn't backdoor the released image." Naturally, we would contend - sincerely - that this *is* indeed useful.
+While [Julien dryly notes in his post](https://dustri.org/b/reproducing-tails-with-rebuilderd.html) that "currently, this isn't really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn't backdoor the released image." we would contend - sincerely - that this *is* indeed useful. In fact, as we close this report, the [latest release](https://github.com/kpcyrd/pacman-bintrans/releases) of the `pacman-bintrans` experimental binary transparency utility can now [query rebuilderd](https://twitter.com/kpcyrd/status/1477662064625827841) showcasing a trust verification workflow for binary-based Linux distributions.
<br>
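Review bot: In the second added paragraph the quotation still ends with a full stop (`image."`) and then runs straight into "we would contend", so the reworked "While ... notes ... that" sentence breaks in the middle; end the quote with a comma before "we would contend". In the first added line, the new sentence opens with a lowercase, unitalicised `[rebuilderd]` although the same paragraph already writes `[*rebuilderd*]`, and it links to the releases index while the text names the 0.18.0 release specifically; match the existing styling and link to that release. Since the pacman-bintrans item happened after December, "as we close this report" would be clearer if it said so explicitly, and "can now query rebuilderd" needs a comma before "showcasing".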
-----Original Message-----
From: rb-general <rb-general-bounces at lists.reproducible-builds.org> On Behalf Of Vagrant Cascadian
Sent: Tuesday, January 4, 2022 10:47 AM
To: John Neffenger <john at status6.com>; Reproducible Builds List <rb-general at lists.reproducible-builds.org>
Subject: [EXTERNAL] Re: Please review the draft for December's report
On 2022-01-04, John Neffenger wrote:
> On 1/3/22 7:08 AM, Chris Lamb wrote:
>> Please review the draft for December's Reproducible Builds report:
>>
>> https://reproducible-builds.org/reports/2021-12/?draft
>
> Would it be helpful to add a section about upstream changes regarding
> reproducible builds made by the upstream projects themselves?
Addressing upstream project reproducibility issues is absolutely welcome! :)
> The OpenJDK project has made good progress lately. All of my personal
> Java projects are now reproducible when using the JDK 19 tools
> directly in an early-access build. The last piece I needed was this pull request:
>
> 8276766: Enable jar and jmod to produce deterministic timestamped
> content
> https://github.com/openjdk/jdk/pull/6481
>
> This change has been integrated into JDK 19 (to be released in
> September 2022), and a back-port of the commit has been requested for
> JDK 18 (to be released on March 22, 2022).
>
> The full discussion of the change is found below in the CSR
> (Compatibility and Specification Review):
>
> JDK-8277755: Enable jar and jmod to produce deterministic timestamped
> content
> https://bugs.openjdk.java.net/browse/JDK-8277755
This is all very exciting news to me! Thanks for working on it and bringing it to our attention.
If you foresee being a regular contributor, please sign up for an account at salsa.debian.org and we can get you access to the repository.
live well,
vagrant