Reproducible Builds in November 2024
Chris Lamb
chris at reproducible-builds.org
Thu Dec 5 18:00:05 UTC 2024
--------------------------------------------------------------------
o
⬋ ⬊ November 2024 in Reproducible Builds
o o
⬊ ⬋ https://reproducible-builds.org/reports/2024-11/
o
--------------------------------------------------------------------
Welcome to the November 2024 report from the Reproducible Builds
project!
Our monthly reports outline what we've been up to over the past month
and highlight items of news from elsewhere in the world of software
supply-chain security where relevant. As ever, if you are interested
in contributing to the Reproducible Builds project, please visit the
Contribute [0] page on our website.
§
Table of contents:
* Reproducible Builds mourns the passing of Lunar
* Introducing "reproduce.debian.net"
* New landing page design
* SBOMs for Python packages
* Debian updates
* Reproducible builds by default in Maven 4
* PyPI now supports digital attestations
* “Dependency Challenges in OSS Package Registries”
* Zig programming language demonstrated reproducible
* Website updates
* Upstream patches
* Misc development news
* Reproducibility testing framework
[0] https://reproducible-builds.org/contribute/
§
Reproducible Builds mourns the passing of Lunar
-----------------------------------------------
The Reproducible Builds community sadly announced it has lost its
founding member [2], Lunar. Jérémy Bobbio aka "Lunar" passed away on
Friday November 8th in palliative care in Rennes, France.
Lunar was instrumental in starting the Reproducible Builds project in
2013 as a loose initiative within the Debian project. He was the
author of our earliest status reports [4] and many of our key tools in
use today [5] are based on his design. Lunar's creativity, insight and
kindness were often noted.
You can view our full tribute [2] elsewhere on our website. He will be
greatly missed.
[2] https://reproducible-builds.org/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/
[4] https://lists.debian.org/debian-devel-announce/2015/02/msg00007.html
[5] https://diffoscope.org/
§
Introducing "reproduce.debian.net" [7]
--------------------------------------
In happier news, this month saw the introduction of
<https://reproduce.debian.net/>. Announced at the recent Debian
MiniDebConf in Toulouse [9], *reproduce.debian.net* is an instance of
rebuilderd [10] operated by the Reproducible Builds project.
rebuilderd is our server designed to monitor the official package
repositories of Linux distributions and attempt to reproduce the
observed results there.
In November, reproduce.debian.net began rebuilding Debian 'unstable'
on the amd64 architecture, but throughout the MiniDebConf, it had
attempted to rebuild 66% of the official archive. From this, it could
be determined that it is currently possible to bit-for-bit reproduce
and corroborate approximately 78% of the actual binaries distributed
by Debian — that is, using the .buildinfo files hosted by Debian
itself.
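As an added illustration (not code from rebuilderd or from the Reproducible Builds project), the following Python example shows the comparison that underlies such a figure: read the Checksums-Sha256 field of a .buildinfo file and check each rebuilt artifact against it bit-for-bit. The package name, versions and payloads are constructed sample data, the function names are hypothetical, and the .buildinfo is assumed to be unsigned or already signature-checked.

```python
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not a real Debian package): the bytes the archive
# published, and the bytes a rebuilder produced from the same source.
PUBLISHED = {
    "hello-rb_1.0-1_amd64.deb": b"binary payload, built with SOURCE_DATE_EPOCH\n",
    "hello-rb-doc_1.0-1_all.deb": b"docs generated 2024-11-16\n",
    "hello-rb-dbgsym_1.0-1_amd64.deb": b"debug symbols /build/hello-rb-1.0\n",
}
REBUILT = {
    # Identical bytes: this artifact reproduces.
    "hello-rb_1.0-1_amd64.deb": b"binary payload, built with SOURCE_DATE_EPOCH\n",
    # Same size, but an embedded date differs.
    "hello-rb-doc_1.0-1_all.deb": b"docs generated 2024-11-17\n",
    # A leaked build path changes the size as well.
    "hello-rb-dbgsym_1.0-1_amd64.deb": b"debug symbols /tmp/rebuild/hello-rb-1.0\n",
}


def make_sample_buildinfo(artifacts: dict) -> str:
    """Build a constructed .buildinfo (deb822 layout) describing `artifacts`."""
    checksum_lines = "".join(
        f" {sha256_hex(data)} {len(data)} {name}\n" for name, data in artifacts.items()
    )
    return (
        "Format: 1.0\n"
        "Source: hello-rb\n"
        "Binary: hello-rb hello-rb-doc hello-rb-dbgsym\n"
        "Architecture: all amd64\n"
        "Version: 1.0-1\n"
        "Checksums-Sha256:\n" + checksum_lines +
        "Build-Architecture: amd64\n"
        "Build-Date: Sat, 16 Nov 2024 10:00:00 +0000\n"
        "Installed-Build-Depends:\n"
        " base-files (= 13.5),\n"      # constructed versions
        " gcc-14 (= 14.2.0-8)\n"
    )


SAMPLE_BUILDINFO = make_sample_buildinfo(PUBLISHED)


def parse_deb822(text: str) -> dict:
    """Parse one deb822 paragraph into {field: [value lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # continuation of the previous field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not a deb822 field: {line!r}")
            current = name
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def expected_artifacts(buildinfo_text: str) -> dict:
    """Return {filename: (size, sha256)} from the Checksums-Sha256 field."""
    expected = {}
    for entry in parse_deb822(buildinfo_text).get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"malformed SHA-256 for {name}")
        expected[name] = (int(size), digest)
    if not expected:
        raise ValueError("no Checksums-Sha256 entries found")
    return expected


def compare_rebuild(buildinfo_text: str, rebuilt: dict) -> dict:
    """Classify every artifact named in the .buildinfo against the rebuild."""
    results = {}
    for name, (size, digest) in expected_artifacts(buildinfo_text).items():
        data = rebuilt.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif sha256_hex(data) != digest:
            results[name] = "hash mismatch"
        else:
            results[name] = "reproduced"
    return results


def reproduced_ratio(results: dict) -> float:
    return sum(status == "reproduced" for status in results.values()) / len(results)


if __name__ == "__main__":
    outcome = compare_rebuild(SAMPLE_BUILDINFO, REBUILT)
    for artifact, status in outcome.items():
        print(f"{status:14} {artifact}")
    print(f"reproduced: {reproduced_ratio(outcome):.0%}")
```

A mismatch reported here is the starting point for a byte-level comparison with a tool such as diffoscope [5].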
reproduce.debian.net [11] also contains instructions on how to set up
one's own rebuilderd [12] instance, and we very much invite everyone
with a machine to spare to set up their own version and to share the
results. Whilst rebuilderd is still in development, it has been used
to reproduce Arch Linux [13] since 2019. We are especially looking for
installations targeting Debian architectures other than i386 and
amd64.
[7] https://reproduce.debian.net
[9] https://toulouse2024.mini.debconf.org/
[10] https://github.com/kpcyrd/rebuilderd
[11] https://reproduce.debian.net
[12] https://github.com/kpcyrd/rebuilderd
[13] https://reproducible.archlinux.org/
§
New landing page design
-----------------------
As part of a very productive partnership with the Sovereign Tech Fund
[14] and Neighbourhoodie [15], we are pleased to unveil our new
homepage/landing page:
https://reproducible-builds.org/
We are so very happy with our collaboration with both STF and
Neighbourhoodie (including many changes not directly related to the
website), and look forward to working with them in the future.
[14] https://www.sovereign.tech/
[15] https://neighbourhood.ie/
§
SBOMs for Python packages
-------------------------
The Python Software Foundation [17] has announced [18] a new
"cross-functional project for SBOMs and Python packages". Seth Michael
Larson writes that the project is "specifically looking to solve these
issues":
> * Enable Python users that require SBOM documents (likely due to
> regulations like CRA [19] or SSDF [20]) to self-serve using
> existing SBOM generation tools.
> * Solve the "phantom dependency [21]" problem, where non-Python
> software is bundled in Python packages but not recorded in any
> metadata. This makes the job of software composition analysis
> (SCA) tools difficult or impossible.
> * Make the adoption work by relevant projects such as build
> backends, auditwheel-esque tools, as minimal as possible. Empower
> users who are interested in having better SBOM data for the Python
> projects they are using to be able to contribute engineering time
> towards that goal.
A GitHub repository [22] for the initiative is available, and there
are a number of queries, comments and remarks on Seth's Discourse
forum post [23].
[17] https://www.python.org/psf-landing/
[18] https://discuss.python.org/t/sboms-for-python-packages-project/70261
[19] https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[20] https://csrc.nist.gov/Projects/ssdf
[21] https://github.com/sethmlarson/sboms-for-python-packages?tab=readme-ov-file#phantom-dependencies
[22] https://github.com/sethmlarson/sboms-for-python-packages
[23] https://discuss.python.org/t/sboms-for-python-packages-project/70261/2
§
Debian updates
--------------
There was significant development within Debian [24] this month.
Firstly, at the recent MiniDebConf in Toulouse [25], France, Holger
Levsen gave a Debian-specific talk on rebuilding packages distributed
from ftp.debian.org [26] — that is to say, how to reproduce the results
from the official Debian build servers.
Holger described the talk as follows:
> For more than ten years, the Reproducible Builds project has worked
> towards reproducible builds of many projects, and for ten years now
> we have built Debian packages twice—with maximal variations
> applied—to see if they can be built reproducible still.
>
> Since about a month, we've also been rebuilding trying to exactly
> match the builds being distributed via ftp.debian.org. This talk
> will describe the setup and the lessons learned so far, and why the
> results currently are what they are (spoiler: they are less than 30%
> reproducible), and what we can do to fix that.
The Debian Project Leader, Andreas Tille, was present at the talk and
remarked later in his "Bits from the DPL" [27] update that:
> It might be unfair to single out a specific talk from Toulouse, but
> I'd like to highlight the one on reproducible builds. Beyond its
> technical focus, the talk also addressed the recent loss of Lunar,
> whom we mourn deeply. It served as a tribute to Lunar's
> contributions and legacy. Personally, I've encountered packages
> maintained by Lunar and bugs he had filed. I believe that taking
> over his packages and addressing the bugs he reported is a
> meaningful way to honor his memory and acknowledge the value of his work.
Holger's slides [28] and video [29] in .webm format are available.
Next, rebuilderd [30] is the server to monitor package repositories of
Linux distributions and attempt to reproduce the observed results. This
month, version 0.21.0 [31] was released, most notably with improved
support for binNMUs [32] by Jochen Sprickerhof and updating the
rebuilderd-debian.sh integration to the latest debrebuild version [33]
by Holger Levsen. There has also been significant work to get the
rebuilderd package into the Debian archive; in particular, both
rust-rebuilderd-common [34] version 0.20.0-1 and rust-rust-lzma [35]
version 0.6.0-1 were packaged by kpcyrd and uploaded by Holger Levsen.
Related to this, Holger Levsen submitted three additional issues against
rebuilderd as well:
* rebuildctl should be more verbose when encountering issues. [36]
* Please add an option to use randomised queues. [37]
* Scheduling and re-scheduling multiple packages at once. [38]
… and lastly, Jochen Sprickerhof submitted an issue requesting that
rebuilderd download the source package in addition to the .buildinfo
file [39], and kpcyrd also submitted and fixed an issue surrounding
dependencies and clarifying the license. [40]
Separate to this, back in 2018, Chris Lamb filed a bug report against
the sphinx-gallery package [41] as it generates unreproducible content
in various ways. This month, however, Dmitry Shachnev finally closed the
bug, listing the multiple sub-issues that were part of the problem [42]
and how they were resolved.
Elsewhere, Roland Clobus posted to our mailing list [43] this month,
asking for input on a bug [44] in Debian's ca-certificates-java package.
The issue is that the Java key management tools embed timestamps in their
output, and this output ends up in the /etc/ssl/certs/java/cacerts file
on the generated ISO images. A discussion resulted from Roland's post
[45] suggesting some short- and medium-term solutions to the problem.
Holger Levsen uploaded some packages with reproducibility-related
changes:
* devscripts versions 2.24.3 [46], 2.24.4 [47] and 2.24.5 [48] were
uploaded, including several fixes for the debrebuild and debootsnap
scripts.
* cdbs version 0.4.167 was uploaded [49] in order to drop dh_buildinfo
support [50], as dpkg has generated .buildinfo files since 2016 and
the results of dh_buildinfo are typically unreproducible. Related to
this is a mass bug filing by Helmut Grohne intended to remove the
obsolete and deprecated dh-buildinfo package from the archive [51].
At the time of writing, this still affects 311 packages in
Debian unstable.
Lastly, 12 reviews of Debian packages were added, 5 were updated and 21
were removed this month, adding to our knowledge about identified issues
in Debian [52].
[24] https://debian.org
[25] https://toulouse2024.mini.debconf.org/
[26] https://toulouse2024.mini.debconf.org/talks/4-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg/
[27] https://bits.debian.org/2024/12/bits-from-the-dpl-december.html
[28] https://reproducible-builds.org/_lfs/presentations/2024-11-16-R-B-rebuilding-what-is-distributed-from-ftp.debian.org/
[29] https://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Toulouse/toulouse2024-2-reproducible-builds-rebuilding-what-is-distributed-from-ftpdebianorg.webm
[30] https://github.com/kpcyrd/rebuilderd
[31] https://github.com/kpcyrd/rebuilderd/releases/tag/v0.21.0
[32] https://github.com/kpcyrd/rebuilderd/pull/147
[33] https://github.com/kpcyrd/rebuilderd/issues/151
[34] https://tracker.debian.org/rust-rebuilderd-common
[35] https://tracker.debian.org/rust-rust-lzma
[36] https://github.com/kpcyrd/rebuilderd/issues/155
[37] https://github.com/kpcyrd/rebuilderd/issues/152
[38] https://github.com/kpcyrd/rebuilderd/issues/150
[39] https://github.com/kpcyrd/rebuilderd/issues/154
[40] https://github.com/kpcyrd/rebuilderd/issues/153
[41] https://bugs.debian.org/901307
[42] https://bugs.debian.org/901307#59
[43] https://lists.reproducible-builds.org/listinfo/rb-general/
[44] https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003571.html
[45] https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/thread.html#3571
[46] https://tracker.debian.org/news/1584660/accepted-devscripts-2243-source-into-unstable/
[47] https://tracker.debian.org/news/1587480/accepted-devscripts-2244-source-into-unstable/
[48] https://tracker.debian.org/news/1588953/accepted-devscripts-2245-source-into-unstable/
[49] https://tracker.debian.org/news/1587868/accepted-cdbs-04167-source-into-unstable/
[50] https://bugs.debian.org/1088144
[51] https://bugs.debian.org/1068809
[52] https://tests.reproducible-builds.org/debian/index_issues.html
§
Reproducible builds by default in Maven 4 [53]
----------------------------------------------
On our mailing list [54] this month, Hervé Boutemy reported the latest
release of Maven (4.0.0-beta-5) has reproducible builds enabled by
default [55]. In his mailing list post [56], Hervé mentions that "this
story started during our Reproducible Builds summit in Hamburg [57]",
where he created the upstream issue [58] that builds on a "multi-year"
effort to have Maven builds configured for reproducibility.
[53] https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html
[54] https://lists.reproducible-builds.org/listinfo/rb-general/
[55] https://issues.apache.org/jira/browse/MNG-8258
[56] https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003565.html
[57] https://reproducible-builds.org/events/hamburg2024/
[58] https://issues.apache.org/jira/browse/MNG-8258
§
PyPI now supports digital attestations
--------------------------------------
Elsewhere in the Python ecosystem and as reported on LWN [59] and
elsewhere, the Python Package Index [60] (PyPI) has announced [61] that
it has finalised support for PEP 740 [62] ("Index support for
digital attestations").
Trail of Bits [63], who performed much of the development work, has an
in-depth blog post [64] about the work and its adoption, as well as what
is left undone:
> One thing is notably missing from all of this work: downstream
> verification. […]
>
> This isn't an acceptable end state (cryptographic attestations have
> defensive properties only insofar as they're *actually verified*),
> so we're looking into ways to bring verification to individual
> installing clients. In particular, we're currently working on a
> plugin architecture for pip [65] that will enable users to load
> verification logic [66] directly into their pip install flows.
There was an in-depth discussion on LWN's announcement page [67], as
well as on Hacker News [68].
[59] https://lwn.net/Articles/998215/
[60] https://pypi.org/
[61] https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/
[62] https://peps.python.org/pep-0740/
[63] https://www.trailofbits.com/
[64] https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
[65] https://github.com/pypa/pip/issues/12766
[66] https://github.com/trailofbits/pip-plugin-pep740
[67] https://lwn.net/Articles/998215/
[68] https://news.ycombinator.com/item?id=42136375
§
"Dependency Challenges in OSS Package Registries [69]"
------------------------------------------------------
At BENEVOL [70], the Belgium-Netherlands Software Evolution workshop in
Namur, Belgium, Tom Mens and Alexandre Decan presented their paper, "An
Overview and Catalogue of Dependency Challenges in Open Source Software
Package Registries [71]".
The abstract of their paper is as follows:
> While open-source software has enabled significant levels of reuse
> to speed up software development, it has also given rise to the
> dreadful dependency hell [72] that all software practitioners face
> on a regular basis. This article provides a catalogue of
> dependency-related challenges that come with relying on OSS packages
> or libraries. The catalogue is based on the scientific literature on
> empirical research that has been conducted to understand, quantify
> and overcome these challenges. [73]
A PDF of the paper [74] is available online.
[69] https://arxiv.org/abs/2409.18884
[70] https://benevol2024.github.io/
[71] https://arxiv.org/abs/2409.18884
[72] https://en.wikipedia.org/wiki/Dependency_hell
[73] https://arxiv.org/abs/2409.18884
[74] https://arxiv.org/pdf/2409.18884
§
Zig programming language demonstrated reproducible
--------------------------------------------------
Motiejus Jakštys posted an interesting and practical blog post [75] on
his successful attempt to reproduce the Zig programming language [76]
without using the pre-compiled binaries checked into the repository
[77], and despite the circular dependency inherent in its
bootstrapping process.
As a summary, Motiejus concludes that:
> I can now confidently say (and you can also check, you don’t need to
> trust me) that there is nothing hiding in zig1.wasm [the checked-in
> binary] that hasn't been checked-in as a source file.
The post is full of practical details, and includes a few open
questions [78].
[75] https://jakstys.lt/2024/zig-reproduced-without-binaries/
[76] https://ziglang.org/
[77] https://github.com/ziglang/zig/blob/0.13.0/stage1/zig1.wasm
[78] https://jakstys.lt/2024/zig-reproduced-without-binaries/#conclusions-and-open-questions
§
Website updates
---------------
Notwithstanding the significant change to the landing page (mentioned
above), there were an enormous number of changes made to our website
this month. This included:
* Alex Feyerke and Mariano Giménez:
* Dramatically overhaul the website's landing page [79] with new
"benefit" cards tailored to the expected visitors to our website
and a reworking of the visual hierarchy and
design. [80][81][82][83][84][85][86][87][88][89]
[79] https://reproducible-builds.org/
[80] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9678ab2d
[81] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/02cf3048
[82] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c3a62234
[83] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2ff18799
[84] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f4fa3475
[85] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2af4d245
[86] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fb1cb173
[87] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/22598fe6
[88] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/05d7e49b
[89] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ae9adbe
* Bernhard M. Wiedemann:
* Update the "System images [90]" page to document the e2fsprogs
approach. [91]
[90] https://reproducible-builds.org/docs/system-images/
[91] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2351df56
* Chris Lamb:
* Cachebust every CSS file per-release. [92]
* Replace some inline markdown with HTML. [93]
* Use spaces on the "Publications [94]" page. [95]
* Add a news article about the passing of Lunar
[96]. [97][98][99][100]
* Add a black memorial band to the top of the page. [101]
[92] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0c422b97
[93] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/73c4a2e0
[94] https://reproducible-builds.org/docs/publications/
[95] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8409fe10
[96] https://reproducible-builds.org/news/2024/11/14/reproducible-builds-mourns-the-passing-of-lunar/
[97] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9c281efc
[98] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/64760bfb
[99] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/8cc1d5f6
[100] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dcf87a43
[101] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ba8d1c99
* FC (Fay) Stegerman:
* Replace more inline markdown with HTML on the "Success stories
[102]" page. [103]
* Add some links, fix some other links and correct some spelling
errors on the "Tools [104]" page. [105]
[102] https://reproducible-builds.org/success-stories/
[103] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2bdd804a
[104] https://reproducible-builds.org/tools/
[105] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5b33e71c
* Holger Levsen:
* Add a historical presentation ("Reproducible builds everywhere
eg. in Debian, OpenWrt and LEDE") from October 2016. [106]
* Add jochensp and Oejet to the list of known
contributors. [107][108]
[106] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ba24171
[107] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e1fb63e5
[108] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1a6cb1b3
* Julia Krüger:
* Add a new "Stripping of unreproducible information [109]" page to
the documentation. [110]
[109] https://reproducible-builds.org/docs/stripping-unreproducible-information/
[110] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/452f4dd1
* Ninette Adhikari & hulkoba:
* Add/rework the list of success stories into a new page [111] that
clearly shows milestones in Reproducible
Builds. [112][113][114][115][116][117]
[111] https://reproducible-builds.org/success-stories/
[112] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dfde9f40
[113] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f3c3820b
[114] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dd2af698
[115] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/dd87423a
[116] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d260a21b
[117] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f52f352f
* Philip Rinn:
* Import 47 historical weekly reports. [118]
[118] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/94e38848
* 'hulkoba'
* Add alt text to almost all images (!). [119][120]
* Fix a number of links on the "Talks [121]" page. [122][123]
* Avoid so-called 'ghost' buttons by not using <button> elements as
links, as the affordance of a <button> implies an action with
(potentially) a side effect. [124][125]
* Center the sponsor logos on the homepage [126]. [127]
* Move publications and generate them instead from a data.yml file
with an improved layout. [128][129]
* Make a large number of small but impactful stylistic
changes. [130][131][132][133]
* Expand the "Tools [134]" page to include a number of missing tools,
fix some styling issues and fix a number of stale/broken
links. [135][136][137][138][139][140]
[119] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ed1e0592
[120] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/33b31ecc
[121] https://reproducible-builds.org/docs/resources/
[122] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/234e4a44
[123] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/db0dfe45
[124] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/1189c219
[125] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bbb5528d
[126] https://reproducible-builds.org/
[127] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/3c24a612
[128] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/806381da
[129] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6cb170a2
[130] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/261b1ffa
[131] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c5f9f7e7
[132] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c02c15e0
[133] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5722bf65
[134] https://reproducible-builds.org/tools/
[135] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/4aeeeb8e
[136] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/23d5a30b
[137] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0fdcb24
[138] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/422486ef
[139] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c06d452d
[140] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/845fe625
§
Upstream patches
----------------
The Reproducible Builds project detects, dissects and attempts to fix as
many currently-unreproducible packages as possible. We endeavour to send
all of our patches upstream where appropriate. This month, we wrote a
large number of such patches, including:
* Bernhard M. Wiedemann:
* clisp [141] (fix contributed by Bruno Haible)
* conky [142] (date-related issue)
* emacs-auctex [143] (date-related gzip issue)
* javadoc [144] (filesystem ordering issue)
* jboss-websocket-1.0-api [145] (embeds uname -r)
* lcms2 [146] (CPU issue)
* LiE [147] (ASLR [148]-related issue)
* make_ext4fs [149] (toolchain-related issue for VM images)
* obs-build [150] (issue when running builds with certain CPU types
or core numbers)
* perl-Time-modules [151] (fails to build far in the future)
* python-bson [152] (fails to build far in the future)
* python-exiv2 [153] (fails to build far in the future)
* python-moto [154] (date-related gzip issue)
* python-pyhanko-certvalidator [155] (fails to build far in
the future)
* python-python-gvm [156] (concurrency-related issue)
* python310 [157] (fails to build far in the future)
* python313 [158] (fails to build far in the future)
* reproducible-faketools [159] (toolchain for emacs)
* shadowsocks-rust [160] (date-related issue)
* swipl [161] (fails to build far in the future)
[141] https://sourceforge.net/p/clisp/feature-requests/59/
[142] https://github.com/brndnmtthws/conky/pull/2096
[143] https://build.opensuse.org/request/show/1225609
[144] https://bugzilla.opensuse.org/show_bug.cgi?id=1233384
[145] https://bugzilla.opensuse.org/show_bug.cgi?id=1233352
[146] https://github.com/mm2/Little-CMS/issues/465
[147] https://build.opensuse.org/request/show/1225975
[148] https://en.wikipedia.org/wiki/Address_space_layout_randomization
[149] https://build.opensuse.org/request/show/1225978
[150] https://github.com/openSUSE/obs-build/pull/1037
[151] https://build.opensuse.org/request/show/1224308
[152] https://build.opensuse.org/request/show/1224307
[153] https://github.com/jim-easterbrook/python-exiv2/issues/44
[154] https://build.opensuse.org/request/show/1221758
[155] https://build.opensuse.org/request/show/1223844
[156] https://bugzilla.opensuse.org/show_bug.cgi?id=1233398
[157] https://bugzilla.opensuse.org/show_bug.cgi?id=1232750
[158] https://bugzilla.opensuse.org/show_bug.cgi?id=1232920
[159] https://build.opensuse.org/request/show/1225622
[160] https://build.opensuse.org/request/show/1223845
[161] https://github.com/SWI-Prolog/swipl/pull/32
* Chris Lamb:
* #1087330 [162] filed against python-pydash [163].
* #1087485 [164] filed against fritzconnection [165].
* #1087486 [166] filed against tracy [167].
* #1088238 [168] filed against rust-broot [169].
* #1088353 [170] filed against python-aiovlc [171].
* #1088742 [172] filed against python-aiohomekit [173].
[162] https://bugs.debian.org/1087330
[163] https://tracker.debian.org/pkg/python-pydash
[164] https://bugs.debian.org/1087485
[165] https://tracker.debian.org/pkg/fritzconnection
[166] https://bugs.debian.org/1087486
[167] https://tracker.debian.org/pkg/tracy
[168] https://bugs.debian.org/1088238
[169] https://tracker.debian.org/pkg/rust-broot
[170] https://bugs.debian.org/1088353
[171] https://tracker.debian.org/pkg/python-aiovlc
[172] https://bugs.debian.org/1088742
[173] https://tracker.debian.org/pkg/python-aiohomekit
* James Addison:
* #1088144 [174] filed against cdbs [175].
[174] https://bugs.debian.org/1088144
[175] https://tracker.debian.org/pkg/cdbs
§
Misc development news
---------------------
* Bernhard M. Wiedemann published another report [176] for the
openSUSE distribution.
[176] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KPKVE3L3MDNIMCLN5DE255UKICSHB7IB/
* Martin Abente Lahaye updated diffoscope [177] to fix a crash when
objdump is missing. [178]
[177] https://diffoscope.org
[178] https://salsa.debian.org/reproducible-builds/diffoscope/commit/534fc2aa
* On our mailing list, Jan-Benedict Glaw announced [179] the
publication of the fifth NetBSD Reproducibility Report. [180]
[179] https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003576.html
[180] http://toolchain.lug-owl.de/reports/netbsd-reproducibility-overview-5.html
§
Reproducibility testing framework
---------------------------------
The Reproducible Builds project operates a comprehensive testing
framework running primarily at https://tests.reproducible-builds.org in
order to check packages and other artifacts for reproducibility. In
November, a number of changes were made by Holger Levsen, including:
* https://reproduce.debian.net-related changes:
* Create and introduce a new reproduce.debian.net service
and subdomain [184]
* Make a large number of documentation changes relevant to
rebuilderd. [185][186][187][188][189]
* Explain a temporary workaround for a specific issue in rebuilderd
[190]. [191]
* Set up another rebuilderd instance on the o4 node and update
installation documentation to match. [192][193]
* Make a number of helpful/cosmetic changes to the interface, such
as clarifying terms and adding links. [194][195][196][197][198]
* Deploy configuration to the /opt and /var directories. [199][200]
* Add an infancy (or 'alpha') disclaimer. [201][202]
* Add more notes to the temporary rebuilderd documentation. [203]
* Commit an nginx [204] configuration file for
reproduce.debian.net's "Stats" [206] page. [207]
* Commit a rebuilder-worker.conf configuration for the o5
node. [208]
[184] https://salsa.debian.org/qa/jenkins.debian.net/commit/db9f344b5
[185] https://salsa.debian.org/qa/jenkins.debian.net/commit/4860d6639
[186] https://salsa.debian.org/qa/jenkins.debian.net/commit/415e2c4e2
[187] https://salsa.debian.org/qa/jenkins.debian.net/commit/3c9ed32ba
[188] https://salsa.debian.org/qa/jenkins.debian.net/commit/1956909a0
[189] https://salsa.debian.org/qa/jenkins.debian.net/commit/183c1f58b
[190] https://github.com/kpcyrd/rebuilderd/issues/152
[191] https://salsa.debian.org/qa/jenkins.debian.net/commit/de2960ef9
[192] https://salsa.debian.org/qa/jenkins.debian.net/commit/5bfdbaa33
[193] https://salsa.debian.org/qa/jenkins.debian.net/commit/3ccd0edb7
[194] https://salsa.debian.org/qa/jenkins.debian.net/commit/f7eaedea9
[195] https://salsa.debian.org/qa/jenkins.debian.net/commit/ff770822b
[196] https://salsa.debian.org/qa/jenkins.debian.net/commit/598e9b753
[197] https://salsa.debian.org/qa/jenkins.debian.net/commit/8a3d5b093
[198] https://salsa.debian.org/qa/jenkins.debian.net/commit/9bdb3d724
[199] https://salsa.debian.org/qa/jenkins.debian.net/commit/bfd9dd073
[200] https://salsa.debian.org/qa/jenkins.debian.net/commit/5c592224b
[201] https://salsa.debian.org/qa/jenkins.debian.net/commit/1b92fe1a0
[202] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ceedce38
[203] https://salsa.debian.org/qa/jenkins.debian.net/commit/f1c51eecf
[204] https://nginx.org/
[206] https://reproduce.debian.net/stats/
[207] https://salsa.debian.org/qa/jenkins.debian.net/commit/e3183f093
[208] https://salsa.debian.org/qa/jenkins.debian.net/commit/0e1c87a07
* Debian-related changes:
* Grant jspricke and jochensp access to the o5 node. [209][210]
* Build the qemu package with the nocheck build flag. [211]
[209] https://salsa.debian.org/qa/jenkins.debian.net/commit/4db56f46a
[210] https://salsa.debian.org/qa/jenkins.debian.net/commit/3d4c9e811
[211] https://salsa.debian.org/qa/jenkins.debian.net/commit/cadc58f40
* Misc changes:
* Adapt the update_jdn.sh script for new Debian 'trixie'
systems. [212]
* Stop installing the PostgreSQL [213] database engine on the o4
and o5 nodes. [214]
* Prevent accidental reboots of the o4 node because of a
long-running job owned by josch. [215][216]
[212] https://salsa.debian.org/qa/jenkins.debian.net/commit/9eca0f1f9
[213] https://www.postgresql.org/
[214] https://salsa.debian.org/qa/jenkins.debian.net/commit/3ab8c5c04
[215] https://salsa.debian.org/qa/jenkins.debian.net/commit/d44b4ed73
[216] https://salsa.debian.org/qa/jenkins.debian.net/commit/957914bdc
In addition, Mattia Rizzolo addressed a number of issues with
reproduce.debian.net [218][219][220][221]. And lastly, both
Holger Levsen [222][223][224][225] and Vagrant Cascadian
[226][227][228][229] performed node maintenance.
[218] https://salsa.debian.org/qa/jenkins.debian.net/commit/b1da67cca
[219] https://salsa.debian.org/qa/jenkins.debian.net/commit/998bf3cc9
[220] https://salsa.debian.org/qa/jenkins.debian.net/commit/95c5bb9d0
[221] https://salsa.debian.org/qa/jenkins.debian.net/commit/3390622f0
[222] https://salsa.debian.org/qa/jenkins.debian.net/commit/5df3bd8ee
[223] https://salsa.debian.org/qa/jenkins.debian.net/commit/f3083d2cf
[224] https://salsa.debian.org/qa/jenkins.debian.net/commit/f0ee4a697
[225] https://salsa.debian.org/qa/jenkins.debian.net/commit/0ae51eb54
[226] https://salsa.debian.org/qa/jenkins.debian.net/commit/4e0812df6
[227] https://salsa.debian.org/qa/jenkins.debian.net/commit/edb43bc85
[228] https://salsa.debian.org/qa/jenkins.debian.net/commit/32c7a74d1
[229] https://salsa.debian.org/qa/jenkins.debian.net/commit/54aa3b389
§
If you are interested in contributing to the Reproducible Builds
project, please visit the "Contribute" [230] page on our website.
However, you can get in touch with us via:
* IRC: #reproducible-builds on irc.oftc.net.
* Mastodon: @reproducible_builds at fosstodon.org [231]
* Mailing list: rb-general at lists.reproducible-builds.org [232]
* Twitter/X: @ReproBuilds [233]
[230] https://reproducible-builds.org/contribute/
[231] https://fosstodon.org/@reproducible_builds
[232] https://lists.reproducible-builds.org/listinfo/rb-general
[233] https://twitter.com/ReproBuilds
--
o
⬋ ⬊
o o reproducible-builds.org 💠
⬊ ⬋
o