Reproducible Builds in June 2024

Chris Lamb chris at reproducible-builds.org
Fri Jul 12 12:47:55 UTC 2024


--------------------------------------------------------------------
        o
      ⬋   ⬊      June 2024 in Reproducible Builds
     o     o
      ⬊   ⬋      https://reproducible-builds.org/reports/2024-06/
        o
--------------------------------------------------------------------


Welcome to the June 2024 report from the Reproducible Builds [0] project.
In these reports, we try to outline what we have been up to over the
past month and highlight news items in software supply-chain security
more broadly.

As ever, if you are interested in contributing to the project, please
visit our "Contribute" [1] page on our website.

 [0] https://reproducible-builds.org
 [1] https://reproducible-builds.org/contribute/

                                    §


TABLE OF CONTENTS

 * Next Reproducible Builds Summit dates announced
 * GNU Guix patch review session for reproducibility
 * New reproducibility-related academic papers
 * Development news
 * Website updates
 * Reproducibility testing framework


                                    §


Next Reproducible Builds Summit dates announced
-----------------------------------------------

We are very pleased to announce the upcoming Reproducible Builds
Summit [2], set to take place from September 17th — 19th 2024 in
Hamburg, Germany.

We are thrilled to host the seventh edition of this exciting event,
following the success of previous summits in various iconic locations
around the world, including Venice, Marrakesh, Paris, Berlin and Athens.
Our summits are a unique gathering that brings together attendees from
diverse projects, united by a shared vision of advancing the
Reproducible Builds effort. During this enriching event, participants
will have the opportunity to engage in discussions, establish
connections and exchange ideas to drive progress in this vital field.
Our aim is to create an inclusive space that fosters collaboration,
innovation and problem-solving.

If you're interested in joining us this year, please make sure to read
the event page [2], which has more details about the event and location.
We are very much looking forward to seeing many readers of these
reports there.

 [2] https://reproducible-builds.org/events/hamburg2024/


                                    §


GNU Guix patch review session for reproducibility
-------------------------------------------------

Vagrant Cascadian will be holding a Reproducible Builds session [6] as
part of the monthly Guix patch review [5] series on July 11th at 17:00
UTC.

These online events are intended to encourage everyone to become a patch
reviewer. The goal of reviewing patches is to help the Guix project
accept contributions while maintaining its quality standards, and to
learn how to do patch reviews together in a friendly hacking session.

 [5] https://libreplanet.org/wiki/Group:Guix/PatchReviewSessions2024
 [6] https://www.meetup.com/guix-london/events/300819830/

                                    §


New reproducibility-related academic papers
-------------------------------------------

Multiple scholarly papers related to Reproducible Builds were published
this month:

1. "An Industry Interview Study of Software Signing for Supply Chain
Security" [8] was published by Kelechi G. Kalu, Tanmay Singla, Chinenye
Okafor, Santiago Torres-Arias and James C. Davis of Electrical and
Computer Engineering department of Purdue University [9], Indiana, USA,
and is concerned with:

> To understand software signing in practice, we interviewed 18 high-
> ranking industry practitioners across 13 organizations. We provide
> possible impacts of experienced software supply chain failures,
> security standards, and regulations on software signing adoption. We
> also study the challenges that affect an effective software signing
> implementation.

 [8] https://arxiv.org/abs/2406.08198
 [9] https://www.purdue.edu/

2. "DiVerify: Diversifying Identity Verification in Next-Generation
Software Signing" [10] was written by Chinenye L. Okafor, James C. Davis
and Santiago Torres-Arias (also of Purdue University [11]) and is
interested in:

> Code signing enables software developers to digitally sign their code
> using cryptographic keys, thereby associating the code to their
> identity. This allows users to verify the authenticity and integrity of
> the software, ensuring it has not been tampered with. Next-generation
> software signing such as Sigstore and OpenPubKey simplify code signing
> by providing streamlined mechanisms to verify and link signer identities
> to the public key. However, their designs have vulnerabilities: reliance
> on an identity provider introduces a single point of failure, and the
> failure to follow the principle of least privilege on the client side
> increases security risks. We introduce Diverse Identity Verification
> (DiVerify) scheme, which strengthens the security guarantees of next-
> generation software signing by leveraging threshold identity validations
> and scope mechanisms.

 [10] https://arxiv.org/abs/2406.15596
 [11] https://www.purdue.edu/

3. Felix Lagnöhed published their thesis on the "Integration of
Reproducibility Verification with Diffoscope in GNU Make" [12]. This
work, amongst some other results:

> […] resulted in an extension of GNU make which is called rmake, where
> diffoscope — a tool for detecting differences between a large number
> of file types — was integrated into the workflow of make. rmake was
> later used to answer the posed research questions for this thesis. We
> found that different build paths and offsets are a big problem as three
> out of three tested Free and Open Source Software projects all contained
> these variations. The results also showed that gcc’s optimisation levels
> did not affect reproducibility, but link-time optimisation embeds a lot
> of unreproducible information in build artefacts. Lastly, the results
> showed that build paths, build ID’s and randomness are the three most
> common groups of variations encountered in the wild and potential
> solutions for some variations were proposed.

 [12] https://www.diva-portal.org/smash/get/diva2:1877032/FULLTEXT01.pdf

4. Lastly, Pol Dellaiera [13] completed his master thesis on
Reproducibility in Software Engineering [14] at the University of Mons
[15], Belgium, under the supervision of Dr. Tom Mens [16], professor and
director of the Software Engineering Lab [17].

> The thesis serves as an introduction to the concept of
> reproducibility in software engineering, offering a comprehensive
> overview of formalizations using mathematical notations for key
> concepts and an empirical evaluation of several key tools. By
> exploring various case studies, methodologies and tools, the
> research aims to provide actionable insights for practitioners and
> researchers alike.

 [13] https://orcid.org/0009-0008-7972-7160
 [14] https://doi.org/10.5281/zenodo.12666899
 [15] https://web.umons.ac.be/
 [16] https://orcid.org/0000-0003-3636-5020
 [17] https://informatique-umons.be/genlog/


                                    §


Development news
----------------

In Debian this month, 4 reviews of Debian packages were added, 11 were
updated and 14 were removed, adding to our knowledge about identified
issues [18]. Only one issue type was updated, though, to explain that we
don't vary the build path anymore [19].

 [18] https://tests.reproducible-builds.org/debian/index_issues.html
 [19] https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c0afe1cb

On our mailing list [20] this month, Bernhard M. Wiedemann wrote [21]
that, whilst he had previously collected issues that introduce
non-determinism [22], he has now moved on to discussing "mitigations",
in the sense of how we can avoid whole categories of problem "without
patching an infinite number of individual packages". In addition,
Janneke Nieuwenhuizen announced the release of two versions of GNU
Mes. [23][24]

 [20] https://lists.reproducible-builds.org/listinfo/rb-general/
 [21] https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003436.html
 [22] https://github.com/bmwiedemann/theunreproduciblepackage/
 [23] https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003426.html
 [24] https://lists.reproducible-builds.org/pipermail/rb-general/2024-June/003441.html
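Two of the points above, the rmake thesis finding that build paths and
timestamps/randomness are the commonest variations "in the wild", and
Bernhard's argument for mitigating whole categories rather than patching
packages one at a time, can be made concrete with a small experiment. The
following is an added example and not code from the project, the thesis
or Bernhard's post: it builds a constructed source tree twice in two
differently named temporary directories, once naively and once with the
category-level mitigations (SOURCE_DATE_EPOCH for every timestamp,
sorted archive member order, normalised ownership, and a path prefix map
in the spirit of gcc's -ffile-prefix-map), then compares the two
archives. The sample sources and the fallback epoch value are
placeholders chosen for the example; build IDs are not modelled.

```python
"""Build a constructed source tree twice in different directories, naively
and with category-level mitigations, and compare the resulting archives.

Added example; not code from the Reproducible Builds project.  The prefix
map mimics gcc's -ffile-prefix-map=OLD=NEW and the timestamp handling
follows the SOURCE_DATE_EPOCH convention.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time

# Constructed sample project (placeholder content, not a real package).
SOURCES = {
    "main.c": '#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "util.c": "int helper(void) { return 42; }\n",
    "README": "demo project\n",
}

# Placeholder fallback; a real build takes this from the environment only.
DEFAULT_SOURCE_DATE_EPOCH = int(os.environ.get("SOURCE_DATE_EPOCH", "1718409600"))


def write_tree(root):
    for name, body in SOURCES.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


def generate_version_file(root, build_time, prefix_map=None):
    """Stand-in for a generated source embedding __FILE__/__DATE__-style
    values.  prefix_map=(old, new) rewrites the path like -ffile-prefix-map."""
    path = os.path.join(root, "main.c")
    if prefix_map is not None:
        old, new = prefix_map
        if path.startswith(old):
            path = new + path[len(old):]
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(build_time))
    return 'const char *built_from = "%s";\nconst char *built_at = "%s";\n' % (path, stamp)


def build(root, mitigated, source_date_epoch=DEFAULT_SOURCE_DATE_EPOCH):
    """Return a tar archive of the tree.
    Naive: wall-clock time, directory-listing order, real mtimes/uid/gid,
    absolute build path embedded in the generated file.
    Mitigated: SOURCE_DATE_EPOCH for every timestamp, sorted member order,
    uid/gid/uname/gname normalised, build path prefix-mapped to '.'."""
    build_time = int(source_date_epoch) if mitigated else int(time.time())
    prefix_map = (root, ".") if mitigated else None
    with open(os.path.join(root, "version.c"), "w") as fh:
        fh.write(generate_version_file(root, build_time, prefix_map))

    names = os.listdir(root)
    if mitigated:
        names = sorted(names)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            path = os.path.join(root, name)
            info = tar.gettarinfo(path, arcname=name)
            if mitigated:
                info.mtime = build_time
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def rebuild_twice(mitigated):
    """Build the same sources in two fresh, differently named directories."""
    archives = []
    for _ in range(2):
        with tempfile.TemporaryDirectory() as root:
            write_tree(root)
            archives.append(build(root, mitigated))
    return tuple(archives)


def header_diff(tar_a, tar_b):
    """Crude diffoscope-style report: (member, field) pairs that differ."""
    fields = ("mtime", "uid", "gid", "uname", "gname", "mode", "size")
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_a)) as ta, \
            tarfile.open(fileobj=io.BytesIO(tar_b)) as tb:
        ma = {m.name: (m, ta.extractfile(m).read()) for m in ta.getmembers()}
        mb = {m.name: (m, tb.extractfile(m).read()) for m in tb.getmembers()}
        if list(ma) != list(mb):
            out.append(("<archive>", "member order"))
        for name in sorted(set(ma) | set(mb)):
            if name not in ma or name not in mb:
                out.append((name, "missing"))
                continue
            (ia, ca), (ib, cb) = ma[name], mb[name]
            out.extend((name, f) for f in fields if getattr(ia, f) != getattr(ib, f))
            if ca != cb:
                out.append((name, "content"))
    return out


if __name__ == "__main__":
    for mitigated in (False, True):
        a, b = rebuild_twice(mitigated)
        label = "mitigated" if mitigated else "naive"
        print(label, "identical:", sha256(a) == sha256(b), header_diff(a, b))
```

Because the two builds always run from differently named directories, the
naive pair is guaranteed to differ in the content of version.c (the
embedded absolute path), with timestamp and ownership fields differing
depending on the machine and the clock; the mitigated pair hashes
identically. The same normalisations applied once at the archiver or
compiler level, rather than in each package's build script, are what
"mitigating a whole category" means in practice, and header_diff is only
a toy version of the per-format comparison that diffoscope performs.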

In openSUSE news, Bernhard M. Wiedemann published another report [25]
for that distribution.

 [25] https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/CDIFFRNRSCI5BBXW7QSQSZVKE45YFTTH/

In NixOS, with the 24.05 release out, it was again validated that our
minimal ISO is reproducible [26] by building it on a virtual machine
with no access to the binary cache.

 [26] https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756/9

What's more, we continued to write patches in order to fix specific
reproducibility issues, including Bernhard M. Wiedemann writing three
patches (for qutebrowser [27], samba [28] and systemd [29]), Chris Lamb
filing Debian bug #1074214 [30] against the fastfetch [31] package and
Arnout Engelen proposing fixes to refind [32] and for the Scala
compiler [33].

 [27] https://github.com/qutebrowser/qutebrowser/pull/8233
 [28] https://bugzilla.opensuse.org/show_bug.cgi?id=1225754
 [29] https://bugzilla.opensuse.org/show_bug.cgi?id=1226200
 [30] https://bugs.debian.org/1074214
 [31] https://tracker.debian.org/pkg/fastfetch
 [32] https://sourceforge.net/p/refind/code/merge-requests/53/
 [33] https://github.com/scala/scala3/pull/20593

Lastly, diffoscope [34] is our in-depth and content-aware diff utility
that can locate and diagnose reproducibility issues. This month, Chris
Lamb uploaded two versions (270 and 271) to Debian, and made the
following changes as well:

* Drop Build-Depends on liblz4-tool in order to fix Debian bug #1072575
  [35]. [36]
* Update tests to support zipdetails version 4.004 that is shipped with
  Perl 5.40. [37]

 [34] https://diffoscope.org
 [35] https://bugs.debian.org/1072575
 [36] https://salsa.debian.org/reproducible-builds/diffoscope/commit/6a71d08a
 [37] https://salsa.debian.org/reproducible-builds/diffoscope/commit/9c0ce92f

                                    §


Website updates
---------------

There were a number of improvements made to our website this month,
including Akihiro Suda very helpfully making the <h4> elements more
distinguishable from the <h3> level [38][39] as well as adding a guide
for Dockerfile reproducibility [40].

 [38] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0a4adc9b
 [39] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/81e91a45
 [40] https://salsa.debian.org/reproducible-builds/reproducible-website/commit/461ab1eb

In addition Fay Stegerman added two tools, apksigcopier [41] and
reproducible-apk-tools [42], to our Tools [43] page.

 [41] https://github.com/obfusk/apksigcopier
 [42] https://github.com/obfusk/reproducible-apk-tools
 [43] https://reproducible-builds.org/tools/

                                    §


Reproducibility testing framework
---------------------------------

The Reproducible Builds project operates a comprehensive testing
framework running primarily at tests.reproducible-builds.org [44] in
order to check packages and other artifacts for reproducibility. In
June, a number of changes were made by Holger Levsen, including:

* Marking the virt(32|64)c-armhf nodes as down. [45]
* Granting a developer access to the osuosl4 node in order to debug a
  regression on the ppc64el architecture. [46]
* Granting a developer access to the osuosl4 node. [47][48]

 [44] https://tests.reproducible-builds.org
 [45] https://salsa.debian.org/qa/jenkins.debian.net/commit/0c7ad186e
 [46] https://salsa.debian.org/qa/jenkins.debian.net/commit/70b132f55
 [47] https://salsa.debian.org/qa/jenkins.debian.net/commit/4c3f6ba51
 [48] https://salsa.debian.org/qa/jenkins.debian.net/commit/04803bdeb

In addition, Mattia Rizzolo re-aligned the /etc/default/jenkins file
with changes performed upstream [49] and changed how configuration files
are handled on the rb-mail1 host [50], whilst Vagrant Cascadian
documented the failure of the virt32c and virt64c nodes after an initial
investigation [51].

 [49] https://salsa.debian.org/qa/jenkins.debian.net/commit/9d229b6f9
 [50] https://salsa.debian.org/qa/jenkins.debian.net/commit/de107d44d
 [51] https://salsa.debian.org/qa/jenkins.debian.net/commit/01f4be05c

                                    §


If you are interested in contributing to the Reproducible Builds
project, please visit our "Contribute" [52] page on our website. You can
also get in touch with us via:

 * IRC: #reproducible-builds on irc.oftc.net.

 * Mastodon: @reproducible_builds at fosstodon.org [53]

 * Mailing list: rb-general at lists.reproducible-builds.org [54]

 * Twitter: @ReproBuilds [55]

 [52] https://reproducible-builds.org/contribute/
 [53] https://fosstodon.org/@reproducible_builds
 [54] https://lists.reproducible-builds.org/listinfo/rb-general
 [55] https://twitter.com/ReproBuilds



-- 
      o
    ⬋   ⬊
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o

