Sorry
This feed does not validate.
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
Source: https://reproducible-builds.org/blog/index.rss
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>reproducible-builds.org</title><description>Reproducible builds blog</description><link>https://reproducible-builds.org/blog/</link><atom:link href="https://reproducible-builds.org/blog/index.rss" rel="self" type="application/rss+xml" /><pubDate>Fri, 12 May 2023 12:59:44 +0000</pubDate><lastBuildDate>Fri, 12 May 2023 12:59:44 +0000</lastBuildDate><generator>Jekyll v3.9.0</generator><item><title>Reproducible Builds in April 2023</title><pubDate>Sat, 06 May 2023 19:55:17 +0000</pubDate><link>https://reproducible-builds.org/reports/2023-04/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2023-04/</guid><description><p class="lead"><strong>Welcome to the April 2023 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project!</strong></p><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2023-04/reproducible-builds.png#right" alt="" /></a></p><p>In these reports we outline the most important things that we have been up to over the past month. And, as always, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><h2 id="general-news">General news</h2><p><a href="https://blog.josefsson.org/2023/04/10/trisquel-is-42-reproducible/"><img src="/images/reports/2023-04/trisquel.png#right" alt="" /></a></p><p><a href="https://trisquel.info/">Trisquel</a> is a fully-free operating system building on the work of <a href="https://ubuntu.com/">Ubuntu Linux</a>. This month, <a href="https://blog.josefsson.org/">Simon Josefsson</a> published an article on his blog titled <a href="https://blog.josefsson.org/2023/04/10/trisquel-is-42-reproducible/"><em>Trisquel is 42% Reproducible!</em></a>. 
Simon wrote:</p><blockquote><p>The absolute number may not be impressive, but what I hope is at least a useful contribution is that there actually is a number on how much of <a href="https://trisquel.info/">Trisquel</a> is reproducible. Hopefully this will inspire others to help improve the actual metric.</p></blockquote><p>Simon <a href="https://blog.josefsson.org/2023/04/15/sigstore-protects-apt-archives-apt-verify-apt-sigstore/">wrote another blog post</a> this month on a new tool to ensure that updates to Linux distribution archive metadata (e.g. via <code>apt-get update</code>) will only use files that have been recorded in a globally immutable and tamper-resistant ledger. A similar solution exists for <a href="https://archlinux.org/">Arch Linux</a> (called <a href="https://github.com/kpcyrd/pacman-bintrans"><code>pacman-bintrans</code></a>) <a href="https://vulns.xyz/2021/08/monthly-report/">which was announced in August 2021</a> where <a href="https://pacman-bintrans.vulns.xyz/">an archive of all issued signatures</a> is publicly accessible.</p><p><br /></p><p><a href="https://www.joachim-breitner.de/">Joachim Breitner</a> wrote <a href="https://www.joachim-breitner.de/blog/802-More_thoughts_on_a_bootstrappable_GHC">an in-depth blog post</a> on a bootstrap-capable <a href="https://www.haskell.org/ghc/">GHC</a>, the primary compiler for the Haskell programming language. As a quick background to what this is trying to solve, in order to generate a fully trustworthy compile chain, trustworthy root binaries are needed… and a popular approach to address this problem is called <a href="https://bootstrappable.org/">bootstrappable builds</a>, where the core idea is to address previously-circular build dependencies by creating a new dependency path using simpler prerequisite versions of software. 
Joachim takes a somewhat recursive approach to the problem for Haskell, leading to the inadvertently humourous question: “Can I turn all of GHC into one module, and compile that?”</p><p>Elsewhere in the world of bootstrapping, Janneke Nieuwenhuizen and Ludovic Courtès wrote a blog post on the <a href="https://guix.gnu.org/en/blog/">GNU Guix blog</a> announcing <a href="https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/"><em>The Full-Source Bootstrap</em></a>, specifically:</p><blockquote><p>[…] the third reduction of the Guix bootstrap binaries has now been merged in the main branch of Guix! If you run <code>guix pull</code> today, you get a package graph of more than 22,000 nodes <strong>rooted in a 357-byte program</strong>—something that had never been achieved, to our knowledge, since the birth of Unix.</p></blockquote><p>More info about this change <a href="https://guix.gnu.org/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/">is available on the post itself</a>, including:</p><blockquote><p>The full-source bootstrap was once deemed impossible. Yet, here we are, building the foundations of a GNU/Linux distro entirely from source, a long way towards the ideal that the Guix project has been aiming for from the start.</p><p>There are still some daunting tasks ahead. For example, what about the Linux kernel? The good news is that the bootstrappable community has grown a lot, from two people six years ago there are now around 100 people in the <code>#bootstrappable</code> IRC channel.</p></blockquote><p><br /></p><p><a href="https://abbbi.github.io/">Michael Ablassmeier</a> created a script called <a href="https://abbbi.github.io//pypidiff/"><em>pypidiff</em></a> as they were looking for a way to track differences between packages published on <a href="https://pypi.org/">PyPI</a>. 
According to Michael, <em>pypidiff</em> “uses <a href="https://diffoscope.org/"><em>diffoscope</em></a> to create reports on the published releases and automatically pushes them to a GitHub repository.” This can be seen on the <a href="https://github.com/pypi-diff"><em>pypi-diff</em></a> GitHub page (<a href="https://github.com/pypi-diff/20230426/blob/master/D/DAJIN2/0.1.8-0.1.9/diff.md#comparing-dajin2-018srcdajin2coreclusteringscreen_difflocipy--dajin2-019srcdajin2coreclusteringscreen_difflocipy">example</a>).</p><p><br /></p><p><a href="https://www.marktechpost.com/2023/04/09/a-new-ai-research-proposes-pythia-a-suite-of-decoder-only-autoregressive-language-models-ranging-from-70m-to-12b-parameters/"><img src="/images/reports/2023-04/eleutherai.png#right" alt="" /></a></p><p><a href="https://www.eleuther.ai/">Eleuther AI</a>, a non-profit AI research group, recently unveiled <a href="https://github.com/EleutherAI/pythia">Pythia</a>, a collection of 16 <a href="https://en.wikipedia.org/wiki/Large_language_model">Large Language Models</a> (LLMs) trained on public data in the same order, designed specifically to facilitate scientific research. According to a <a href="https://www.marktechpost.com/2023/04/09/a-new-ai-research-proposes-pythia-a-suite-of-decoder-only-autoregressive-language-models-ranging-from-70m-to-12b-parameters/">post on MarkTechPost</a>:</p><blockquote><p>Pythia is the only publicly available model suite that includes models that were trained on the same data in the same order [and] all the corresponding <strong>data and tools to download and replicate the exact training process are publicly released</strong> to facilitate further research.</p></blockquote><p>These properties are intended to allow researchers to understand how gender bias (etc.) 
can be affected by training data and model scale.</p><p><br /></p><p>Back in <a href="/reports/2023-02/">February’s report</a> we reported on a series of changes to the <a href="https://www.sphinx-doc.org/">Sphinx documentation generator</a> that was initiated after attempts to get the <a href="https://tracker.debian.org/pkg/alembic"><code>alembic</code></a> Debian package to build reproducibly. Although Chris Lamb was able to identify the source of the problem and <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002862.html">provided a potential patch that might fix it</a>, James Addison has taken the issue in hand, leading to a <a href="https://github.com/sphinx-doc/sphinx/issues/11198">large amount of activity</a> resulting in a <a href="https://github.com/sphinx-doc/sphinx/pull/11312">proposed pull request</a> that is waiting to be merged.</p><p><br /></p><p><a href="https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html"><img src="/images/reports/2023-04/fdroid.png#right" alt="" /></a></p><p><a href="https://www.wireguard.com/">WireGuard</a> is a popular <a href="https://en.wikipedia.org/wiki/Virtual_private_network">Virtual Private Network</a> (VPN) service that aims to be faster, simpler and leaner than other solutions to create secure connections between computing devices. According to a post on the <a href="https://lists.zx2c4.com/pipermail/wireguard/">WireGuard developer mailing list</a>, the <a href="https://f-droid.org/en/packages/com.wireguard.android/">WireGuard Android app</a> can now be built reproducibly so that its contents can be publicly verified. According to <a href="https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html">the post by Jason A. Donenfeld</a>, “the <a href="https://f-droid.org">F-Droid</a> project now does this verification by comparing <a href="https://f-droid.org/en/packages/com.wireguard.android/">their build of WireGuard</a> to the build that the WireGuard project publishes. 
When they match, the new version becomes available. This is very positive news.”</p><p><br /></p><p>Author and public speaker <a href="https://en.wikipedia.org/wiki/VM_Brasseur">V. M. Brasseur</a> published a sample chapter from her upcoming book on “corporate open source strategy”; the chapter covers the topic of the <a href="https://anonymoushash.vmbrasseur.com/2023/04/24/software-bill-of-materials-sbom">Software Bill of Materials</a> (SBOM):</p><blockquote><p>A software bill of materials (SBOM) is defined as “…a nested inventory for software, a list of ingredients that make up software components.” When you receive a physical delivery of some sort, the bill of materials tells you what’s inside the box. Similarly, when you use software created outside of your organisation, the SBOM tells you what’s inside that software. The SBOM is a file that declares the software supply chain (SSC) for that specific piece of software. [<a href="https://anonymoushash.vmbrasseur.com/2023/04/24/software-bill-of-materials-sbom">…</a>]</p></blockquote><p><br /></p><p>Several distributions noticed that recent versions of the Linux kernel are no longer reproducible because the <a href="https://www.kernel.org/doc/html/latest/bpf/btf.html">BPF Type Format</a> (BTF) metadata is not generated in a deterministic way. 
This was discussed on the <code>#reproducible-builds</code> IRC channel, but no solution appears to be in sight for now.</p><hr /><h2 id="community-news">Community news</h2><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month:</p><ul><li><p>Larry Doolittle shared an interesting puzzle with the group where <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-April/002919.html">three bytes in a <code>.zip</code> file</a> were different between two builds.</p></li><li><p>Alexis PM wrote a message as they <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-April/002931.html">had observed a difference between binaries available in the Debian archive and the ones on <em>tests.reproducible-builds.org</em></a>. The <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-April/thread.html#2931">thread</a> generated a number of replies, including interesting responses from Vagrant Cascadian [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-April/002939.html">…</a>] and <em>kpcyrd</em> [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-April/002934.html">…</a>].</p></li></ul><p><a href="https://foss-north.se/2023"><img src="/images/reports/2023-04/foss-north.png#right" alt="" /></a></p><p>Holger Levsen gave a talk at <a href="https://foss-north.se/2023">foss-north 2023</a> in Gothenburg, Sweden on the topic of <a href="https://foss-north.se/2023/speakers-and-talks.html#hlevsen"><em>Reproducible Builds, the first ten years</em></a>.</p><p>Lastly, there were a number of updates to <a href="/">our website</a>, including:</p><ul><li><p>Chris Lamb attempted a number of ways to try and fix literal <code>{: .lead}</code> appearing in the page [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b4e11377">…</a>][<a 
href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f55c283b">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/2d01c3d8">…</a>], made all the <em>Back to who is involved</em> links italics [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/762c5a6a">…</a>], and corrected the syntax of the <code>_data/sponsors.yml</code> file [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ec53c429">…</a>].</p></li><li><p>Holger Levsen added his recent talk [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0314c0db">…</a>], added Simon Josefsson, Mike Perry and Seth Schoen to the contributors page [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ea3966bc">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/a909974d">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d14f94fe">…</a>], reworked the <em>People</em> page a little [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/759b1ef0">…</a>] [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/b312ea5f">…</a>], as well as fixed spelling of ‘Arch Linux’ [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/626a4af0">…</a>].</p></li></ul><p>Lastly, Mattia Rizzolo moved some old sponsors to a ‘former’ section [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/85f22ddb">…</a>] and Simon Josefsson added Trisquel GNU/Linux. 
[<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c8316971">…</a>]</p><p><br /></p><hr /><h2 id="debian">Debian</h2><p><a href="https://debian.org/"><img src="/images/reports/2023-04/debian.png#right" alt="" /></a></p><ul><li><p>Vagrant Cascadian <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002961.html">reported on Debian’s <code>build-essential</code> package set</a>, which was “inspired by how close we are to making the Debian <code>build-essential</code> set reproducible and how important that set of packages are in general”. Vagrant mentioned that: “I have some progress, some hope, and I daresay, some fears…”. <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-May/002961.html">[…]</a></p></li><li><p>Debian Developer <a href="https://mraw.org/">Cyril Brulebois (<em>kibi</em>)</a> filed a bug against <a href="https://snapshot.debian.org/"><em>snapshot.debian.org</em></a> after they noticed that “there are many missing <code>dinstalls</code>” — that is to say, the snapshot service is not capturing 100% of the historical states of the Debian archive. This is relevant to reproducibility because without the availability of historical versions, it becomes impossible to repeat a build at a future date in order to correlate checksums. <a href="https://bugs.debian.org/1031628">…</a></p></li><li><p>20 reviews of Debian packages were added, 21 were updated and 5 were removed this month adding to our <a href="https://tests.reproducible-builds.org/debian/index_issues.html">knowledge about identified issues</a>. Chris Lamb added a new <code>build_path_in_line_annotations_added_by_ruby_ragel</code> toolchain issue. 
<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/f62c135d">[…]</a></p></li><li><p>Mattia Rizzolo announced that the data for the <em>stretch</em> archive on <em>tests.reproducible-builds.org</em> <a href="https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20230424/014118.html">has been archived</a>. This matches the <a href="https://lists.debian.org/debian-devel-announce/2023/03/msg00006.html">archival of <em>stretch</em> within Debian itself</a>. This is of some historical interest, as <em>stretch</em> was the first Debian release regularly tested by the Reproducible Builds project.</p></li></ul><hr /><h2 id="upstream-patches">Upstream patches</h2><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. Wiedemann:</p><ul><li><a href="https://github.com/opensuse-haskell/ghc-rpm-macros/pull/1"><code>ghc</code></a> (workaround a parallelism-related issue)</li></ul></li><li><p>Jan Zerebecki:</p><ul><li><a href="https://gitlab.haskell.org/ghc/ghc/-/issues/23299"><code>ghc</code></a> (report a parallelism-related issue)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1034147">#1034147</a> filed against <a href="https://tracker.debian.org/pkg/ruby-regexp-parser"><code>ruby-regexp-parser</code></a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1033954">#1033954</a>, <a href="https://bugs.debian.org/1033955">#1033955</a> and <a href="https://bugs.debian.org/1033957">#1033957</a> filed against <a href="https://tracker.debian.org/pkg/pike8.0"><code>pike8.0</code></a>.</li><li><a href="https://bugs.debian.org/1033958">#1033958</a> and <a href="https://bugs.debian.org/1033959">#1033959</a> filed against <a 
href="https://tracker.debian.org/pkg/binutils"><code>binutils</code></a>.</li><li><a href="https://bugs.debian.org/1034129">#1034129</a> filed against <a href="https://tracker.debian.org/pkg/lomiri-action-api"><code>lomiri-action-api</code></a>.</li><li><a href="https://bugs.debian.org/1034199">#1034199</a> and <a href="https://bugs.debian.org/1034200">#1034200</a> filed against <a href="https://tracker.debian.org/pkg/lomiri"><code>lomiri</code></a>.</li><li><a href="https://bugs.debian.org/1034327">#1034327</a> filed against <a href="https://tracker.debian.org/pkg/nmodl"><code>nmodl</code></a>.</li><li><a href="https://bugs.debian.org/1034423">#1034423</a> filed against <a href="https://tracker.debian.org/pkg/php8.2"><code>php8.2</code></a>.</li><li><a href="https://bugs.debian.org/1034431">#1034431</a> filed against <a href="https://tracker.debian.org/pkg/qemu"><code>qemu</code></a>.</li><li><a href="https://bugs.debian.org/1034499">#1034499</a> filed against <a href="https://tracker.debian.org/pkg/twisted"><code>twisted</code></a>.</li><li><a href="https://bugs.debian.org/1034740">#1034740</a> filed against <a href="https://tracker.debian.org/pkg/boost1.74"><code>boost1.74</code></a>.</li><li><a href="https://bugs.debian.org/1034892">#1034892</a> filed against <a href="https://tracker.debian.org/pkg/php8.2"><code>php8.2</code></a>.</li><li><a href="https://bugs.debian.org/1035324">#1035324</a> filed against <a href="https://tracker.debian.org/pkg/shaderc"><code>shaderc</code></a>.</li><li><a href="https://bugs.debian.org/1035329">#1035329</a> and <a href="https://bugs.debian.org/1035331">#1035331</a> filed against <a href="https://tracker.debian.org/pkg/jackd2"><code>jackd2</code></a>.</li></ul></li></ul><hr /><h2 id="diffoscope-development"><a href="https://diffoscope.org"><em>diffoscope</em></a> development</h2><p><a href="https://diffoscope.org"><img src="/images/reports/2023-04/diffoscope.png#right" alt="" /></a></p><p><a 
href="https://diffoscope.org"><em>diffoscope</em></a> version <code>241</code> was <a href="https://tracker.debian.org/news/1429548/accepted-diffoscope-241-source-into-unstable/">uploaded to Debian unstable</a> by Chris Lamb. It <a href="https://salsa.debian.org/reproducible-builds/diffoscope/commits/241">included contributions already covered in previous months</a> as well as a change by Chris Lamb to add a missing <code>raise</code> statement that was <a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/2d95ae41efad">accidentally dropped in a previous commit</a>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/52a55da5">…</a>]</p><p><br /></p><hr /><h2 id="testing-framework">Testing framework</h2><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2023-04/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework (available at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a>) in order to check packages and other artifacts for reproducibility. In April, a number of changes were made, including:</p><ul><li><p>Holger Levsen:</p><ul><li>Significant work on a new Documented Jenkins Maintenance (djm) script to support logged maintenance of nodes, etc. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/291bc540d">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ddd8e480e">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/63b29e66f">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2a08b4568">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ad826396b">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/05d3c235a">…</a>]</li><li>Add the new APT repo URL for Jenkins itself with a new signing key. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/1990ba553">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f1733a4ba">…</a>]</li><li>In the Jenkins shell monitor, allow 40 GiB of files for <a href="https://diffoscope.org"><em>diffoscope</em></a> for the Debian <em>experimental</em> distribution as Debian is frozen around the release at the moment. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7e83620d0">…</a>]</li><li>Updated Arch Linux testing to clean up leftover files in <code>/tmp/archlinux-ci/</code> after three days. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e9cb00e87">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/065d4e172">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/bd09d3dcc">…</a>]</li><li>Mark a number of nodes hosted by <a href="https://osuosl.org/">Oregon State University Open Source Lab</a> (OSUOSL) as online and offline. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7121c81c6">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/bd84a1b6f">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/cdd4b5c15">…</a>]</li><li>Update the node health checks to detect failures to end <code>schroot</code> sessions. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b9f3487dd">…</a>]</li><li>Filter out another duplicate contributor from the contributor statistics. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/462fa2454">…</a>]</li></ul></li><li><p>Mattia Rizzolo:</p><ul><li>Code changes to properly <a href="https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20230424/014118.html">archive the <code>stretch</code> Debian distribution</a>. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/f0f2dab30369c4a44c7bb7a8fe0129dcb9db011c">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/1a3aaf3c47df97adeea95016b1e9679a7b1172c2">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/cabef2f6ac8defa5b9f809b704a08e4a6ee879dc">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/7a90bbd77e5eb2a6aff2ecd97fe32faa7024ab31">…</a>]</li><li>Introduce the “archived suites” configuration option. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/dadd1a38c798058399c1d8aa7dfd10c90853cb47">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/66df6f97098063a41a4f1479ce2425928265957a">…</a>]</li><li>Fix the <a href="https://salsa.debian.org/kgb-team/kgb/-/wikis/home">KGB bot</a> configuration to support <code>pyyaml</code> 6.0 as present in Debian <em>bookworm</em>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/bf6fdb5edeb2a57afe25cb9b3cb2f76b9fbf0068">…</a>]</li></ul></li></ul><p><br /><br /></p><hr /><p>If you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. 
You can also get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in March 2023</title><pubDate>Thu, 06 Apr 2023 13:52:40 +0000</pubDate><link>https://reproducible-builds.org/reports/2023-03/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2023-03/</guid><description><p class="lead"><strong>Welcome to the March 2023 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project.</strong></p><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2023-03/reproducible-builds.png#right" alt="" /></a></p><p>In these reports we outline the most important things that we have been up to over the past month. As a quick recap, the motivation behind the reproducible builds effort is to ensure no malicious flaws have been introduced during the compilation and distribution processes. It does this by ensuring identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.</p><p>If you are interested in contributing to the project, please do visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><p><br /></p><h2 id="news">News</h2><p><a href="https://github.com/golang/go/issues/57120"><img src="/images/reports/2023-03/golang.png#right" alt="" /></a></p><p>There was progress towards making the <a href="https://go.dev">Go programming language</a> reproducible this month, with the overall goal remaining to make the Go binaries distributed by Google and by <a href="https://archlinux.org/">Arch Linux</a> (and others) bit-for-bit identical. 
These changes could become part of the upcoming version 1.21 release of Go. An <a href="https://github.com/golang/go/issues/57120">issue in the Go issue tracker (#57120)</a> is being used to follow and record progress on this.</p><p><br /></p><p>Arnout Engelen updated <a href="/">our website</a> to add and update reproducibility-related links for <a href="https://nixos.org/">NixOS</a> to <a href="https://reproducible.nixos.org"><em>reproducible.nixos.org</em></a>. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/04aa8023">…</a>]. In addition, Chris Lamb made some cosmetic changes to our <a href="/resources/">presentations and resources</a> page. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/18424a3c">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/05507724">…</a>]</p><p><br /></p><p><a href="https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html"><img src="/images/reports/2023-03/intel.png#right" alt="" /></a></p><p><a href="https://www.intel.com">Intel</a> published <a href="https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html">a guide</a> on how to reproducibly build their Trust Domain Extensions (TDX) firmware. TDX here refers to an Intel technology that combines their existing virtual machine and memory encryption technology with a new kind of virtual machine guest called a Trust Domain. This runs the CPU in a mode that protects the confidentiality of its memory contents and its state from any other software.</p><p><br /></p><p>A <a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93371">reproducibility-related bug from early 2020</a> in the <a href="https://gcc.gnu.org/">GNU GCC compiler</a> has been fixed. The issue was that if GCC was invoked via the <code>as</code> frontend, the <code>-ffile-prefix-map</code> option was being ignored. 
We were tracking this in Debian via the <a href="https://tests.reproducible-builds.org/debian/issues/unstable/build_path_captured_in_assembly_objects_issue.html"><code>build_path_captured_in_assembly_objects</code></a> issue. It has now been fixed and will be reflected in GCC version 13.</p><p><br /></p><p><a href="https://foss-north.se/2023"><img src="/images/reports/2023-03/foss-north.png#right" alt="" /></a></p><p>Holger Levsen will present at <a href="https://foss-north.se/2023">foss-north 2023</a> in April of this year in Gothenburg, Sweden on the topic of <em>Reproducible Builds, the first ten years</em>.</p><p><br /></p><p>Anthony Andreoli, Anis Lounis, Mourad Debbabi and Aiman Hanna of the <a href="https://www.concordia.ca/ginacody/research/security-research-centre.html">Security Research Centre</a> at <a href="https://www.concordia.ca/">Concordia University, Montreal</a> published a paper this month entitled <a href="https://www.sciencedirect.com/science/article/abs/pii/S2666281723000094"><em>On the prevalence of software supply chain attacks: Empirical study and investigative framework</em></a>:</p><blockquote><p>Software Supply Chain Attacks (SSCAs) typically compromise hosts through trusted but infected software. The intent of this paper is twofold: First, we present an empirical study of the most prominent software supply chain attacks and their characteristics. Second, we propose an investigative framework for identifying, expressing, and evaluating characteristic behaviours of newfound attacks for mitigation and future defense purposes. We hypothesize that these behaviours are statistically malicious, existed in the past, and thus could have been thwarted in modernity through their cementation x-years ago. 
[<a href="https://www.sciencedirect.com/science/article/abs/pii/S2666281723000094">…</a>]</p></blockquote><p><br /></p><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month:</p><ul><li><p>Mattia Rizzolo is asking everyone in the community to save the date for the 2023 Reproducible Builds summit, which will take place between October 31st and November 2nd at <a href="https://dock-europe.net/">Dock Europe</a> in Hamburg, Germany. Separate announcement(s) to follow. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-March/002915.html">…</a>]</p></li><li><p><em>ahojlm</em> posted a message announcing a new project which is “the first project offering bootstrappable and verifiable builds without any binary seeds.” That is to say, a way of providing a verifiable path towards a trusted software development platform without relying on pre-provided binary code, in order to protect against various forms of <a href="https://en.wikipedia.org/wiki/Backdoor_(computing)#Compiler_backdoors">compiler backdoors</a>. The <a href="http://rbzfp7h25zcnmxu4wnxhespe64addpopah5ckfpdfyy4qetpziitp5qd.onion/">project’s homepage</a> is hosted on Tor (<a href="https://www.zq1.de/~bernhard/mirror/rbzfp7h25zcnmxu4wnxhespe64addpopah5ckfpdfyy4qetpziitp5qd.onion/">mirror</a>).</p></li></ul><p><br /></p><p>The <a href="http://meetbot.debian.net/reproducible-builds/2023/reproducible-builds.2023-03-28-14.58.html">minutes and logs from our March 2023 IRC meeting</a> have been published. 
In case you missed it, our next IRC meeting will take place on <strong>Tuesday 25th April at 15:00 UTC</strong> on <code>#reproducible-builds</code> on the <a href="https://oftc.net">OFTC</a> network.</p><p><br /></p><p><a href="http://layer-acht.org/thinking/blog/20230214-i-love-osuosl/"><img src="/images/reports/2023-03/osuosl.jpg#right" alt="" /></a></p><p>… and as a Valentine’s Day present, Holger Levsen wrote on his blog on 14th February to express his thanks to <a href="https://osuosl.org/">OSUOSL</a> for their continuous support of <em>reproducible-builds.org</em>. [<a href="http://layer-acht.org/thinking/blog/20230214-i-love-osuosl/">…</a>]</p><p><br /></p><hr /><h2 id="debian">Debian</h2><p><a href="https://debian.org/"><img src="/images/reports/2023-03/debian.png#right" alt="" /></a></p><p>Vagrant Cascadian developed an easier setup for testing Debian packages, which uses <a href="https://wiki.debian.org/sbuild"><em>sbuild</em></a>’s “<a href="https://wiki.debian.org/sbuild#Using_unshare_with_mmdebstrap_.28no_root_needed.29">unshare mode</a>” along with <a href="https://salsa.debian.org/reproducible-builds/reprotest"><em>reprotest</em></a>, our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-March/002917.html">…</a>]</p><p><br /></p><p>Over 30 reviews of Debian packages were added, 14 were updated and 7 were removed this month, all adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. 
A number of issues were updated, including Holger Levsen updating <code>build_path_captured_in_assembly_objects</code> to note that it has been fixed for GCC 13 [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/3233540c">…</a>], and Vagrant Cascadian adding new issues to mark packages where the build path is being captured via the <a href="https://www.rust-lang.org/">Rust</a> toolchain [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/2691bc83">…</a>] as well as a new categorisation for where <a href="https://www.debian.org/doc/debian-policy/ch-binary.html#s-virtual-pkg">virtual packages</a> have nondeterministic versioned dependencies [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/ccaaab5f">…</a>].</p><hr /><h2 id="upstream-patches">Upstream patches</h2><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://build.opensuse.org/request/show/1073723"><code>cockpit</code></a> (gzip mtime)</li><li><a href="https://build.opensuse.org/request/show/1072113"><code>crmsh</code></a> (by mcepl: rewrite to avoid python toolchain issue)</li><li><a href="https://github.com/marcelotduarte/cx_Freeze/pull/1860"><code>cx_Freeze</code></a> (merged, FTBFS-2038)</li><li><a href="https://build.opensuse.org/request/show/1073618"><code>golangci-lint</code></a> (date)</li><li><a href="https://build.opensuse.org/request/show/1072597"><code>guestfs-tools</code></a> (gzip mtime)</li><li><a href="https://lore.kernel.org/linux-perf-users/20230320201841.1133-1-bwiedemann@suse.de/T/#u"><code>perf</code></a> (merged, sort python scandir)</li><li><a href="https://build.opensuse.org/request/show/1072531"><code>perl-Date-Calc-XS</code></a> (FTBFS-2038)</li><li><a href="https://build.opensuse.org/request/show/1072525"><code>perl-Date-Calc</code></a> (FTBFS-2038)</li><li><a href="https://github.com/PerryWerneck/pw3270/pull/50"><code>pw3270</code></a> (merged, date)</li><li><a href="https://build.opensuse.org/request/show/1068462"><code>python-dtaidistance</code></a> (drop unreproducible unnecessary file)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1208969"><code>sonic-pi</code></a> (FTBFS-2038)</li><li><a href="https://github.com/spack/spack/pull/36064"><code>spack</code></a> (parallelism)</li><li><a href="https://github.com/tesseract-ocr/tesseract/issues/4030"><code>tesseract</code></a> (fixed, CPU, -march=native)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1032409">#1032409</a> filed against <a href="https://tracker.debian.org/pkg/esda"><code>esda</code></a>.</li><li><a href="https://bugs.debian.org/1032759">#1032759</a> filed against <a href="https://tracker.debian.org/pkg/gle-graphics-manual"><code>gle-graphics-manual</code></a>.</li></ul></li><li><p>Stefan Brüns:</p><ul><li><a 
href="https://sourceforge.net/p/mcj/fig2dev/ci/fc429e73ff70f3da13434a6787ee2c7be41dfa51/"><code>transfig/fig2dev</code></a> (also <a href="https://build.opensuse.org/request/show/1070627">in openSUSE</a>; date in PDF)</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1033032">#1033032</a> filed against <a href="https://tracker.debian.org/pkg/buddy"><code>buddy</code></a>.</li><li><a href="https://bugs.debian.org/1033089">#1033089</a> filed against <a href="https://tracker.debian.org/pkg/subread"><code>subread</code></a>.</li><li><a href="https://bugs.debian.org/1033663">#1033663</a> filed against <a href="https://tracker.debian.org/pkg/linux"><code>linux</code></a>.</li></ul></li></ul><p>In addition, Vagrant Cascadian <a href="https://savannah.nongnu.org/bugs/index.php?63944">filed a bug with a patch</a> to ensure <a href="https://www.nongnu.org/gm2/homepage.html">GNU Modula-2</a> supports the <a href="/docs/source-date-epoch/"><code>SOURCE_DATE_EPOCH</code></a> environment variable.</p><hr /><h2 id="testing-framework">Testing framework</h2><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2023-03/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework (available at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a>) in order to check packages and other artifacts for reproducibility. In March, the following changes were made by Holger Levsen:</p><ul><li><p><a href="https://archlinux.org/">Arch Linux</a>-related changes:</p><ul><li>Build Arch packages in <code>/tmp/archlinux-ci/$SRCPACKAGE</code> instead of <code>/tmp/$SRCPACKAGE</code>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/83d7c78f0">…</a>]</li><li>Start 2/3 of the builds on the <code>o1</code> node, the rest on <code>o2</code>. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b798a3111">…</a>]</li><li>Add graphs for Arch Linux (and OpenWrt) builds. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/93c0abe7d">…</a>]</li><li>Toggle Arch-related builders to debug why a specific node overloaded. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2f3214451">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/0c68f8d80">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f65123374">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/9aaa1a5f9">…</a>]</li></ul></li><li><p>Node health checks:</p><ul><li>Detect <code>SetuptoolsDeprecationWarning</code> tracebacks in Python builds. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/950256a89">…</a>]</li><li>Detect failures to perform <code>chdist</code> calls. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b87374d28">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/39ade4464">…</a>]</li></ul></li><li><p><a href="https://osuosl.org/">OSUOSL</a> node migration:</p><ul><li>Install <code>megacli</code> packages that are needed for hardware RAID. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/649a70080">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/52fae771e">…</a>]</li><li>Add health check and maintenance jobs for new nodes. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/11a38325e">…</a>]</li><li>Add mail config for new nodes. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/3ca9e3a8d">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/72f3fbb89">…</a>]</li><li>Handle a node running in the future correctly. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/8cdfe61f0">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/3bc4af860">…</a>]</li><li>Migrate some nodes to Debian <em>bookworm</em>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/95e7d0773">…</a>]</li><li>Fix the node health overview for osuosl3. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e29233697">…</a>]</li><li>Make sure the <code>/srv/workspace</code> directory is owned by the <code>jenkins</code> user. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/c30f8722f">…</a>]</li><li>Use <code>.debian.net</code> names everywhere, except when communicating with the outside world. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e3df5ea5d">…</a>]</li><li>Grant <em>fpierret</em> access to a new node. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/13c01e232">…</a>]</li><li>Update documentation. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b350fd3d2">…</a>]</li><li>Misc migration changes. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/66051839c">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e95106f82">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a8815d1c9">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a9ef6c0c2">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/11fc197ac">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/9a74cdaf9">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5c9a894a1">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/627e56fa3">…</a>]</li></ul></li><li><p>Misc changes:</p><ul><li>Enable fail2ban everywhere and monitor it with munin [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2d5c765d0">…</a>].</li><li>Gracefully deal with non-existing <a href="https://www.alpinelinux.org/">Alpine</a> schroots. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a8d44f889">…</a>]</li></ul></li></ul><p>In addition, Roland Clobus is continuing his work on <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002877.html">reproducible Debian ISO images</a>:</p><ul><li>Add/update <a href="http://open.qa/">openQA</a> configuration [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/962a721f4">…</a>], and use the actual timestamp for openQA builds [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f0ac16d13">…</a>].</li><li>Moved adding the user to the <code>docker</code> group from the <code>janitor_setup_worker</code> script to the (more general) <code>update_jdn.sh</code> script. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/25835d550">…</a>]</li><li>Use the (short-term) ‘reproducible’ source when generating <code>live-build</code> images. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b1c218dad">…</a>]</li></ul><hr /><h2 id="diffoscope-development"><a href="https://diffoscope.org"><em>diffoscope</em></a> development</h2><p><a href="https://diffoscope.org"><img src="/images/reports/2023-03/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats as well. This month, Mattia Rizzolo released versions <a href="https://diffoscope.org/news/diffoscope-238-released/"><code>238</code></a>, and Chris Lamb released versions <a href="https://diffoscope.org/news/diffoscope-239-released/"><code>239</code></a> and <a href="https://diffoscope.org/news/diffoscope-240-released/"><code>240</code></a>. Chris Lamb also made the following changes:</p><ul><li>Fix compatibility with PyPDF 3.x, and correctly restore test data. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/a91f8bfe">…</a>]</li><li>Rework PDF annotation handling into a separate method. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/2b268980">…</a>]</li></ul><p>In addition, Holger Levsen performed a long-overdue overhaul of the <a href="https://lintian.debian.org/">Lintian</a> overrides in the Debian packaging [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7d0fd9c3">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/8b0fe07a">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/e430e268">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/04f2114f">…</a>], and Mattia Rizzolo updated the packaging to silence an <code>include_package_data=True</code> warning [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/f2f30420">…</a>], fixed the build under Debian <em>bullseye</em> [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/9e525a8e">…</a>], fixed a tool name in the list of tools permitted to be absent during package build tests [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/36854d06">…</a>] and documented sending out an email upon [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/635c404d">…</a>].</p><p>Separately, Vagrant Cascadian updated the version of <em>diffoscope</em> in <a href="https://guix.gnu.org/">GNU Guix</a> to 238 [<a href="https://issues.guix.gnu.org/62312">…</a>] and 239 [<a href="https://issues.guix.gnu.org/62312">…</a>]. Vagrant also updated <em>reprotest</em> in Guix to version 0.7.23. [<a href="https://issues.guix.gnu.org/62172">…</a>]</p><hr /><h2 id="other-development-work">Other development work</h2><p><a href="https://www.opensuse.org/"><img src="/images/reports/2023-03/opensuse.png#right" alt="" /></a></p><p>Bernhard M. 
Wiedemann published another <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/WB5NTG4Q6KK2YLIZ4OF65MI5CQDOEA3B/">monthly report about reproducibility within openSUSE</a>.</p><p><br /><br /></p><hr /><p>If you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. Alternatively, you can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in February 2023</title><pubDate>Sun, 05 Mar 2023 08:53:40 +0000</pubDate><link>https://reproducible-builds.org/reports/2023-02/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2023-02/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2023-02/reproducible-builds.png#right" alt="" /></a></p><p><strong>Welcome to the February 2023 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project.</strong> As ever, if you are interested in contributing to our project, please visit the <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><hr /><p><a href="https://fosdem.org/2023/"><img src="/images/reports/2023-02/fosdem.jpeg#right" alt="" /></a></p><p><a href="https://fosdem.org/2023/">FOSDEM 2023</a> was held in Brussels on the 4th &amp; 5th of February and featured a number of talks related to reproducibility. 
In particular, Akihiro Suda gave a talk titled <a href="https://fosdem.org/2023/schedule/event/container_reproducible_dockerfile"><em>Bit-for-bit reproducible builds with Dockerfile</em></a> discussing deterministic timestamps and deterministic <code>apt-get</code> (<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002842.html">original announcement</a>). There was also an entire <a href="https://fosdem.org/2023/schedule/track/software_bill_of_materials/">‘track’ of talks on Software Bill of Materials</a> (SBOMs). SBOMs are an inventory of the components that make up a piece of software, intended to increase the transparency of what is actually shipped (the US <a href="https://ntia.gov/">National Telecommunications and Information Administration</a> (NTIA) published a useful <a href="https://ntia.gov/sites/default/files/publications/sbom_myths_vs_facts_nov2021_0.pdf"><em>Myths vs. Facts</em></a> document in 2021).</p><p><br /></p><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month, Larry Doolittle was puzzled why the <a href="https://tracker.debian.org/pkg/verilator">Debian <code>verilator</code> package</a> was not reproducible [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002856.html">…</a>], but Chris Lamb pointed out that this was due to the use of Python’s <a href="https://docs.python.org/3/library/datetime.html#datetime.datetime.fromtimestamp"><code>datetime.fromtimestamp</code></a>, which renders a timestamp in the build machine’s local time zone, over <a href="https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp"><code>datetime.utcfromtimestamp</code></a> [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002859.html">…</a>].</p><p><br /></p><p>James Addison was also having issues with a Debian package: in this case, the <a href="https://tracker.debian.org/pkg/alembic"><code>alembic</code></a> package. 
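The <code>verilator</code> problem above (a naive <code>datetime.fromtimestamp()</code> that renders in whatever zone the build machine happens to be in) and the “gzip mtime” patches listed under Upstream patches earlier on this page are the same class of defect: a timestamp taken from the build environment leaks into the output. The Python below is an added example written for this page; it is not code from the Reproducible Builds project, from <code>verilator</code>, or from any package named in these reports. It puts each unreproducible pattern beside its deterministic form and shows <code>SOURCE_DATE_EPOCH</code> being honoured the way its specification (linked earlier on this page) describes. The epoch value, payload bytes and environment dictionaries are constructed, and it assumes a Unix Python because it switches the process zone with <code>time.tzset()</code>.

```python
"""Added example: timestamp pitfalls from the reports above, each beside its
deterministic form.  Not code from the Reproducible Builds project or from any
package it names.  Unix only (time.tzset()); every input below is constructed."""
import datetime as dt
import gzip
import os
import time

SAMPLE_EPOCH = 1675900800                      # constructed: 2023-02-09 00:00:00 UTC
SAMPLE_PAYLOAD = b"example build artifact\n"   # constructed stand-in for a built file


def naive_local_stamp(epoch: int, tz: str) -> str:
    """The verilator pattern: datetime.fromtimestamp() with no tzinfo renders the
    epoch in the build machine's local zone, so the output follows TZ.
    tz is a POSIX TZ string such as "UTC0" or "JST-9" (no tzdata needed)."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        return dt.datetime.fromtimestamp(epoch).strftime("%Y-%m-%d %H:%M")
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def utc_stamp(epoch: int) -> str:
    """Deterministic form: pin the zone.  utcfromtimestamp() gives the same text
    but is deprecated from Python 3.12, so pass tz=timezone.utc instead."""
    return dt.datetime.fromtimestamp(epoch, tz=dt.timezone.utc).strftime("%Y-%m-%d %H:%M")


def source_date_epoch(fallback: int, environ=None) -> int:
    """Honour SOURCE_DATE_EPOCH as its specification describes: when set, it is a
    non-negative decimal Unix timestamp that replaces the clock or a file mtime."""
    env = os.environ if environ is None else environ
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return fallback
    if not raw.isdigit():
        raise ValueError("SOURCE_DATE_EPOCH must be a non-negative decimal integer: %r" % raw)
    return int(raw)


def gzip_header_mtime(blob: bytes) -> int:
    """Read the 32-bit little-endian MTIME field at offset 4 of a gzip member
    (RFC 1952): the field that differs in the 'gzip mtime' bugs reported above."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return int.from_bytes(blob[4:8], "little")


def compress_with_clock(payload: bytes, now: int) -> bytes:
    """The unreproducible pattern: gzip.compress() stamps the header with the
    current time by default.  'now' stands in for time.time() so two builds
    a minute apart can be compared without actually waiting."""
    return gzip.compress(payload, mtime=now)


def compress_reproducibly(payload: bytes, environ=None) -> bytes:
    """Fix: take the header time from SOURCE_DATE_EPOCH, falling back to 0,
    which RFC 1952 defines as 'no timestamp available'."""
    return gzip.compress(payload, mtime=source_date_epoch(0, environ))


if __name__ == "__main__":
    print("local:", naive_local_stamp(SAMPLE_EPOCH, "UTC0"),
          "vs", naive_local_stamp(SAMPLE_EPOCH, "JST-9"))
    print("utc:  ", utc_stamp(SAMPLE_EPOCH))
    first = compress_with_clock(SAMPLE_PAYLOAD, SAMPLE_EPOCH)
    second = compress_with_clock(SAMPLE_PAYLOAD, SAMPLE_EPOCH + 60)
    print("clock-stamped builds identical:", first == second,
          "header mtimes:", gzip_header_mtime(first), gzip_header_mtime(second))
    env = {"SOURCE_DATE_EPOCH": str(SAMPLE_EPOCH)}
    print("pinned builds identical:",
          compress_reproducibly(SAMPLE_PAYLOAD, env) == compress_reproducibly(SAMPLE_PAYLOAD, env))
```

Run directly, the two clock-stamped archives differ only in the four MTIME bytes of the header, which is the region <em>diffoscope</em> surfaces as a gzip mtime difference; with <code>SOURCE_DATE_EPOCH</code> exported, repeated runs yield identical bytes, and the local-time stamp changes with <code>TZ</code> while the UTC one does not.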
Chris Lamb was also able to identify the <a href="https://www.sphinx-doc.org/en/master/">Sphinx documentation generator</a> as the cause of the problem, and <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002862.html">provided a potential patch that might fix it</a>. This was later filed upstream [<a href="https://github.com/sphinx-doc/sphinx/issues/11198">…</a>].</p><p><br /></p><p>Anthony Harrison wrote to our list twice, first by <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002871.html">introducing himself and his background</a> and later to mention the increasing relevance of Software Bill of Materials (SBOMs):</p><blockquote><p>As I am sure everyone is aware, there is a growing interest in [SBOMs] as a way of improving software security and resilience. In the last two years, the US through the Exec Order, the EU through the proposed Cyber Resilience Act (CRA) and this month the UK has issued a consultation paper looking at software security and SBOMs appear very prominently in each publication. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002872.html">…</a>]</p></blockquote><p><br /></p><p><a href="https://retout.co.uk/2023/02/04/almalinux-and-sboms/"><img src="/images/reports/2023-02/almalinux.png#right" alt="" /></a></p><p><a href="https://retout.co.uk/">Tim Retout</a> wrote a blog post discussing <a href="https://almalinux.org/">AlmaLinux</a> in the context of CentOS, RHEL and supply-chain security in general [<a href="https://retout.co.uk/2023/02/04/almalinux-and-sboms/">…</a>]:</p><blockquote><p>Alma are generating and publishing Software Bill of Material (SBOM) files for every package; these are becoming a requirement for all software sold to the US federal government. 
What’s more, they are sending these SBOMs to a third party (<a href="https://codenotary.com/">CodeNotary</a>) who store them in some sort of <a href="https://en.wikipedia.org/wiki/Merkle_tree">Merkle tree</a> system to make it difficult for people to tamper with later. This should theoretically allow end users of the distribution to verify the supply chain of the packages they have installed?</p></blockquote><hr /><h2 id="debian">Debian</h2><p><a href="https://debian.org/"><img src="/images/reports/2023-02/debian.png#right" alt="" /></a></p><ul><li><p>Vagrant Cascadian noted that the Debian <em>bookworm</em> distribution has finally surpassed <em>bullseye</em> for reproducibility: 96.1% vs. 96.0%, despite having over 3500 more packages in the distribution.</p></li><li><p>Roland Clobus posted his <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002877.html">latest update of the status of reproducible Debian ISO images</a> noting that “all major desktops build reproducibly with <em>bullseye</em>, <em>bookworm</em> and <em>sid</em>,” with the caveat that “when non-free firmware is activated, some non-reproducible files are generated”.</p></li><li><p>FC Stegerman submitted a new <a href="https://wiki.debian.org/ITP">Intent to Package (ITP)</a> bug report <a href="https://bugs.debian.org/1030768">representing an intention to package <code>repro-apk</code></a>, a set of <a href="https://github.com/obfusk/reproducible-apk-tools">scripts to make Android <code>.apk</code> files reproducible</a>.</p></li><li><p>23 reviews of Debian packages were added, 24 were updated and 20 were removed this month, adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. 
A new issue was identified and added by Chris Lamb [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c2b3882c">…</a>], and the <code>timestamps_embedded_in_manpages_by_node_marked_man</code> issue has been marked as resolved [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5cb5d781">…</a>].</p></li></ul><hr /><h2 id="f-droid--android">F-Droid &amp; Android</h2><p><a href="https://f-droid.org/"><img src="/images/reports/2023-02/fdroid.png#right" alt="" /></a></p><ul><li><p>This month, F-Droid added 21 apps published with reproducible builds (out of 33 new apps in total), the <a href="https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/overview.md">overview of F-Droid apps published with Reproducible Builds</a> now includes graphs, and there are now also some <a href="https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/verification/graphs.md">graphs of F-Droid apps verified by the Verification Server</a>.</p></li><li><p>FC Stegerman noticed that <a href="https://github.com/obfusk/apksigcopier/issues/88">signatures made by older versions of the Android Gradle plugin cannot be copied</a> because the signing method differs too much from that used by <a href="https://developer.android.com/studio/command-line/apksigner"><em>apksigner</em></a> (and <a href="https://android.googlesource.com/platform/tools/base/+/studio-master-dev/signflinger/"><em>signflinger</em></a>).</p></li><li><p>FC Stegerman also created a helpful HOWTO page on the <a href="https://gitlab.com/fdroid/wiki/-/wikis/pages">F-Droid Wiki</a> detailing how to <a href="https://gitlab.com/fdroid/wiki/-/wikis/HOWTO:-diff-&amp;-fix-APKs-for-Reproducible-Builds">compare and subsequently make APKs reproducible</a>.</p></li><li><p>A long-running thread on <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/thread.html#2828"><em>Hiding data/code in Android APK embedded signatures</em></a> continued 
on <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month; <a href="https://github.com/obfusk/apksigcopier"><em>apksigcopier</em></a> <code>v1.1.1</code> and <a href="https://github.com/obfusk/reproducible-apk-tools"><em>reproducible-apk-tools</em></a> <code>v0.2.2</code> + <code>v0.2.3</code> were also <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002853.html">announced</a> on the same list.</p></li><li><p>Lastly, FC Stegerman reported two issues on Google’s own issue tracker: one related to a non-deterministic “Dependency Info Block” [<a href="https://issuetracker.google.com/issues/268071369">…</a>] and another about a “virtual entry” added by the <a href="https://android.googlesource.com/platform/tools/base/+/studio-master-dev/signflinger/"><em>signflinger</em></a> tool causing unexpected differences between signed and unsigned APKs [<a href="https://issuetracker.google.com/issues/268071371">…</a>].</p></li></ul><hr /><h2 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h2><p><a href="https://diffoscope.org"><img src="/images/reports/2023-02/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats.</p><p>This month, Chris Lamb released versions <a href="https://diffoscope.org/news/diffoscope-235-released/"><code>235</code></a> and <a href="https://diffoscope.org/news/diffoscope-236-released/"><code>236</code></a>; Mattia Rizzolo later released version <a href="https://diffoscope.org/news/diffoscope-237-released/"><code>237</code></a>.</p><p>Contributions include:</p><ul><li>Chris Lamb:<ul><li>Fix compatibility with PyPDF2 (re. 
issue <a href="https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/331">#331</a>) [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/82a767d2">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/ff6d9bbd">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/ccf3c2a4">…</a>].</li><li>Fix compatibility with <a href="https://imagemagick.org">ImageMagick</a> version 7.1 [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/60ea9cc6">…</a>].</li><li>Require at least version 23.1.0 to run the <a href="https://github.com/psf/black">Black</a> source code tests [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/c45de0a1">…</a>].</li><li>Update <code>debian/tests/control</code> after merging changes from others [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/72e5b2a1">…</a>].</li><li>Don’t write test data during a test [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/25dcd1e6">…</a>].</li><li>Update copyright years [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/be3973b0">…</a>].</li><li>Merged a large number of changes from others.</li></ul></li><li><p>Akihiro Suda edited the <code>.gitlab-ci.yml</code> configuration file to ensure that versioned tags are pushed to the container registry [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/637c2985">…</a>].</p></li><li><p>Daniel Kahn Gillmor provided a way to migrate from PyPDF2 to pypdf (<a href="https://bugs.debian.org/1029742">#1029741</a>).</p></li><li><p>Efraim Flashner updated the tool metadata for <code>isoinfo</code> on <a href="https://guix.gnu.org/">GNU Guix</a> [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7d6ce503">…</a>].</p></li><li><p>FC Stegerman added support for Android <code>resources.arsc</code> files [<a 
href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7cf77ed1">…</a>], improved a number of file-matching regular expressions [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/8d7762f6">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/c988c3ad">…</a>] and added support for Android <code>dexdump</code> [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/1bb9b812">…</a>]; they also <a href="https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/f48fbe61">fixed</a> a test failure (<a href="https://bugs.debian.org/1031433">#1031433</a>) caused by Debian’s <code>black</code> package having been updated to a newer version.</p></li><li>Mattia Rizzolo:<ul><li>updated the release documentation [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/b17b0595">…</a>],</li><li>fixed a number of <a href="https://flake8.pycqa.org/en/latest/">Flake8</a> errors [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/8f710cd5">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/6eb8d06f">…</a>],</li><li>updated the autopkgtest configuration to only install <code>aapt</code> and <code>dexdump</code> on architectures where they are available [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/61f7c2b3">…</a>], making sure that the latest diffoscope release is a good fit for the upcoming Debian bookworm freeze.</li></ul></li></ul><hr /><h2 id="reprotest"><a href="https://salsa.debian.org/reproducible-builds/reprotest">reprotest</a></h2><p><a href="https://salsa.debian.org/reproducible-builds/reprotest">Reprotest</a> version 0.7.23 was uploaded to both <a href="https://pypi.org/">PyPI</a> and Debian unstable, including the following changes:</p><ul><li><p>Holger Levsen improved a lot of documentation [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/296800e">…</a>][<a 
href="https://salsa.debian.org/reproducible-builds/reprotest/commit/82d585b">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/b2a6f6f">…</a>], tidied the documentation as well [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/e8d9476">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/84496fa">…</a>], and experimented with a new <code>--random-locale</code> flag [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/f76f6e1">…</a>].</p></li><li><p>Vagrant Cascadian adjusted <em>reprotest</em> to no longer randomise the build locale and use a UTF-8 supported locale instead <a href="https://salsa.debian.org/reproducible-builds/reprotest/-/commit/610e6cae">[…]</a> (re. <a href="https://bugs.debian.org/925879">#925879</a>, <a href="https://bugs.debian.org/1004950">#1004950</a>), and to also support passing <code>--vary=locales.locale=LOCALE</code> to specify the locale to vary [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/a92f741">…</a>].</p></li></ul><p>Separate to this, Vagrant Cascadian started a thread on our <a href="https://lists.reproducible-builds.org/listinfo/rb-general">mailing list</a> questioning the <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002876.html">future development and direction of <em>reprotest</em></a>.</p><hr /><h2 id="upstream-patches">Upstream patches</h2><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://github.com/aio-libs/aiohttp/pull/7191"><code>aiohttp</code></a> (build fails in the future)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1180471"><code>diff-pdf</code></a></li><li><a href="https://build.opensuse.org/request/show/1067125"><code>dpdk</code></a></li><li><a href="https://build.opensuse.org/request/show/1066747"><code>ebumeter</code></a> (CPU-related issue)</li><li><a href="https://github.com/firecracker-microvm/firecracker/issues/3439"><code>firecracker</code></a> (hashmap ordering issue)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1208386"><code>jhead/gcc</code></a> (used random temporary directory name)</li><li><a href="https://build.opensuse.org/request/show/1068331"><code>libhugetlbfs</code></a> (drop unused unreproducible file)</li><li><a href="https://build.opensuse.org/request/show/1066043"><code>prosody</code></a> (generates nondeterministic example SSL certificates)</li><li><a href="https://build.opensuse.org/request/show/1067129"><code>python-sqlalchemy-migrate</code></a> (clean files leftover by <a href="https://www.sphinx-doc.org/en/master/">Sphinx</a>)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1208478"><code>tigervnc</code></a> (random RSA key)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1030708">#1030708</a> filed against <a href="https://tracker.debian.org/pkg/gap-browse"><code>gap-browse</code></a>.</li><li><a href="https://bugs.debian.org/1030714">#1030714</a> filed against <a href="https://tracker.debian.org/pkg/cwltool"><code>cwltool</code></a>.</li><li><a href="https://bugs.debian.org/1030715">#1030715</a> filed against <a href="https://tracker.debian.org/pkg/adacgi"><code>adacgi</code></a>.</li><li><a href="https://bugs.debian.org/1030724">#1030724</a> filed against <a href="https://tracker.debian.org/pkg/node-marked-man"><code>node-marked-man</code></a> (<a 
href="https://github.com/kapouer/marked-man/pull/32">forwarded upstream</a>).</li><li><a href="https://bugs.debian.org/1030727">#1030727</a> filed against <a href="https://tracker.debian.org/pkg/multipath-tools"><code>multipath-tools</code></a>.</li><li><a href="https://bugs.debian.org/1031030">#1031030</a> filed against <a href="https://tracker.debian.org/pkg/ruby-pgplot"><code>ruby-pgplot</code></a>.</li><li><a href="https://bugs.debian.org/1031412">#1031412</a> filed against <a href="https://tracker.debian.org/pkg/pysdl2"><code>pysdl2</code></a>.</li><li><a href="https://bugs.debian.org/1031829">#1031829</a> filed against <a href="https://tracker.debian.org/pkg/gawk"><code>gawk</code></a>.</li><li><a href="https://bugs.debian.org/1032057">#1032057</a> filed against <a href="https://tracker.debian.org/pkg/pyproject-api"><code>pyproject-api</code></a>.</li></ul></li><li><p>Gioele Barabucci:</p><ul><li><a href="https://bugs.debian.org/1032056">#1032056</a> filed against <a href="https://tracker.debian.org/pkg/systemtap"><code>systemtap</code></a>.</li></ul></li><li><p>Larry Doolittle:</p><ul><li><a href="https://bugs.debian.org/1031711">#1031711</a> filed against <a href="https://tracker.debian.org/pkg/verilator"><code>verilator</code></a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1030270">#1030270</a> filed against <a href="https://tracker.debian.org/pkg/libreoffice"><code>libreoffice</code></a>.</li></ul></li></ul><hr /><h2 id="testing-framework">Testing framework</h2><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2023-02/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework (available at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a>) in order to check packages and other artifacts for reproducibility. 
In February, the following changes were made by Holger Levsen:</p><ul><li>Add three new <a href="https://osuosl.org/">OSUOSL</a> nodes [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/d188805b">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f9f9c65d">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f57dbeb1">…</a>] and decommission the <code>osuosl174</code> node [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f05f9ce7">…</a>].</li><li>Change the order of listed Debian architectures to show the 64-bit ones first [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/0b65129f">…</a>].</li><li>Reduce the frequency that the Debian package sets and <code>dd-list</code> HTML pages update [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/965b4358">…</a>].</li><li>Sort “Tested suite” consistently (and Debian <em>unstable</em> first) [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/6503fafd">…</a>].</li><li>Update the Jenkins shell monitor script to only query disk statistics every 230min [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7eafae2d">…</a>] and improve the documentation [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5ed88c03">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/8d882964">…</a>].</li></ul><hr /><h2 id="other-development-work">Other development work</h2><p><a href="https://salsa.debian.org/reproducible-builds/disorderfs"><em>disorderfs</em></a> version <code>0.5.11-3</code> was uploaded by Holger Levsen, fixing a number of issues with the manual page [<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/2c3df22">…</a>][<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/e92c9c2">…</a>][<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/76c9e78">…</a>].</p><p><br /></p><p><a href="https://www.opensuse.org/"><img 
src="/images/reports/2023-02/opensuse.png#right" alt="" /></a></p><p>Bernhard M. Wiedemann published another <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/5TURLU4YB6PL2ES5GFWUJIQS22Z4YRKZ/">monthly report about reproducibility within openSUSE</a>.</p><hr /><p>If you are interested in contributing to the Reproducible Builds project, please visit the <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. You can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mastodon: <a href="https://fosstodon.org/@reproducible_builds">@reproducible_builds@fosstodon.org</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in January 2023</title><pubDate>Mon, 06 Feb 2023 00:37:36 +0000</pubDate><link>https://reproducible-builds.org/reports/2023-01/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2023-01/</guid><description><p class="lead"><strong>Welcome to the first report for 2023 from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project!</strong></p><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2023-01/reproducible-builds.png#right" alt="" /></a></p><p>In these reports we try and outline the most important things that we have been up to over the past month, as well as the most important things in/around the community. As a quick recap, the motivation behind the reproducible builds effort is to ensure no malicious flaws can be deliberately introduced during compilation and distribution of the software that we run on our devices. 
As ever, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><hr /><h2 id="news">News</h2><p><a href="https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/"><img src="/images/reports/2023-01/github.png#right" alt="" /></a></p><p>In a curious turn of events, GitHub first announced this month that the checksums of various Git archives may be subject to change, specifically that because:</p><blockquote><p>… the default compression for Git archives has recently changed. As result, archives downloaded from GitHub may have different checksums even though the contents are completely unchanged.</p></blockquote><p>This change (which <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002709.html">was brought up on our mailing list</a> last October) would have had quite wide-ranging implications for anyone wishing to validate and verify downloaded archives using cryptographic signatures. However, GitHub reversed this decision, updating their <a href="https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/">original announcement</a> with a message that “We are reverting this change for now. More details to follow.” It appears that this was informed in part by an <a href="https://github.com/orgs/community/discussions/45830">in-depth discussion in the GitHub Community issue tracker</a>.</p><p><br /></p><p><a href="https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2022.pdf?__blob=publicationFile&amp;v=6"><img src="/images/reports/2023-01/bsi.png#right" alt="" /></a></p><p>The <em>Bundesamt für Sicherheit in der Informationstechnik</em> (BSI) (trans: ‘The Federal Office for Information Security’) is the agency in charge of managing computer and communication security for the German federal government. 
They recently produced a report that touches on attacks on software supply-chains (<em>Supply-Chain-Angriff</em>). (<a href="https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2022.pdf?__blob=publicationFile&amp;v=6">German PDF</a>)</p><p><br /></p><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2023-01/reproducible-builds.png#right" alt="" /></a></p><p>Contributor <em>Seb35</em> updated <a href="/">our website</a> to fix broken links to <a href="https://tails.boum.org/">Tails</a>’ Git repository [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7f98d24b">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f3ae46cc">…</a>], and Holger updated a large number of pages around our <a href="/events/venice2022/">recent summit in Venice</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/80e4e5b9">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/af639729">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/78a0a627">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/385c83e9">…</a>].</p><p><br /></p><p><a href="https://www.cesarsotovalero.net/files/publications/The_State_Of_Software_Diversity_In_The_Software_Supply_Chain.pdf"><img src="/images/reports/2023-01/jonsson-paper.png#right" alt="" /></a></p><p>Noak Jönsson has written an interesting paper entitled <a href="https://www.cesarsotovalero.net/files/publications/The_State_Of_Software_Diversity_In_The_Software_Supply_Chain.pdf"><em>The State of Software Diversity in the Software Supply Chain of Ethereum Clients</em></a>. As the paper outlines:</p><blockquote><p>In this report, the software supply chains of the most popular Ethereum clients are cataloged and analyzed. 
The dependency graphs of Ethereum clients developed in Go, Rust, and Java, are studied. These clients are Geth, Prysm, OpenEthereum, Lighthouse, Besu, and Teku. To do so, their dependency graphs are transformed into a unified format. Quantitative metrics are used to depict the software supply chain of the blockchain. The results show a clear difference in the size of the software supply chain required for the execution layer and consensus layer of Ethereum.</p></blockquote><p><br /></p><p>Yongkui Han posted to <a href="https://lists.reproducible-builds.org/pipermail/rb-general/">our mailing list</a> discussing <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002813.html">making reproducible builds &amp; GitBOM work together without gitBOM-ID embedding</a>. GitBOM (now renamed to <a href="https://omnibor.io/">OmniBOR</a>) is a project to “enable automatic, verifiable artifact resolution across today’s diverse software supply-chains” [<a href="https://omnibor.io/">…</a>]. In addition, Fabian Keil wrote to us asking whether <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002811.html">anyone in the community would be at Chemnitz Linux Days 2023</a>, which is due to take place on 11th and 12th March (<a href="https://chemnitzer.linux-tage.de/2023/en">event info</a>).</p><p><a href="https://fosdem.org/"><img src="/images/reports/2023-01/fosdem.jpeg#right" alt="" /></a></p><p>Separate to this, Akihiro Suda posted to our mailing list just after the end of the month with a <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-February/002842.html">status report of bit-for-bit reproducible Docker/OCI images</a>. 
As Akihiro mentions in their post, they will be giving a talk at <a href="https://fosdem.org/">FOSDEM</a> in the <a href="https://fosdem.org/2023/schedule/track/containers/">‘Containers’ devroom</a> titled <a href="https://fosdem.org/2023/schedule/event/container_reproducible_dockerfile/"><em>Bit-for-bit reproducible builds with <code>Dockerfile</code></em></a> and that “my talk will also mention how to pin the apt/dnf/apk/pacman packages with my <a href="https://github.com/reproducible-containers/repro-get"><code>repro-get</code></a> tool.”</p><p><br /></p><p><a href="https://signal.org/"><img src="/images/reports/2023-01/signal.png#right" alt="" /></a></p><p>The extremely popular <a href="https://signal.org/">Signal messenger app</a> added upstream support for the <a href="/docs/source-date-epoch/"><code>SOURCE_DATE_EPOCH</code></a> environment variable this month. This means that release tarballs of the Signal desktop client do not embed nondeterministic release information. [<a href="https://github.com/signalapp/Signal-Desktop/pull/5753">…</a>][<a href="https://github.com/signalapp/Signal-Desktop/pull/6212">…</a>]</p><p><br /></p><hr /><h2 id="distribution-work">Distribution work</h2><h3 id="f-droid--android">F-Droid &amp; Android</h3><p><a href="https://f-droid.org/"><img src="/images/reports/2023-01/fdroid.png#right" alt="" /></a></p><p>There was a very large number of changes in the <a href="https://f-droid.org/">F-Droid</a> and wider Android ecosystem this month:</p><p>On January 15th, a blog post entitled <a href="https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html"><em>Towards a reproducible F-Droid</em></a> was published on the <a href="https://f-droid.org/">F-Droid website</a>, outlining the reasons why “F-Droid signs published APKs with its own keys” and how reproducible builds allow using upstream developers’ keys instead. 
In particular:</p><blockquote><p>In response to […] criticisms, we started <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2816">encouraging new apps to enable reproducible builds</a>. It turns out that reproducible builds are not so difficult to achieve for many apps. <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2844">In the past few months we’ve gotten many more reproducible apps in F-Droid than before</a>. Currently we can’t highlight which apps are reproducible in the client, so maybe you haven’t noticed that there are many new apps signed with upstream developers’ keys.</p></blockquote><p>(There was a <a href="https://news.ycombinator.com/item?id=34457143">discussion about this post</a> on <a href="https://news.ycombinator.com/">Hacker News</a>.)</p><p>In addition:</p><ul><li><p>F-Droid added 13 apps published with reproducible builds this month. [<a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2844">…</a>]</p></li><li><p>FC Stegerman outlined a bug where <a href="https://gist.github.com/obfusk/61046e09cee352ae6dd109911534b12e"><code>baseline.profm</code> files are nondeterministic</a>, developed a workaround, and provided all the details required for a fix. As they note, this issue <a href="https://android.googlesource.com/platform/tools/base/+/2f2c6b30b55e18e2672edf5ee8e8e583be759d3e">has now been fixed</a> but the fix is not yet part of an official <a href="https://developer.android.com/studio/releases/gradle-plugin">Android Gradle plugin release</a>.</p></li><li><p>GitLab user <a href="https://gitlab.com/Parwor"><em>Parwor</em></a> discovered that the number of CPU cores can affect the reproducibility of <code>.dex</code> files. 
[<a href="https://gitlab.com/fdroid/rfp/-/issues/1519#note_1226216164">…</a>]</p></li><li><p>FC Stegerman also announced the <code>0.2.0</code> and <code>0.2.1</code> releases of <a href="https://github.com/obfusk/reproducible-apk-tools"><em>reproducible-apk-tools</em></a>, a suite of tools to help make <code>.apk</code> files reproducible. Several new subcommands and scripts were added, and a number of bugs were fixed as well [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002815.html">…</a>][<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002816.html">…</a>]. They also updated the <a href="https://f-droid.org/">F-Droid website</a> to improve the reproducibility-related documentation. [<a href="https://gitlab.com/fdroid/fdroid-website/-/merge_requests/895/diffs">…</a>][<a href="https://gitlab.com/fdroid/fdroid-website/-/merge_requests/901/diffs">…</a>]</p></li><li><p>On the F-Droid issue tracker, FC Stegerman <a href="https://gitlab.com/fdroid/fdroiddata/-/merge_requests/12145#note_1231715091">discussed reproducible builds</a> with one of the developers of the <a href="https://threema.ch/">Threema messenger app</a> and reported that Android SDK <em>build-tools</em> <code>31.0.0</code> and <code>32.0.0</code> (unlike earlier and later versions) have a <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2816#note_1249683547"><code>zipalign</code> command that produces incorrect padding</a>.</p></li><li><p>A number of bugs related to reproducibility were discovered in Android itself. Firstly, the non-deterministic order of <code>.zip</code> entries in <code>.apk</code> files [<a href="https://issuetracker.google.com/issues/265653160">…</a>] and then newline differences between building on Windows versus Linux that can make builds not reproducible as well. 
[<a href="https://issuetracker.google.com/issues/266109851">…</a>] (Note that these links may require a Google account to view.)</p></li><li><p>And just before the end of the month, FC Stegerman started a thread on <a href="https://lists.reproducible-builds.org/listinfo/rb-general">our mailing list</a> on the topic of <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002825.html">hiding data/code in APK embedded signatures</a> which has been made possible by the <a href="https://source.android.com/docs/security/features/apksigning">Android APK Signature Scheme v2/v3</a>. As part of this, they made an Android app that reads the APK Signing block of its own APK and extracts a payload in order to alter its behaviour called <a href="https://github.com/obfusk/sigblock-code-poc"><em>sigblock-code-poc</em></a>.</p></li></ul><h3 id="debian">Debian</h3><p><a href="https://debian.org/"><img src="/images/reports/2023-01/debian.png#right" alt="" /></a></p><p>As mentioned in <a href="/reports/2022-12/">last month’s report</a>, Vagrant Cascadian has been organising a series of online sprints in order to ‘clear the huge backlog of reproducible builds patches submitted’ by performing NMUs (<a href="https://wiki.debian.org/NonMaintainerUpload">Non-Maintainer Uploads</a>). 
During January, a sprint took place on the 10th, resulting in the following uploads:</p><ul><li><p>Chris Lamb:</p><ul><li><a href="https://tracker.debian.org/pkg/critcl"><code>critcl</code></a> (<a href="https://bugs.debian.org/963600">#963600</a>)</li><li><a href="https://tracker.debian.org/pkg/log4cpp"><code>log4cpp</code></a> (<a href="https://bugs.debian.org/1020662">#1020662</a>)</li><li><a href="https://tracker.debian.org/pkg/logapp"><code>logapp</code></a> (<a href="https://bugs.debian.org/1010845">#1010845</a>)</li><li><a href="https://tracker.debian.org/pkg/nanomsg"><code>nanomsg</code></a> (<a href="https://bugs.debian.org/1001853">#1001853</a>)</li></ul></li><li><p>Holger Levsen:</p><ul><li><a href="https://tracker.debian.org/pkg/netkit-rsh"><code>netkit-rsh</code></a> (<a href="https://bugs.debian.org/1020798">#1020798</a>)</li><li><a href="https://tracker.debian.org/pkg/wcwidth"><code>wcwidth</code></a> (<a href="https://bugs.debian.org/1005408">#1005408</a>)</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://tracker.debian.org/pkg/mc"><code>mc</code></a> (<a href="https://bugs.debian.org/828683">#828683</a>)</li><li><a href="https://tracker.debian.org/pkg/gtk-sharp3"><code>gtk-sharp3</code></a> (<a href="https://bugs.debian.org/989965">#989965</a> &amp; <a href="https://bugs.debian.org/989966">#989966</a>)</li></ul></li></ul><p>During this sprint, Holger Levsen filed Debian bug <a href="https://bugs.debian.org/1028615">#1028615</a> to request that the <a href="https://tracker.debian.org"><code>tracker.debian.org</code></a> service display results of reproducible rebuilds, not just reproducible ‘CI’ results.</p><p>Elsewhere in Debian, <a href="https://tracker.debian.org/pkg/strip-nondeterminism"><em>strip-nondeterminism</em></a> is our tool to remove specific non-deterministic results from a completed build. 
This month, version <code>1.13.1-1</code> was <a href="https://tracker.debian.org/news/1409573/accepted-strip-nondeterminism-1131-1-source-into-unstable/">uploaded to Debian unstable</a> by Holger Levsen, including a fix by FC Stegerman (<em>obfusk</em>) to update a regular expression for the latest version of <code>file(1)</code> [<a href="https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/f1017c6">…</a>]. (<a href="https://bugs.debian.org/1028892">#1028892</a>)</p><p>Lastly, 65 reviews of Debian packages were added, 21 were updated and 35 were removed this month adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>.</p><h3 id="other-distributions">Other distributions</h3><p>In other distributions:</p><p><a href="https://www.opensuse.org/"><img src="/images/reports/2023-01/opensuse.png#right" alt="" /></a></p><ul><li><p>Bernhard M. Wiedemann published another <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/RQ3TMTIOU7HUX5TIP7IE7KT7ZWERWPXB/">monthly report for reproducibility within openSUSE</a>, as well as <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/2DKRGC4EIBVUVP6RWHBCEL5SJKCTWRFM/">a belated report for December 2022</a>.</p></li><li><p>It was announced that <a href="https://docs.fedoraproject.org/en-US/releases/rawhide/">Fedora Rawhide</a> now ‘clamps’ file modification times to <a href="/docs/source-date-epoch/"><code>SOURCE_DATE_EPOCH</code></a>. 
[<a href="https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/2BDU7CFZGEXUWBHJIZDB2QAOIR2R5TFN/">…</a>]</p></li><li><p>Finally, an existing tool called <a href="https://github.com/fepitre/rpmreproduce"><em>rpmreproduce</em></a> was (re-)discovered this month, which claims that “given a buildinfo file from a RPM package, [it can] generate instructions for attempting to reproduce the binary packages built from the associated source and build information.”</p></li></ul><hr /><h2 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h2><p><a href="https://diffoscope.org"><img src="/images/reports/2023-01/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb made the following changes to <a href="https://diffoscope.org">diffoscope</a>, including preparing and uploading versions <code>231</code>, <code>232</code>, <code>233</code> and <code>234</code> to Debian:</p><ul><li>No need for <code>from __future__ import print_function</code> import anymore. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7a1dc409">…</a>]</li><li>Comment and tidy the <code>extras_require.json</code> handling. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7129af15">…</a>]</li><li>Split inline Python code to generate test <code>Recommends</code> into a separate Python script. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/c341b63a">…</a>]</li><li>Update <code>debian/tests/control</code> after merging support for <a href="https://pypdf2.readthedocs.io/">PyPDF</a>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/2e317927">…</a>]</li><li>Correctly catch segfaulting <code>cd-iccdump</code> binary. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/2d95ae41">…</a>]</li><li>Drop some old debugging code. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/fca2293a">…</a>]</li><li>Allow ICC tests to (temporarily) fail. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/dff253b5">…</a>]</li></ul><p>In addition, FC Stegerman (<em>obfusk</em>) made a number of changes, including:</p><ul><li>Updating the <code>test_text_proper_indentation</code> test to support the latest version(s) of <a href="https://en.wikipedia.org/wiki/File_(command)"><code>file(1)</code></a>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/329">…</a>]</li><li>Use an <code>extras_require.json</code> file to store some build/release metadata, instead of accessing the internet. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/325">…</a>]</li><li>Updating an APK-related <a href="https://en.wikipedia.org/wiki/File_(command)"><code>file(1)</code></a> regular expression. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/72f8f33d">…</a>]</li><li>On the <a href="https://diffoscope.org/"><em>diffoscope.org</em> website</a>, de-duplicate contributors by e-mail. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/1ebaa67">…</a>]</li></ul><p>Lastly, Sam James added support for <a href="https://pypi.org/project/pypdf/">PyPDF</a> version 3 [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/6aed2e53">…</a>] and Vagrant Cascadian updated a handful of tool references for <a href="https://guix.gnu.org/">GNU Guix</a>. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/a0b80552">…</a>][<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/a10a169c">…</a>]</p><hr /><h3 id="upstream-patches">Upstream patches</h3><p>The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. Wiedemann:</p><ul><li><a href="https://github.com/praiskup/argparse-manpage/pull/76"><code>argparse</code></a> (date-related issue)</li><li><a href="https://github.com/peterbrittain/asciimatics/pull/365"><code>asciimatics</code></a> (build failure)</li><li><a href="https://github.com/MagicStack/asyncpg/issues/997"><code>asyncpg</code></a> (fails to build in 2032)</li><li><a href="https://github.com/python/cpython/issues/101069"><code>cpython</code></a> (fails to build in 2038)</li><li><a href="https://github.com/django/django/pull/16459"><code>django</code></a> (fails to build in 2038)</li><li><a href="https://github.com/GrandOrgue/grandorgue/pull/1358"><code>grandorgue</code></a> (<code>.zip</code>-related issue)</li><li><a href="https://github.com/libarchive/libarchive/pull/1836"><code>libarchive</code></a> (fails to build in 2038)</li><li><a href="https://github.com/libarchive/libarchive/pull/1838"><code>libarchive</code></a> (fails to build in 2038)</li><li><a href="https://github.com/RusXMMS/librcc/pull/5"><code>librcc</code></a> (date)</li><li><a href="https://github.com/Mbed-TLS/mbedtls/issues/6978"><code>mbedtls</code></a> (fails to build in 2023)</li><li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1813401"><code>mozilla-nss</code></a> (fails to build in 2023)</li><li><a href="https://build.opensuse.org/request/show/1061850"><code>ocaml-rpm-macros</code></a> (fix fallout from an RPM-related change)</li><li><a href="https://github.com/libwww-perl/HTTP-Cookies/pull/72"><code>perl HTTP::Cookies</code></a> (fails to build in 
2038)</li><li><a href="https://build.opensuse.org/request/show/1058352"><code>python-aiosmtplib/python-trustme</code></a> (fails to build in 2038 due to SSL certificate)</li><li><a href="https://github.com/intel/bmap-tools/issues/116"><code>python-bmap</code></a> (fails to build in 2024)</li><li><a href="https://github.com/fedora-python/compileall2/pull/26"><code>python-compileall2</code></a> (fails to build in 2038)</li><li><a href="https://github.com/GothenburgBitFactory/taskwarrior/issues/3050"><code>taskwarrior</code></a> (<code>python-tasklib</code> fails to build in 2038)</li><li><a href="https://github.com/GothenburgBitFactory/taskwarrior/pull/3052"><code>taskwarrior</code></a> (fix fails to build in 2038)</li><li><a href="https://github.com/wg/wrk/issues/507"><code>wrk</code></a> (hash ordering issue)</li><li><a href="https://build.opensuse.org/request/show/1058331"><code>xemacs</code></a> (fails to build in 2038 stuck)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1027988">#1027988</a> filed against <a href="https://tracker.debian.org/pkg/click"><code>click</code></a>.</li><li><a href="https://bugs.debian.org/1027992">#1027992</a> filed against <a href="https://tracker.debian.org/pkg/towncrier"><code>towncrier</code></a>.</li><li><a href="https://bugs.debian.org/1028051">#1028051</a> filed against <a href="https://tracker.debian.org/pkg/unifrac-tools"><code>unifrac-tools</code></a>.</li><li><a href="https://bugs.debian.org/1028310">#1028310</a> filed against <a href="https://tracker.debian.org/pkg/hamster-time-tracker"><code>hamster-time-tracker</code></a>.</li><li><a href="https://bugs.debian.org/1028515">#1028515</a> filed against <a href="https://tracker.debian.org/pkg/accel-config"><code>accel-config</code></a>.</li><li><a href="https://bugs.debian.org/1029295">#1029295</a> filed against <a href="https://tracker.debian.org/pkg/python-miio"><code>python-miio</code></a>.</li><li><a 
href="https://bugs.debian.org/1029297">#1029297</a> filed against <a href="https://tracker.debian.org/pkg/python-graphviz"><code>python-graphviz</code></a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1029227">#1029227</a> filed against <a href="https://tracker.debian.org/pkg/ectrans"><code>ectrans</code></a>.</li><li><a href="https://bugs.debian.org/1029303">#1029303</a> filed against <a href="https://tracker.debian.org/pkg/fiat-ecmwf"><code>fiat-ecmwf</code></a>.</li><li><a href="https://bugs.debian.org/1029307">#1029307</a> filed against <a href="https://tracker.debian.org/pkg/node-katex"><code>node-katex</code></a>.</li><li><a href="https://bugs.debian.org/1029800">#1029800</a> filed against <a href="https://tracker.debian.org/pkg/aribas"><code>aribas</code></a>.</li><li><a href="https://bugs.debian.org/1029801">#1029801</a> filed against <a href="https://tracker.debian.org/pkg/tbox"><code>tbox</code></a>.</li><li><a href="https://bugs.debian.org/1029807">#1029807</a> filed against <a href="https://tracker.debian.org/pkg/borgbackup2"><code>borgbackup2</code></a>.</li><li><a href="https://bugs.debian.org/1029809">#1029809</a> filed against <a href="https://tracker.debian.org/pkg/dnf-plugins-core"><code>dnf-plugins-core</code></a>.</li><li><a href="https://bugs.debian.org/1030057">#1030057</a> filed against <a href="https://tracker.debian.org/pkg/refpolicy"><code>refpolicy</code></a>.</li></ul></li><li><p>FC Stegerman:</p><ul><li>Several patches for <a href="https://en.wikipedia.org/wiki/File_(command)"><code>file(1)</code></a> (which is used by reproducible builds tools like <em>diffoscope</em> and <em>strip-nondeterminism</em>) that improve detection of various file formats are now included in the Debian packaging. 
[<a href="https://github.com/file/file/search?q=FC+Stegerman&amp;type=commits">…</a>]</li></ul></li></ul><hr /><h2 id="testing-framework">Testing framework</h2><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2023-01/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a> in order to check packages and other artifacts for reproducibility. In January, the following changes were made by Holger Levsen:</p><ul><li><p>Node changes:</p><ul><li>Add three new nodes hosted at the <a href="https://osuosl.org/">Oregon State University Open Source Lab</a> including integrating them into the DNS, maintenance and monitoring systems. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/48a18e51">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/26497180">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e151cc7c">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/93115d67">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/840dc8da">…</a>]</li></ul></li><li><p>Debian-related changes:</p><ul><li>Only keep <a href="https://diffoscope.org">diffoscope</a>’s HTML output (i.e. no <code>.json</code> or <code>.txt</code>) for LTS suites and older in order to save disk space on the Jenkins host. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/098742fb">…</a>]</li><li>Re-create <code>pbuilder</code> base less frequently for the <code>stretch</code>, <code>bookworm</code> and <code>experimental</code> suites. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/d2d7923c">…</a>]</li></ul></li><li><p>OpenWrt-related changes:</p><ul><li>Add gcc-multilib to <code>OPENWRT_HOST_PACKAGES</code> and install it on the nodes that need it. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7f88cba8">…</a>]</li><li>Detect more problems in the health check when failing to build OpenWrt. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/02ce1d17">…</a>]</li></ul></li><li><p>Misc changes:</p><ul><li>Update the <code>chroot-run</code> script to correctly manage <code>/dev</code> and <code>/dev/pts</code>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/0e49a9eb">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a68ae0fd">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/f18ba089">…</a>]</li><li>Update the Jenkins ‘shell monitor’ script to collect disk stats less frequently [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2ea61357">…</a>] and to include various directory stats. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/00400ad4">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e5b31286">…</a>]</li><li>Update the ‘real’ year in the configuration in order to be able to detect whether a node is running in the future or not. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/3827ba7c">…</a>]</li><li>Bump copyright years in the default page footer. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ff82ec5f">…</a>]</li></ul></li></ul><p>In addition, Christian Marangi submitted a patch to build OpenWrt packages with the <code>V=s</code> flag to enable debugging. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e8db59c3">…</a>]</p><hr /><p>If you are interested in contributing to the Reproducible Builds project, please visit the <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. 
You can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mastodon: <a href="https://fosstodon.org/@reproducible_builds">@reproducible_builds@fosstodon.org</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in December 2022</title><pubDate>Sat, 07 Jan 2023 15:22:28 +0000</pubDate><link>https://reproducible-builds.org/reports/2022-12/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2022-12/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-12/reproducible-builds.png#right" alt="" /></a></p><p><strong>Welcome to the December 2022 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project.</strong></p><hr /><p><a href="/events/hamburg2023/"><img src="/images/reports/2022-12/summit_photo.jpg#right" alt="" /></a></p><p>We are extremely pleased to announce that the dates for the <a href="/events/hamburg2023/">Reproducible Builds Summit in 2023</a> have already been announced in 2022:</p><ul><li>When: October 31st, November 1st and November 2nd 2023.</li><li>Where: <a href="https://dock-europe.net/"><em>Dock Europe</em></a>, Hamburg, Germany.</li></ul><p>We plan to spend three days continuing to grow the Reproducible Builds effort. As in previous events, the exact content of the meeting will be shaped by the participants. 
And, as mentioned in <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002804.html">Holger Levsen’s post to our mailing list</a>, the dates have been booked and confirmed with the venue, so if you are considering attending, <strong>please reserve these dates</strong> in your calendar today.</p><hr /><p><a href="https://remy.grunblatt.org/nix-and-nixos-my-pain-points.html"><img src="/images/reports/2022-12/nixos.png#right" alt="" /></a></p><p><a href="https://remy.grunblatt.org/">Rémy Grünblatt</a>, an associate professor at the <a href="https://telecom-sudparis.eu/">Télécom Sud-Paris</a> engineering school, wrote up his <a href="https://remy.grunblatt.org/nix-and-nixos-my-pain-points.html">“pain points” of using Nix and NixOS</a>. Although some of the points do not touch on reproducible builds, Rémy describes problems he has encountered with the different kinds of reproducibility that these distributions appear to promise, including configuration files affecting the behaviour of systems, the fragility of upstream sources and the conventional idea of binary reproducibility.</p><hr /><p><a href="https://go.dev/"><img src="/images/reports/2022-12/golang.png#right" alt="" /></a></p><p>Morten Linderud reported that he is quietly optimistic that if the <a href="https://go.dev">Go programming language</a> resolves all of its issues with reproducible builds (<a href="https://github.com/golang/go/issues/57120">tracking issue</a>) then the Go binaries distributed by Google and by <a href="https://archlinux.org/">Arch Linux</a> may be bit-for-bit identical. “It’s just a bit early to sorta figure out what roadblocks there are. 
[But] Go bootstraps itself every build, so in theory I think it should be possible.”</p><hr /><p><a href="/news/2022/12/15/supporter-spotlight-davidawheeler-supply-chain-security/"><img src="/images/reports/2022-12/dwheeler-2003c.jpg#right" alt="" /></a></p><p>On December 15th, Holger Levsen published an <a href="/news/2022/12/15/supporter-spotlight-davidawheeler-supply-chain-security/">in-depth interview he performed with David A. Wheeler</a> on supply-chain security and reproducible builds, which also touches on the biggest challenges in computing today.</p><p>This is part of a larger series of posts featuring the projects, companies and individuals who support the Reproducible Builds project. Other instalments include an article <a href="/news/2020/10/21/supporter-spotlight-cip-project/">featuring the Civil Infrastructure Platform</a> project, a <a href="/news/2021/04/06/supporter-spotlight-ford-foundation/">post about the Ford Foundation</a>, and more recent ones about <a href="/news/2022/04/14/supporter-spotlight-ardc/">ARDC</a>, the <a href="/news/2022/04/26/supporter-spotlight-google-open-source-security-team/">Google Open Source Security Team (GOSST)</a>, <a href="/news/2022/05/18/jan-nieuwenhuizen-on-bootrappable-builds-gnu-mes-and-gnu-guix/">Jan Nieuwenhuizen on Bootstrappable Builds, GNU Mes and GNU Guix</a> and <a href="/news/2022/06/24/supporter-spotlight-hans-christoph-steiner-f-droid-project/">Hans-Christoph Steiner of the F-Droid project</a>.</p><hr /><p><a href="/"><img src="/images/reports/2022-12/reproducible-builds.png#right" alt="" /></a></p><p>A number of changes were made to the Reproducible Builds website and documentation this month, including FC Stegerman adding an F-Droid/apksigcopier example to our <a href="/docs/embedded-signatures/">embedded signatures</a> page [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/34817389">…</a>], Holger Levsen making a large number of 
changes related to the 2022 summit in Venice as well as 2023’s summit in Hamburg [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6ae3578d">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/41a1779c">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/0539562a">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ba9a56a9">…</a>] and Simon Butler updated our <a href="/docs/publications/">publications page</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6cc6f723">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bbdda2b4">…</a>].</p><hr /><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month, James Addison asked a question about whether there has been any effort to trace the files used by a build system in order to identify the corresponding build-dependency packages. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002779.html">…</a>] In addition, Bernhard M. Wiedemann then posed a thought-provoking question asking “<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002782.html">How to talk to skeptics?</a>”, which was occasioned by a colleague who had <a href="https://fy.blackhats.net.au/blog/html/2021/05/12/compiler_bootstrapping_can_we_trust_rust.html">published a blog post in May 2021 skeptical of reproducible builds</a>. 
The thread generated a number of replies.</p><hr /><h3 id="android-news">Android news</h3><p><a href="https://en.wikipedia.org/wiki/Android_(operating_system)"><img src="/images/reports/2022-12/android.png#right" alt="" /></a></p><p><em>obfusk</em> (FC Stegerman) <a href="https://gist.github.com/obfusk/c51ebbf571e04ddf29e21146096675f8">performed a thought-provoking review</a> of tools designed to determine the difference between two different <code>.apk</code> files shipped by a number of free-software instant messenger applications.</p><p>These scripts are often necessary in the Android/APK ecosystem because these files contain embedded signatures, so the conventional bit-for-bit comparison cannot be used. After detailing a litany of issues with these tools, they come to the conclusion that:</p><blockquote><p>It’s quite possible these messengers actually have reproducible builds, but the verification scripts they use don’t actually allow us to verify whether they do.</p></blockquote><p>This reflects the consensus view within the Reproducible Builds project: pursuing a situation in language or package ecosystems where binaries are bit-for-bit identical (over requiring a bespoke ecosystem-specific tool) is not a luxury demanded by purist engineers, but rather the only <em>practical</em> way to demonstrate reproducibility. 
<em>obfusk</em> also <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-December/002769.html">announced the first release of their own set of tools</a> on our mailing list.</p><p>Related to this, <em>obfusk</em> also <a href="https://github.com/mastodon/mastodon-android/issues/4#issuecomment-1336259343">posted to an issue filed against Mastodon</a> regarding the difficulties of creating bit-by-bit identical APKs, especially with respect to copying <a href="https://source.android.com/docs/security/features/apksigning/v2">v2/v3 APK signatures</a> created by different tools; they also reported that some APK ordering differences were not caused by building on macOS after all, but by using <a href="https://developer.android.com/studio">Android Studio</a> [<a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2816#note_1204147286">…</a>] and that F-Droid <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2844">added 16 more apps published with Reproducible Builds</a> in December.</p><hr /><h3 id="debian">Debian</h3><p><a href="https://debian.org/"><img src="/images/reports/2022-12/debian.png#right" alt="" /></a></p><p>As mentioned in <a href="/reports/2022-11/">last month’s report</a>, Vagrant Cascadian has been organising a series of online sprints in order to ‘clear the huge backlog of reproducible builds patches submitted’ by performing NMUs (<a href="https://wiki.debian.org/NonMaintainerUpload">Non-Maintainer Uploads</a>).</p><p>During December, meetings were held on the 1st, 8th, 15th, 22nd and 29th, resulting in a large number of uploads and bugs being addressed:</p><ul><li><p>Chris Lamb: <a href="https://tracker.debian.org/pkg/aespipe"><code>aespipe</code></a> (<a href="https://bugs.debian.org/661079">#661079</a>, <a href="https://bugs.debian.org/1020809">#1020809</a>), <a href="https://tracker.debian.org/pkg/cdbackup"><code>cdbackup</code></a> (<a href="https://bugs.debian.org/1011428">#1011428</a>) &amp; <a 
href="https://tracker.debian.org/pkg/xmlrpc-epi"><code>xmlrpc-epi</code></a> (<a href="https://bugs.debian.org/865688">#865688</a>, <a href="https://bugs.debian.org/1020651">#1020651</a>)</p></li><li><p>Holger Levsen: <a href="https://tracker.debian.org/pkg/apr-util"><code>apr-util</code></a> (<a href="https://bugs.debian.org/1006865">#1006865</a>), <a href="https://tracker.debian.org/pkg/lirc"><code>lirc</code></a> (<a href="https://bugs.debian.org/979024">#979024</a>) &amp; <a href="https://tracker.debian.org/pkg/ruby-omniauth-tumblr"><code>ruby-omniauth-tumblr</code></a></p></li><li><p>Vagrant Cascadian: <a href="https://tracker.debian.org/pkg/amavisd-milter"><code>amavisd-milter</code></a> (<a href="https://bugs.debian.org/975954">#975954</a>), <a href="https://tracker.debian.org/pkg/apophenia"><code>apophenia</code></a> (<a href="https://bugs.debian.org/940013">#940013</a>), <a href="https://tracker.debian.org/pkg/cfi"><code>cfi</code></a> (<a href="https://bugs.debian.org/995647">#995647</a>), <a href="https://tracker.debian.org/pkg/chessx"><code>chessx</code></a> (<a href="https://bugs.debian.org/881664">#881664</a>), <a href="https://tracker.debian.org/pkg/cmocka"><code>cmocka</code></a> (<a href="https://bugs.debian.org/991181">#991181</a>), <a href="https://tracker.debian.org/pkg/desmume"><code>desmume</code></a> (<a href="https://bugs.debian.org/890312">#890312</a>), <a href="https://tracker.debian.org/pkg/golang-gonum-v1-plot"><code>golang-gonum-v1-plot</code></a> (<a href="https://bugs.debian.org/968045">#968045</a>), <a href="https://tracker.debian.org/pkg/intel-gpu-tools"><code>intel-gpu-tools</code></a> (<a href="https://bugs.debian.org/945105">#945105</a>), <a href="https://tracker.debian.org/pkg/jhbuild"><code>jhbuild</code></a> (<a href="https://bugs.debian.org/971420">#971420</a>), <a href="https://tracker.debian.org/pkg/libjama"><code>libjama</code></a> (<a href="https://bugs.debian.org/986601">#986601</a>), <a 
href="https://tracker.debian.org/pkg/libjs-qunit"><code>libjs-qunit</code></a> (<a href="https://bugs.debian.org/976445">#976445</a>), <a href="https://tracker.debian.org/pkg/liblip"><code>liblip</code></a> (<a href="https://bugs.debian.org/1001513">#1001513</a>, <a href="https://bugs.debian.org/989583">#989583</a>), <a href="https://tracker.debian.org/pkg/libstatgrab"><code>libstatgrab</code></a> (<a href="https://bugs.debian.org/961747">#961747</a>), <a href="https://tracker.debian.org/pkg/mlpost"><code>mlpost</code></a> (<a href="https://bugs.debian.org/977179">#977179</a> and <a href="https://bugs.debian.org/977180">#977180</a>), <a href="https://tracker.debian.org/pkg/netcdf-parallel"><code>netcdf-parallel</code></a> (<a href="https://bugs.debian.org/972930">#972930</a>), <a href="https://tracker.debian.org/pkg/netgen-lvs"><code>netgen-lvs</code></a> (<a href="https://bugs.debian.org/955783">#955783</a>), <a href="https://tracker.debian.org/pkg/perfect-scrollbar"><code>perfect-scrollbar</code></a> (<a href="https://bugs.debian.org/1000770">#1000770</a>), <a href="https://tracker.debian.org/pkg/python-tomli"><code>python-tomli</code></a> (<a href="https://bugs.debian.org/994979">#994979</a>), <a href="https://tracker.debian.org/pkg/pytsk"><code>pytsk</code></a> (<a href="https://bugs.debian.org/992060">#992060</a>), <a href="https://tracker.debian.org/pkg/smplayer"><code>smplayer</code></a> (<a href="https://bugs.debian.org/997689">#997689</a>), <a href="https://tracker.debian.org/pkg/squeak-plugins-scratch"><code>squeak-plugins-scratch</code></a> (<a href="https://bugs.debian.org/876771">#876771</a>, <a href="https://bugs.debian.org/942006">#942006</a>), <a href="https://tracker.debian.org/pkg/stgit"><code>stgit</code></a> (<a href="https://bugs.debian.org/942009">#942009</a>), <a href="https://tracker.debian.org/pkg/strace"><code>strace</code></a> (<a href="https://bugs.debian.org/896016">#896016</a>), <a 
href="https://tracker.debian.org/pkg/surgescript"><code>surgescript</code></a> (<a href="https://bugs.debian.org/992061">#992061</a>), <a href="https://tracker.debian.org/pkg/sympow"><code>sympow</code></a> (<a href="https://bugs.debian.org/973601">#973601</a>), <a href="https://tracker.debian.org/pkg/wxmaxima"><code>wxmaxima</code></a> (<a href="https://bugs.debian.org/983148">#983148</a>), <a href="https://tracker.debian.org/pkg/xavs2"><code>xavs2</code></a> (<a href="https://bugs.debian.org/952493">#952493</a>), <a href="https://tracker.debian.org/pkg/xaw3d"><code>xaw3d</code></a> (<a href="https://bugs.debian.org/991180">#991180</a>, <a href="https://bugs.debian.org/986704">#986704</a>) and <a href="https://tracker.debian.org/pkg/yard"><code>yard</code></a> (<a href="https://bugs.debian.org/972668">#972668</a>).</p></li></ul><p>The next sprint is <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002807.html">due to take place this coming Tuesday, January 10th at 16:00 UTC</a>.</p><hr /><h3 id="upstream-patches">Upstream patches</h3><p>The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://gitlab.com/CalcProgrammer1/OpenRGB/-/merge_requests/1567"><code>OpenRGB</code></a> (filesystem ordering issue)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1206342"><code>python-maturin</code></a> (report an issue regarding random numbers)</li><li><a href="https://github.com/xiph/rav1e/pull/3081"><code>rav1e</code></a> (datetime-related issue)</li><li><a href="https://github.com/WeblateOrg/weblate/issues/8556"><code>weblate</code></a> (report that the build fails in 2038)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1025415">#1025415</a> filed against <a href="https://tracker.debian.org/pkg/cctools"><code>cctools</code></a>.</li><li><a href="https://bugs.debian.org/1025801">#1025801</a> filed against <a href="https://tracker.debian.org/pkg/sphinx"><code>sphinx</code></a> (<a href="https://github.com/sphinx-doc/sphinx/pull/11037">forwarded upstream</a>)</li><li><a href="https://bugs.debian.org/1026381">#1026381</a> filed against <a href="https://tracker.debian.org/pkg/python-django-health-check"><code>python-django-health-check</code></a>.</li><li><a href="https://bugs.debian.org/1026876">#1026876</a> filed against <a href="https://tracker.debian.org/pkg/jamin"><code>jamin</code></a>.</li><li><a href="https://bugs.debian.org/1026877">#1026877</a> filed against <a href="https://tracker.debian.org/pkg/opari2"><code>opari2</code></a>.</li></ul></li></ul><hr /><h3 id="testing-framework">Testing framework</h3><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2022-12/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a> in order to check packages and other artifacts for reproducibility. 
In October, the following changes were made by Holger Levsen:</p><ul><li>The <code>osuosl167</code> machine is no longer an <code>openqa-worker</code> node. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/3aaabdbd">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/64841ce1">…</a>]</li><li>Detect problems with APT repository signatures [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b800b755">…</a>] and update a repository signing key [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/fbe0179c">…</a>].</li><li>Improve the job output of the reproducible Debian <code>builtin-pho</code> job. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/0e71f347">…</a>]</li><li>Only install the <code>foot-terminfo</code> package on Debian systems. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/10319000">…</a>]</li></ul><p>In addition, Mattia Rizzolo added support for the version of <a href="https://diffoscope.org"><em>diffoscope</em></a> in Debian <em>stretch</em>, which doesn’t support the <code>--timeout</code> flag. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/988c1e94">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/1f5ae3b7">…</a>]</p><hr /><h3 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h3><p><a href="https://diffoscope.org"><img src="/images/reports/2022-12/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. 
This month, Chris Lamb made the following changes to <a href="https://diffoscope.org">diffoscope</a>, including preparing and uploading versions <code>228</code>, <code>229</code> and <code>230</code> to Debian:</p><ul><li>Fix compatibility with <a href="https://darwinsys.com/file/"><code>file(1)</code></a> version 5.43, with thanks to Christoph Biedl. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/44ebd188">…</a>]</li><li>Skip the <code>test_html.py::test_diff</code> test if <code>html2text</code> is not installed. (<a href="https://bugs.debian.org/1026034">#1026034</a>)</li><li>Update copyright years. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/9ac43af7">…</a>]</li></ul><p>In addition, Jelle van der Waa added support for <a href="https://en.wikipedia.org/wiki/Berkeley_DB">Berkeley DB</a> version 6. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/ab87ab6a">…</a>]</p><p>Orthogonal to this, Holger Levsen bumped the Debian <a href="https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-standards-version"><code>Standards-Version</code></a> on all of our packages, including <em>diffoscope</em> [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/e980ce7c">…</a>], <em>strip-nondeterminism</em> [<a href="https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/4380d64">…</a>], <em>disorderfs</em> [<a href="https://salsa.debian.org/reproducible-builds/disorderfs/commit/878de25">…</a>] and <em>reprotest</em> [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/18e4f65">…</a>].</p><hr /><p>If you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. 
You can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Supporter spotlight: David A. Wheeler on supply chain security</title><pubDate>Thu, 15 Dec 2022 12:00:00 +0000</pubDate><link>https://reproducible-builds.org/news/2022/12/15/supporter-spotlight-davidawheeler-supply-chain-security/</link><guid isPermaLink="true">https://reproducible-builds.org/news/2022/12/15/supporter-spotlight-davidawheeler-supply-chain-security/</guid><description><p><big>The Reproducible Builds project <a href="/who/">relies on several projects, supporters and sponsors</a> for financial support, but they are also valued as ambassadors who spread the word about our project and the work that we do.</big></p><p>This is the <em>sixth</em> instalment in a series featuring the projects, companies and individuals who support the Reproducible Builds project. 
We started this series by <a href="/news/2020/10/21/supporter-spotlight-cip-project/">featuring the Civil Infrastructure Platform</a> project and followed this up with a <a href="/news/2021/04/06/supporter-spotlight-ford-foundation/">post about the Ford Foundation</a> as well as recent ones about <a href="/news/2022/04/14/supporter-spotlight-ardc/">ARDC</a>, the <a href="/news/2022/04/26/supporter-spotlight-google-open-source-security-team/">Google Open Source Security Team (GOSST)</a>, <a href="/news/2022/05/18/jan-nieuwenhuizen-on-bootrappable-builds-gnu-mes-and-gnu-guix/">Jan Nieuwenhuizen on Bootstrappable Builds, GNU Mes and GNU Guix</a> and <a href="/news/2022/06/24/supporter-spotlight-hans-christoph-steiner-f-droid-project/">Hans-Christoph Steiner of the F-Droid project</a>.</p><p>Today, however, we will be talking with <big><strong>David A. Wheeler</strong></big>, the Director of Open Source Supply Chain Security at the <a href="https://www.linuxfoundation.org/">Linux Foundation</a>.</p><p><br /><br /></p><p><img src="/images/news/supporter-spotlight-david-a-wheeler/dwheeler-2003c.jpg#right" alt="" /></p><p><strong>Holger Levsen: Welcome, David, thanks for taking the time to talk with us today. First, could you briefly tell me about yourself?</strong></p><p>David: Sure! I’m David A. Wheeler and I work for the <a href="https://www.linuxfoundation.org/">Linux Foundation</a> as the Director of Open Source Supply Chain Security. That just means that my job is to help open source software projects improve their security, including its development, build, distribution, and incorporation in larger works, all the way out to its eventual use by end-users. In my copious free time I also teach at <a href="https://www.gmu.edu/">George Mason University</a> (GMU); in particular, I teach a graduate course on how to design and implement secure software.</p><p>My background is technical. 
I have a Bachelor’s in Electronics Engineering, a Master’s in Computer Science and a PhD in Information Technology.</p><p>My PhD dissertation is connected to reproducible builds. My PhD dissertation was on countering the ‘Trusting Trust’ attack, an attack that subverts fundamental build system tools such as compilers. The attack was discovered by Karger &amp; Schell in the 1970s, and later demonstrated &amp; popularized by Ken Thompson. In <a href="https://dwheeler.com/trusting-trust">my dissertation on ‘trusting trust’</a> I showed that a process called ‘Diverse Double-Compiling’ (DDC) could detect trusting trust attacks. That process is a specialized kind of reproducible build specifically designed to detect trusting trust style attacks. In addition, countering the trusting trust attack primarily becomes more important only when reproducible builds become more common. Reproducible builds enable detection of build-time subversions. Most attackers wouldn’t bother with a trusting trust attack if they could just directly use a build-time subversion of the software they actually want to subvert.</p><p><br /></p><p><strong>Holger: Thanks for taking the time to introduce yourself to us. What do you think are the biggest challenges today in computing?</strong></p><p>There are many big challenges in computing today. For example:</p><ul><li>Lack of resilience &amp; capacity in chip fabrication. Fabs are extraordinarily expensive, and at the high end continue to have technological advancement. As a result, supply is failing to meet demand, and geopolitical issues raise further concerns. We’ve seen cars, gaming consoles and many other devices unable to be delivered due to chip shortages. 
More fabs are being built, and some politicians are raising concerns, but it’s unclear that current efforts will be enough.</li><li>Lack of enough developers able to develop the software that people &amp; organizations need. Computers are far faster, and open source software has made software reuse incredibly easy. However, organizations still struggle to automate many tasks. The bottleneck is the lack of enough talented developers able to convert ideas into working software. ‘Low-code’ and ‘no-code’ approaches help in specialized areas, just like all previous ‘automate the programmer’ efforts of the last 60 years, but there’s no reason to believe they will help enough.</li><li>Large scale of software. Small systems are easier to develop &amp; maintain, but today’s systems increasingly get bigger to meet users’ needs &amp; are much harder to manage. Even small embedded systems are often supported by huge back-end systems.</li><li>Ending tail of Moore’s law &amp; rise of smartphones. Historically people would just wait a few years for their software to speed up, but Moore’s law is petering out, and smartphones are necessarily limited by power &amp; size limits. As a result, software developers can’t wait for the hardware to save their slow systems; they must redesign. Switching to faster languages, or using multiple processors, is much more difficult than waiting for performance problems to disappear.</li><li>Continuous change in interfaces. 
Developers continuously find reasons to change component interfaces: perhaps they’re too inflexible, too hard to use, and so on. But now that developers are reusing hundreds, thousands, or tens of thousands of components, managing the continuous change of the reused components is challenging. Package managers make updating easy — but don’t automatically handle interface changes. I think this is mostly a self-inflicted problem — most components <em>could</em> support old interfaces (like the Linux kernel does) — but because it’s often not acknowledged as a problem, it’s often not addressed.</li><li>Security &amp; privacy. Decades ago there were fewer computers and most computers weren’t connected to a network. Today things are different. Criminals have found many ways to attack computer systems to make money, and nation-states have found many ways to attack computer systems for their own reasons. Attackers now have very strong motivations to perform attacks. Yet many developers aren’t told how to develop software that resists attacks, nor how to protect their supply chains. Operations try to monitor and recover from attacks, but their job is difficult due to inadequately secure software that doesn’t support those monitoring &amp; recovery efforts well either. The results are terrible security.</li></ul><p><br /></p><p><strong>Holger: Do you think reproducible builds are an important part in secure computing today already?</strong></p><p>David: Yes, but first let’s put things in context.</p><p>Today, when attackers exploit software vulnerabilities, they’re primarily exploiting unintentional vulnerabilities that were created by the software developers. 
There are a lot of efforts to counter this:</p><ul><li>Train &amp; educate developers in how to develop secure software. The OpenSSF provides a <a href="https://openssf.org/training/courses/">free course on how to do that</a> (full disclosure: I’m the author). Take that course or something like it!</li><li>Add tools to your CI pipeline to detect potential vulnerabilities. Yes, they have false positives and false negatives, so you have to also use your brain… but that just means you need to be smart about using tools, instead of not using them.</li><li>Get projects &amp; organizations to update the components they use, since often the vulnerabilities are well-known publicly (e.g., <a href="https://en.wikipedia.org/wiki/2017_Equifax_data_breach">Equifax in 2017</a>). Add some tools to your development process to warn you about components with known vulnerabilities! GitHub &amp; GitLab both provide tools to do this, and there are many other tools.</li><li>When starting new projects, try to use memory-safe languages. On average 70% of the vulnerabilities in Chrome and in Microsoft are from memory safety problems; using a memory-safe language eliminates most of them.</li></ul><p>We’re just starting to get better at this, which is good. However, attackers always try to attack the easiest target. As our deployed software has started to be hardened against attack, attackers have dramatically increased their attacks on the software supply chain (<a href="https://www.sonatype.com/state-of-the-software-supply-chain/open-source-supply-demand-security">Sonatype found in 2022 that there’s been a 742% increase year-over-year</a>).</p><p>The software supply chain hasn’t historically gotten much attention, making it the easy target.</p><p>There are simple supply chain attacks with simple solutions:</p><ul><li>In almost every year the top attack has been typosquatting. In typosquatting, an attacker creates packages with <em>almost</em> the right name. 
This is an easy attack to counter — developers just need to double-check the name of a package before adding it. But we aren’t warning developers enough about it! For more information, see papers such as the <a href="https://dasfreak.github.io/Backstabbers-Knife-Collection/">Backstabber’s Knife Collection</a>.</li><li>Last year the top software supply chain attack was ‘dependency confusion’ — convincing projects to use the wrong repo for a given package. There are simple solutions to this, such as specifying the package source and/or requiring a cryptographic hash to match.</li><li>Some attacks involve takeovers of developer accounts. In almost all cases, these are caused by stolen passwords. Using a multi-factor authentication (MFA) token eliminates stolen password attacks, which is why several repositories are starting to require MFA tokens in some cases.</li></ul><p>Unfortunately, attackers know there are other lines of attack. One of the most dangerous is subverted build systems, as demonstrated by the subversion of SolarWinds’ Orion system. In a subverted build system, developers can review the software source code all day and see no problem, because there <em>is</em> no problem there. Instead, the process to convert source code into the code people run, called the ‘build system’, is subverted by an attacker.</p><p>One solution for countering subverted build systems is to make the build systems harder to attack.
That’s a good thing to do, but you can never be confident that it was ‘good enough’. How can you be sure it’s not subverted, if there’s no way to know?</p><p>A stronger defense against subverted build systems is the idea of verified reproducible builds. A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts. A build is <em>verified</em> if multiple different parties verify that they get the same result for that situation. When you have a verified reproducible build, either all the parties colluded (and you could always double-check it yourself), or the build process isn’t subverted.</p><p>There is one last turtle: What if the build system tools or machines are subverted themselves? This is not a common attack today, but it’s important to know if we <em>can</em> address them when the time comes. The good news is that we <em>can</em> address this. For some situations reproducible builds can also counter such attacks. If there’s a loop (that is, a compiler is used to generate itself), that’s called the ‘trusting trust’ attack, and that is more challenging. Thankfully, the ‘trusting trust’ attack has been known about for decades and there are known solutions. The ‘diverse double-compiling’ (DDC) process that I explained in my PhD dissertation, as well as the ‘bootstrappable builds’ process, can both counter trusting trust attacks in the software space.
So there is no reason to lose hope: there is a ‘bottom turtle’, as it were.</p><p><br /></p><p><strong>Holger: Thankfully, this has all slowly started to change and supply chain issues are now widely discussed, as evident by efforts like <a href="https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">Securing the Software Supply Chain: Recommended Practices Guide for Developers</a> which you shared <a href="https://lists.reproducible-builds.org/listinfo/rb-general">on our mailing list</a>. In there, Reproducible Builds are mentioned as recommended advanced practice, which is both pretty cool (we’ve come a long way!), but to me it also sounds like this will take another decade until it’s become standard normal procedure. Do you agree on that timeline?</strong></p><p>David: I don’t think there will be any particular timeframe. Different projects and ecosystems will move at different speeds. I wouldn’t be surprised if it took a decade or so for them to become relatively common — there are good reasons for that.</p><p>Today the most common kinds of attacks based on software vulnerabilities still involve unintentional vulnerabilities in operational systems. Attackers are starting to apply supply chain attacks, but the top such attacks today are typosquatting (creating packages with similar names) and dependency confusion (convincing projects to download packages from the wrong repositories).</p><p>Reproducible builds don’t counter those kinds of attacks, they counter subverted builds. It’s important to eventually have verified reproducible builds, but understandably other issues are currently getting prioritized first.</p><p>That said, reproducible builds are important long term. Many people are working on countering unintentional vulnerabilities and the most common kinds of supply chain attacks. As these other threats are countered, attackers will increasingly target build systems.
Attackers always go for the weakest link. We will eventually need verified reproducible builds in many situations, and it’ll take a while to get build systems able to widely perform reproducible builds, so we need to start that work now. That’s true for anything where you know you’ll need it but it will take a long time to get ready — you need to start now.</p><p><br /></p><p><strong>Holger: What are your suggestions to accelerate adoption?</strong></p><p>David: Reproducible builds need to be:</p><ul><li>Easy (ideally automatic). Tools need to be modified so that reproducible builds are the default or at least easier to do.</li><li>Transparent to projects &amp; potential users. Many projects have no idea that their results aren’t reproducible, and many potential users of the project don’t know either. That information needs to be obvious. I’ve proposed that the OpenSSF Dashboard SIG try to reproduce builds, for at least some packages, to make it more obvious to everyone when a project isn’t reproducible. I don’t know if that will happen in that particular case, but the point is to help people learn that information as soon as possible.</li><li>Deployed. Experiments are great, but experiments showing that a project <em>could</em> be reproducible are inadequate. We need the projects that people <em>use</em> to be reproducible.</li></ul><p>I think there’s a snowball effect. Once many projects’ packages are reproducible, it will be easier to convince other projects to make their packages reproducible.</p><p>I also think there should be some prioritization. If a package is in wide use (e.g., part of minimum set of packages for a widely-used Linux distribution or framework), its reproducibility should be a special focus. If a package is vital for supporting some societally important critical infrastructure (e.g., running dams), it should also be considered important.
You can then work on the ones that are less important over time.</p><p><br /></p><p><strong>Holger: How is the <a href="https://github.com/coreinfrastructure/best-practices-badge/">Best Practices Badge</a> going? How many projects are participating and how many are missing?</strong></p><p>David: It’s going very well. You can <a href="https://bestpractices.coreinfrastructure.org/project_stats">see some automatically-generated statistics</a>, showing we have over 5,000 projects, adding more than 1/day on average. We have more than 900 projects that have earned at least the ‘passing’ badge level.</p><p><br /></p><p><strong>Holger: How many of the projects participating in the Best Practices badge are engaging with reproducible builds?</strong></p><p>David: As of this writing there are 168 projects that report meeting the reproducible builds criterion. That’s a relatively small percentage of projects. However, note that this criterion (labelled <em>build_reproducible</em>) is only required for the ‘gold’ badge.
It’s not required for the passing or silver level badge.</p><p>Currently we’ve been strategically focused on getting projects to at least earn a passing badge, and less on earning silver or gold badges. We would <em>love</em> for all projects to earn a silver or gold badge, of course, but our theory is that projects that can’t even earn a passing badge present the most risk to their users.</p><p>That said, there are some projects we especially want to see implementing higher badge levels. Those include projects that are very widely used, so that vulnerabilities in them can impact many systems. Examples of such projects include the Linux kernel and curl. In addition, some projects are used within systems where it’s important to society that they not have serious security vulnerabilities. Examples include projects used by chemical manufacturers, financial systems and weapons. We definitely encourage any of those kinds of projects to earn higher badge levels.</p><p><br /></p><p><strong>Holger: Many thanks for this interview, David, and for all of your work at the Linux Foundation and elsewhere!</strong></p><p><br /><br /></p><p><a href="https://www.linuxfoundation.org/"><img src="/images/news/supporter-spotlight-david-a-wheeler/lf-stacked-color.svg#right" alt="" /></a></p><p><br /></p><hr /><p><br /><em>For more information about the Reproducible Builds project, please see our website at <a href="/">reproducible-builds.org</a>.
If you are interested in ensuring the ongoing security of the software that underpins our civilisation and wish to sponsor the Reproducible Builds project, please reach out to the project by emailing <a href="mailto:contact@reproducible-builds.org">contact@reproducible-builds.org</a>.</em></p></description></item><item><title>Reproducible Builds in November 2022</title><pubDate>Thu, 08 Dec 2022 17:45:11 +0000</pubDate><link>https://reproducible-builds.org/reports/2022-11/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2022-11/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-11/reproducible-builds.png#right" alt="" /></a></p><p>Welcome to yet another report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project, this time for <em>November 2022</em>. In all of these reports (which we have been <a href="/news/">publishing regularly since May 2015</a>) we attempt to outline the most important things that we have been up to over the past month.
As always, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><p><br /></p><h3 id="reproducible-builds-summit-2022">Reproducible Builds Summit 2022</h3><p><a href="/events/venice2022/"><img src="/images/reports/2022-11/summit_photo.jpg#right" alt="" /></a></p><p>Following-up from <a href="/reports/2022-10/">last month’s report</a> about our recent summit in Venice, Italy, a comprehensive report from the meeting has not been finalised yet — watch this space!</p><p>As a very small preview, however, we can link to several issues that were filed about the website during the summit (<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/38">#38</a>, <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/39">#39</a>, <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/40">#40</a>, <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/41">#41</a>, <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/42">#42</a>, <a href="https://salsa.debian.org/reproducible-builds/reproducible-website/-/issues/43">#43</a>, etc.) and collectively learned about <a href="https://en.wikipedia.org/wiki/Software_supply_chain#Usage">Software Bills of Materials</a> (SBOMs) and how <code>.buildinfo</code> files can be seen/used as SBOMs.
And, no less importantly, the Reproducible Builds t-shirt design has been updated…</p><hr /><h3 id="reproducible-builds-at-european-cyber-week-2022">Reproducible Builds at European Cyber Week 2022</h3><p><a href="https://www.european-cyber-week.eu/?lang=en"><img src="/images/reports/2022-11/cyberweek.jpg#right" alt="" /></a></p><p>During the <a href="https://www.european-cyber-week.eu/?lang=en">European Cyber Week 2022</a>, a <a href="https://en.wikipedia.org/wiki/Capture_the_flag_(cybersecurity)">Capture The Flag</a> (CTF) cybersecurity challenge was created by Frédéric Pierret on the subject of Reproducible Builds. The challenge was pedagogical in nature, based on how to make a software release reproducible. To progress through the challenge, issues that affect the reproducibility of a build (such as the build path, timestamps, file ordering, etc.) had to be fixed step by step in order to obtain the final ‘flag’ and win the challenge.</p><p>At the end of the competition, five people succeeded in solving the challenge, all of whom were awarded a shirt.
Frédéric Pierret intends to create a similar challenge in the form of a “how to” in the <a href="/docs/">Reproducible Builds documentation</a>, but two of the 2022 winners are shown here:</p><p><a href="https://www.european-cyber-week.eu/?lang=en"><img src="/images/reports/2022-11/IMG_20221130_220704_288.jpg#center" alt="" /></a></p><hr /><h3 id="on-business-adoption-and-use-of-reproducible-builds">‘<em>On business adoption and use of reproducible builds…</em>’</h3><p><a href="https://link.springer.com/article/10.1007/s11219-022-09607-z"><img src="/images/reports/2022-11/butler.png#right" alt="" /></a></p><p>Simon Butler <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-November/002761.html">announced on the <em>rb-general</em> mailing list</a> that the <a href="https://www.springer.com/journal/11219">Software Quality Journal</a> published an article called <a href="https://link.springer.com/article/10.1007/s11219-022-09607-z"><em>On business adoption and use of reproducible builds for open and closed source software</em></a>.</p><p>This article is an interview-based study which focuses on the adoption and uses of Reproducible Builds in industry, with a focus on investigating the reasons why organisations might not have adopted them:</p><blockquote><p>[…] industry application of R-Bs appears limited, and we seek to understand whether awareness is low or if significant technical and business reasons prevent wider adoption.</p></blockquote><p>This is achieved through interviews with software practitioners and business managers, and touches on both the business and technical reasons supporting the adoption (or not) of Reproducible Builds.
The article also begins with an excellent explanation and literature review, and even introduces a new helpful analogy for reproducible builds:</p><blockquote><p>[Users are] able to perform a bitwise comparison of the two binaries to verify that they are identical and that the distributed binary is indeed built from the source code in the way the provider claims. Applied in this manner, R-Bs <strong>function as a canary</strong>, a mechanism that indicates when something might be wrong, and offer an improvement in security over running unverified binaries on computer systems.</p></blockquote><p>The <a href="https://link.springer.com/article/10.1007/s11219-022-09607-z">full paper</a> is available to download on an ‘<a href="https://en.wikipedia.org/wiki/Open_access">open access</a>’ basis.</p><p><a href="https://arxiv.org/pdf/2211.06249.pdf"><img src="/images/reports/2022-11/integrity-paper.png#right" alt="" /></a></p><p>Elsewhere in academia, Beatriz Michelson Reichert and Rafael R. Obelheiro have published a paper proposing a systematic threat model for a generic software development pipeline, identifying possible mitigations for each threat (<a href="https://arxiv.org/pdf/2211.06249.pdf">PDF</a>). Under the <em>Tampering</em> rubric of their paper, the authors describe various attacks against Continuous Integration (CI) processes:</p><blockquote><p>An attacker may insert a backdoor into a CI or build tool and thus introduce vulnerabilities into the software (resulting in an improper build). To avoid this threat, it is the developer’s responsibility to take due care when making use of third-party build tools. Tampered compilers can be mitigated using diversity, as in the diverse double compiling (DDC) technique.
<strong>Reproducible builds, a recent research topic, can also provide mitigation for this problem.</strong> (<a href="https://arxiv.org/pdf/2211.06249.pdf">PDF</a>)</p></blockquote><hr /><h3 id="misc-news">Misc news</h3><p><a href="https://go.dev/"><img src="/images/reports/2022-11/golang.png#right" alt="" /></a></p><ul><li><p>A change was proposed for the <a href="https://go.dev/">Go programming language</a> to <a href="https://go-review.googlesource.com/c/go/+/413974">enable reproducible builds when Link Time Optimisation (LTO) is enabled</a>. As mentioned in the changelog, Morten Linderud’s patch fixes two issues when the linker is used in conjunction with the <code>-flto</code> option: the first solves an issue related to <a href="https://en.wikipedia.org/wiki/Random_seed">seeded random numbers</a>; and the second involves the binary embedding the current working directory in compressed sections of the LTO object. Both of these issues made the build unreproducible.</p></li><li><p>In the <a href="https://en.wikipedia.org/wiki/.NET">.NET framework ecosystem</a>, a wiki page for the <a href="https://learn.microsoft.com/en-gb/dotnet/csharp/roslyn-sdk/">Roslyn .NET C# and Visual Basic compiler</a> was uncovered this month that <a href="https://github.com/dotnet/roslyn/blob/main/docs/compilers/Deterministic%20Inputs.md">details its attempts to ensure end-to-end reproducible builds</a> by focusing on the definition of what are ‘considered inputs to the compiler for the purpose of determinism’.
This is a spiritual followup to a 2016 blog post by Microsoft developer <a href="https://blog.paranoidcoding.com/">Jared Parsons</a> on ‘<a href="https://blog.paranoidcoding.com/2016/04/05/deterministic-builds-in-roslyn.html">Deterministic builds in Roslyn</a>’ which starts: ‘It seems silly to celebrate features which should have been there from the start.’</p></li><li><p><a href="https://gcc.gnu.org/pipermail/gcc-patches/2022-November/606205.html">Ian Lance Taylor followed up an old post</a> to report that Jakub Jelinek’s patch from September 2000 is incomplete.</p></li></ul><p><a href="https://f-droid.org/"><img src="/images/reports/2022-11/fdroid.png#right" alt="" /></a></p><ul><li><p>In <a href="https://f-droid.org/">F-Droid</a> this month, Reproducible Builds contributor FC Stegerman created a <a href="https://github.com/obfusk/reproducible-apk-tools">set of ‘reproducible APK tools’</a> as a workaround for issues like <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2816#note_1179533719">the order of files in APKs built on macOS being non-deterministic</a>. In addition, the new issue documenting <a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2844">the overview of apps using reproducible builds</a> shows that F-Droid added 11 new apps that use reproducible builds, and FC Stegerman released <em>apksigcopier</em> version 1.1.0 which <a href="https://github.com/obfusk/apksigcopier#what-about-apks-signed-by-gradlezipflingersignflinger-instead-of-apksigner">adds support for APKs signed by ‘Signflinger’</a>.</p></li><li><p><em>martinSusz</em> has written up a <a href="https://github.com/martinSusz/rkdeveloptool/wiki/Generating--quasi-reproducible-BootROM-firmware-for-Rock-Chips-SoC">fascinating wiki page</a> describing how to generate ‘quasi-reproducible’ firmware ROMs for <a href="https://en.wikipedia.org/wiki/System_on_a_chip">System-on-a-Chip</a> (SoC) components fabricated by <a href="https://en.wikipedia.org/wiki/Rockchip">Rock Chip</a>. 
These chips are used in popular low-cost laptops such as the <a href="https://www.pine64.org/pinebook-pro/">Pine64 PinebookPro</a> and <a href="https://www.asus.com/us/laptops/for-home/chromebook/asus-chromebook-c201/">Asus C201</a>. The link is worth viewing simply for the <a href="https://user-images.githubusercontent.com/119517241/205492847-f2e03cd0-c7b4-43f2-b7f0-e970e531e805.png">interesting diagram</a>.</p></li><li><p>Our monthly IRC meeting was <a href="http://meetbot.debian.net/reproducible-builds/2022/reproducible-builds.2022-11-29-14.58.html">held on November 29th 2022</a>. Our next meeting will be on <strong>January 31st 2023</strong>; we’ll skip the meeting in December due to the proximity to Christmas, etc.</p></li></ul><hr /><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month:</p><ul><li><p>Adrian Diglio from Microsoft asked “<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-November/002726.html">How to Add a New Project within Reproducible Builds</a>” which solicited a number of replies.</p></li><li><p>Vagrant Cascadian posed an interesting question regarding the difference between “test builds” vs “rebuilds” (or “verification rebuilds”). As <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-November/002747.html">Vagrant poses in their message</a>, “they’re both useful for slightly different purposes, and it might be good to clarify the distinction […].”</p></li></ul><hr /><h3 id="debian--other-linux-distributions">Debian &amp; other Linux distributions</h3><p><a href="https://debian.org/"><img src="/images/reports/2022-11/debian.png#right" alt="" /></a></p><p>Over 50 reviews of Debian packages were added this month, another 48 were updated and almost 30 were removed, all of which adds to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. Two new issue types were added as well. 
[<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/9c673bfa">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/bbe35ed0">…</a>].</p><p>Vagrant Cascadian announced on <a href="https://lists.reproducible-builds.org/pipermail/rb-general/">our mailing list</a> another online sprint to help ‘clear the huge backlog of reproducible builds patches submitted’ by performing NMUs (<a href="https://wiki.debian.org/NonMaintainerUpload">Non-Maintainer Uploads</a>). The first such sprint took place on September 22nd, but others were held on October 6th and October 20th. There were two additional sprints that occurred in November, however, which resulted in the following progress:</p><ul><li><p>Chris Lamb:</p><ul><li><a href="https://tracker.debian.org/pkg/paxctl"><code>paxctl</code></a> (Fixed <a href="https://bugs.debian.org/1020804">#1020804</a>)</li><li><a href="https://tracker.debian.org/pkg/png23d"><code>png23d</code></a> (Fixed <a href="https://bugs.debian.org/1020805">#1020805</a>)</li><li><a href="https://tracker.debian.org/pkg/tuxcmd-modules"><code>tuxcmd-modules</code></a> (Fixed <a href="https://bugs.debian.org/1011500">#1011500</a> &amp; <a href="https://bugs.debian.org/941296">#941296</a>)</li><li><a href="https://tracker.debian.org/pkg/waili"><code>waili</code></a> (Fixed <a href="https://bugs.debian.org/1020751">#1020751</a>)</li><li><a href="https://tracker.debian.org/pkg/zephyr"><code>zephyr</code></a> (Fixed <a href="https://bugs.debian.org/828867">#828867</a> <a href="https://bugs.debian.org/1021374">#1021374</a>)</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://tracker.debian.org/pkg/ddd"><code>ddd</code></a> (Fixed <a href="https://bugs.debian.org/834016">#834016</a>)</li><li><a href="https://tracker.debian.org/pkg/libpam-ldap"><code>libpam-ldap</code></a> (Fixed <a href="https://bugs.debian.org/834050">#834050</a>)</li><li><a 
href="https://tracker.debian.org/pkg/nsnake/"><code>nsnake</code></a> (Fixed <a href="https://bugs.debian.org/833612">#833612</a>)</li><li><a href="https://tracker.debian.org/pkg/quvi"><code>quvi</code></a> (Fixed <a href="https://bugs.debian.org/835259">#835259</a>)</li><li><a href="https://tracker.debian.org/pkg/stressapptest"><code>stressapptest</code></a> (Fixed <a href="https://bugs.debian.org/831587">#831587</a> &amp; <a href="https://bugs.debian.org/986653">#986653</a>)</li><li><a href="https://tracker.debian.org/pkg/tcpreen"><code>tcpreen</code></a> (Fixed <a href="https://bugs.debian.org/831585">#831585</a>)</li><li><a href="https://tracker.debian.org/pkg/boolector"><code>boolector</code></a> (Fixed <a href="https://bugs.debian.org/1023886">#1023886</a>)</li><li><a href="https://tracker.debian.org/pkg/tsdecrypt"><code>tsdecrypt</code></a> (Fixed <a href="https://bugs.debian.org/829713">#829713</a> &amp; <a href="https://bugs.debian.org/1022130">#1022130</a>)</li><li><a href="https://tracker.debian.org/pkg/wbxml2"><code>wbxml2</code></a> (QA upload fixed build path issues)</li><li><a href="https://tracker.debian.org/pkg/tercpp"><code>tercpp</code></a> (QA upload fixed build path issues)</li></ul></li></ul><p>Lastly, Roland Clobus posted his <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-November/002760.html">latest update of the status of reproducible Debian ISO images</a> on our mailing list. This reports that ‘all major desktops build reproducibly with <em>bullseye</em>, <em>bookworm</em> and <em>sid</em>’ as well as that no custom patches needed to applied to Debian <em>unstable</em> for this result to occur. 
During November, however, Roland <a href="https://salsa.debian.org/images-team/live-setup/-/merge_requests/2">proposed some modifications to <em>live-setup</em></a> and the rebuild script has been adjusted to fix the failing Jenkins tests for Debian <em>bullseye</em> [<a href="https://salsa.debian.org/live-team/live-build/-/merge_requests/293">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e237cab3ed87826b1c25b068b88fabcecf020d21">…</a>].</p><p><br /></p><p>In other news, <a href="https://fedoraproject.org/wiki/User:Churchyard">Miro Hrončok</a> proposed a change to ‘clamp’ build modification times to the value of <a href="/docs/source-date-epoch/"><code>SOURCE_DATE_EPOCH</code></a>. This was <a href="https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/MWKWFO52KTOGVGOEUDZT7YBOON2G5A2K/">initially suggested and discussed on a <code>devel@</code> mailing list post</a> but was later <a href="https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes">written up on the Fedora Wiki</a> as well as being <a href="https://pagure.io/fesco/issue/2899">officially proposed to Fedora Engineering Steering Committee (FESCo)</a>.</p><hr /><h3 id="upstream-patches">Upstream patches</h3><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://build.opensuse.org/request/show/1036953"><code>dwz</code></a> (<a href="https://en.wikipedia.org/wiki/Profile-guided_optimization">Profile-guided optimisation</a> issue)</li><li><a href="https://gitlab.com/fbb-git/icmake/-/merge_requests/5"><code>icmake</code></a> (filesystem ordering issue)</li><li><a href="https://build.opensuse.org/request/show/1037221"><code>llmnrd</code></a></li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1205134"><code>elixir</code></a> (report a bug re. stuck build on single-core VMs)</li><li><a href="https://github.com/Warzone2100/warzone2100/issues/2991"><code>warzone2100</code></a> (report a bug re. parallelism-dependent output)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1023589">#1023589</a> filed against <a href="https://tracker.debian.org/pkg/libnvme"><code>libnvme</code></a>.</li><li><a href="https://bugs.debian.org/1024352">#1024352</a> filed against <a href="https://tracker.debian.org/pkg/pykafka"><code>pykafka</code></a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1023886">#1023886</a> filed against <a href="https://tracker.debian.org/pkg/boolector"><code>boolector</code></a>.</li><li><a href="https://bugs.debian.org/1023956">#1023956</a> filed against <a href="https://tracker.debian.org/pkg/fl-cow"><code>fl-cow</code></a>.</li><li><a href="https://bugs.debian.org/1023957">#1023957</a> filed against <a href="https://tracker.debian.org/pkg/gerstensaft"><code>gerstensaft</code></a>.</li><li><a href="https://bugs.debian.org/1023960">#1023960</a> filed against <a href="https://tracker.debian.org/pkg/libcgicc"><code>libcgicc</code></a>.</li><li><a href="https://bugs.debian.org/1024007">#1024007</a> filed against <a href="https://tracker.debian.org/pkg/haskell98-report"><code>haskell98-report</code></a>.</li><li><a href="https://bugs.debian.org/1024125">#1024125</a> filed against <a 
href="https://tracker.debian.org/pkg/ucspi-proxy"><code>ucspi-proxy</code></a>.</li><li><a href="https://bugs.debian.org/1024126">#1024126</a> filed against <a href="https://tracker.debian.org/pkg/hunt"><code>hunt</code></a>.</li><li><a href="https://bugs.debian.org/1024279">#1024279</a> filed against <a href="https://tracker.debian.org/pkg/tolua++"><code>tolua++</code></a>.</li><li><a href="https://bugs.debian.org/1024282">#1024282</a> filed against <a href="https://tracker.debian.org/pkg/twoftpd"><code>twoftpd</code></a>.</li><li><a href="https://bugs.debian.org/1024283">#1024283</a> filed against <a href="https://tracker.debian.org/pkg/ipsvd"><code>ipsvd</code></a>.</li><li><a href="https://bugs.debian.org/1024284">#1024284</a> filed against <a href="https://tracker.debian.org/pkg/gentoo"><code>gentoo</code></a>.</li><li><a href="https://bugs.debian.org/1024286">#1024286</a> filed against <a href="https://tracker.debian.org/pkg/lcm"><code>lcm</code></a>.</li><li><a href="https://bugs.debian.org/1024288">#1024288</a> filed against <a href="https://tracker.debian.org/pkg/apcupsd"><code>apcupsd</code></a>.</li><li><a href="https://bugs.debian.org/1024289">#1024289</a> filed against <a href="https://tracker.debian.org/pkg/openfortivpn"><code>openfortivpn</code></a>.</li><li><a href="https://bugs.debian.org/1024290">#1024290</a> filed against <a href="https://tracker.debian.org/pkg/xtb"><code>xtb</code></a>.</li><li><a href="https://bugs.debian.org/1024291">#1024291</a> filed against <a href="https://tracker.debian.org/pkg/gnunet"><code>gnunet</code></a>.</li><li><a href="https://bugs.debian.org/1024292">#1024292</a> filed against <a href="https://tracker.debian.org/pkg/swift-im"><code>swift-im</code></a>.</li><li><a href="https://bugs.debian.org/1024396">#1024396</a> filed against <a href="https://tracker.debian.org/pkg/brewtarget"><code>brewtarget</code></a>.</li><li><a href="https://bugs.debian.org/1024399">#1024399</a> filed against <a 
href="https://tracker.debian.org/pkg/xrprof"><code>xrprof</code></a>.</li><li><a href="https://bugs.debian.org/1024404">#1024404</a> filed against <a href="https://tracker.debian.org/pkg/gitlint"><code>gitlint</code></a>.</li><li><a href="https://bugs.debian.org/1024412">#1024412</a> filed against <a href="https://tracker.debian.org/pkg/claws-mail"><code>claws-mail</code></a>.</li><li><a href="https://bugs.debian.org/1024413">#1024413</a> filed against <a href="https://tracker.debian.org/pkg/presage"><code>presage</code></a>.</li><li><a href="https://bugs.debian.org/1024530">#1024530</a> filed against <a href="https://tracker.debian.org/pkg/jh7100-bootloader-recovery"><code>jh7100-bootloader-recovery</code></a>.</li></ul></li><li><p>Victor Westerhuis:</p><ul><li><a href="https://bugs.debian.org/1024482">#1024482</a> &amp; <a href="https://bugs.debian.org/1024638">#1024638</a> filed against <a href="https://tracker.debian.org/pkg/opencv"><code>opencv</code></a>.</li></ul></li><li><p>John Neffenger:</p><ul><li><a href="https://github.com/apache/tomcat/pull/566"><code>tomcat</code></a> (Fixed Apache bug <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=66346">#66346</a>)</li></ul></li></ul><hr /><h3 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h3><p><a href="https://diffoscope.org"><img src="/images/reports/2022-11/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions <code>226</code> and <code>227</code> to Debian:</p><ul><li>Support both <code>python3-progressbar</code> and <code>python3-progressbar2</code>, two modules providing the <code>progressbar</code> Python module. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/81903e0b">…</a>]</li><li>Don’t run Python decompiling tests on Python bytecode that <code>file(1)</code> cannot detect yet and Python 3.11 cannot unmarshal. (<a href="https://bugs.debian.org/1024335">#1024335</a>)</li><li>Don’t attempt to attach text-only differences notice if there are no differences to begin with. (<a href="https://bugs.debian.org/1024171">#1024171</a>)</li><li>Make sure we recommend <code>apksigcopier</code>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/792115b9">…</a>]</li><li>Tidy generation of <code>os_list</code>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/f0be250e">…</a>]</li><li>Make the code clearer around generating the Debian ‘substvars’. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/58fd63c8">…</a>]</li><li>Use our <code>assert_diff</code> helper in <code>test_lzip.py</code>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/6d3a2779">…</a>]</li><li>Drop other copyright notices from <code>lzip.py</code> and <code>test_lzip.py</code>. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/4a6f0811">…</a>]</li></ul><p>In addition to this, Christopher Baines added <a href="https://www.nongnu.org/lzip/"><em>lzip</em></a> support [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/e1b947b8">…</a>], and FC Stegerman added an optimisation whereby we don’t run <code>apktool</code> if no differences are detected before the signing block [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/1852890a">…</a>].</p><hr /><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-11/reproducible-builds.png#right" alt="" /></a></p><p>A significant number of changes were made to the Reproducible Builds website and documentation this month, including Chris Lamb ensuring the <a href="https://www.openeuler.org/en/">openEuler</a> logo is correctly visible with a white background [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/f0251baa">…</a>], FC Stegerman de-duplicated by email address to avoid listing some contributors twice [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fed37547">…</a>], Hervé Boutemy added <a href="https://maven.apache.org/">Apache Maven</a> to the <a href="/who/projects/">list of affiliated projects</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5879bed0">…</a>] and <em>boyska</em> updated our <a href="/contribute/"><em>Contribute</em></a> page to remark that the <a href="https://salsa.debian.org/reproducible-builds/">Reproducible Builds presence on <em>salsa.debian.org</em></a> is not just the Git repository but is also for creating issues [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5471f8d8">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/9b4238ad">…</a>]. 
In addition to all this, however, Holger Levsen made the following changes:</p><ul><li>Add a number of existing publications [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6a3972fa">…</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/82d4570c">…</a>] and update metadata for some existing publications as well [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/435e36ec">…</a>].</li><li>Hide draft posts on the <a href="/">website homepage</a>. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/684acdce">…</a>]</li><li>Add the Warpforge build tool as a participating project of the summit. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/6f076241">…</a>]</li><li>Clarify in the footer that we welcome patches to the website repository. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/7ffc9492">…</a>]</li></ul><hr /><h3 id="testing-framework">Testing framework</h3><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2022-11/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a> in order to check packages and other artifacts for reproducibility. 
This month, the following changes were made by Holger Levsen:</p><ul><li>Improve the generation of ‘meta’ package sets (used in grouping packages for reporting/statistical purposes) to treat Debian <em>bookworm</em> as equivalent to Debian <em>unstable</em> in this specific case [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/3d3ab211">…</a>] and to parse the list of packages used in the Debian cloud images [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7f65008c">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a62656fa">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5b079c49">…</a>].</li><li>Temporarily allow Frederic to <code>ssh(1)</code> into our snapshot server as the <code>jenkins</code> user. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/9f407d14">…</a>]</li><li>Keep some reproducible jobs’ Jenkins logs much longer [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/65fd1455">…</a>] (<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7101f5c9">later reverted</a>).</li><li>Improve the node health checks to detect failures to update the Debian cloud image package set [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/c4d670d2">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7223af42">…</a>] and to improve prioritisation of some kernel warnings [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/2f1cf2e6">…</a>].</li><li>Always echo any IRC output to Jenkins’ output as well. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/6589dc83">…</a>]</li><li>Deal gracefully with problems related to processing the cloud image package set. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/997b8184">…</a>]</li></ul><p>Finally, Roland Clobus continued his work on testing Live Debian images, including adding support for specifying the origin of the Debian installer [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e237cab3">…</a>] and a warning when the image has unmet dependencies in the package list (e.g. due to a transition) [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/a9a96757">…</a>].</p><p><br /></p><p>If you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. You can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in October 2022</title><pubDate>Fri, 11 Nov 2022 15:56:14 +0000</pubDate><link>https://reproducible-builds.org/reports/2022-10/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2022-10/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-10/reproducible-builds.png#right" alt="" /></a></p><p><em>Welcome to the <a href="https://reproducible-builds.org">Reproducible Builds</a> report for October 2022!</em> In these reports we attempt to outline the most important things that we have been up to over the past month.</p><p>As ever, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><hr /><p><a href="/events/venice2022/"><img src="/images/reports/2022-10/summit_photo.jpg#right" alt="" /></a></p><p><br 
/></p><p>Our <a href="/events/venice2022/">in-person summit this year</a> was held in the past few days in Venice, Italy. Activity and news from the summit will therefore be covered in next month’s report!</p><hr /><p><a href="https://www.computer.org/csdl/proceedings-article/sp/2023/933600a167/1He7XSTyRKE"><img src="/images/reports/2022-10/paper.png#right" alt="" /></a></p><p>A new article related to reproducible builds was recently published in the <a href="https://www.computer.org/csdl/proceedings/sp/2023/1He7WWuJExG">2023 IEEE Symposium on Security and Privacy</a>. Titled <a href="https://www.computer.org/csdl/proceedings-article/sp/2023/933600a167/1He7XSTyRKE"><em>Taxonomy of Attacks on Open-Source Software Supply Chains</em></a> and authored by Piergiorgio Ladisa, Henrik Plate, Matias Martinez and Olivier Barais, their paper:</p><blockquote><p>[…] proposes a general taxonomy for attacks on opensource supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution.</p></blockquote><p>Taking the form of an <a href="https://en.wikipedia.org/wiki/Attack_tree">attack tree</a>, the paper covers 107 unique vectors linked to 94 real-world supply-chain incidents, which are then mapped to 33 mitigating safeguards including, of course, reproducible builds:</p><blockquote><p><em>Reproducible Builds</em> received a very high utility rating (5) from 10 participants (58.8%), but also a high-cost rating (4 or 5) from 12 (70.6%). 
One expert commented that a “reproducible build like used by Solarwinds now, is a good measure against tampering with a single build system” and another claimed this “is going to be the single, biggest barrier”.</p></blockquote><hr /><p>It was noticed this month that Solarwinds <a href="https://www.solarwinds.com/resources/whitepaper/setting-the-new-standard-in-secure-software-development-the-solarwinds-next-generation-build-system">published a whitepaper back in December 2021</a> in order to:</p><blockquote><p>[…] illustrate a concerning new reality for the software industry and illuminates the increasingly sophisticated threats made by outside nation-states to the supply chains and infrastructure on which we all rely.</p></blockquote><p>The 12-month anniversary of the 2020 “<a href="https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach">Solarwinds attack</a>” (which SolarWinds Worldwide LLC itself calls the “SUNBURST” attack) was, of course, the likely impetus for publication.</p><hr /><p>Whilst collaborating on <a href="https://github.com/cyrusimap/cyrus-imapd/issues/3893">making the Cyrus IMAP server reproducible</a>, <a href="https://github.com/elliefm">Ellie Timoney</a> asked why the Reproducible Builds testing framework uses two remarkably distinctive build paths when attempting to flush out builds that vary on the absolute system path in which they were built. 
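</p>
<p>The “build twice under deliberately different paths, then compare” technique, as an added example (this is not the testing framework’s own code): <code>build()</code> is a stand-in for a compiler that records each source file’s path in the artifact, as <code>__FILE__</code> or DWARF line tables would, and the <code>prefix_map</code> flag plays the role of a compiler’s <code>-ffile-prefix-map=</code> option. The source tree, the two build paths and the artifact format are all constructed for the example.</p>

```python
"""Two-build comparison under deliberately different build paths.

Added example, not code from the Reproducible Builds testing framework.
build() is a stand-in for a compiler: it records each source file's path in
the artifact, as __FILE__ or DWARF line tables would, unless the build-root
prefix is mapped away (the role -ffile-prefix-map= plays for GCC and Clang).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed source tree; identical in both builds.
SOURCES = {
    "src/main.c": "int main(void) { return 0; }\n",
    "src/util.c": "int util(void) { return 1; }\n",
}


def build(build_dir: Path, prefix_map: bool) -> bytes:
    """Write SOURCES under build_dir and return the artifact bytes.

    prefix_map=False embeds each file's absolute path (the defect being
    hunted); prefix_map=True records the path relative to the build root,
    so the artifact no longer depends on where the build happened.
    """
    lines = []
    for rel in sorted(SOURCES):  # sorted: never depend on dict/readdir order
        path = build_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(SOURCES[rel])
        recorded = os.path.relpath(path, build_dir) if prefix_map else str(path)
        digest = hashlib.sha256(SOURCES[rel].encode()).hexdigest()
        lines.append(f"{recorded} {digest}\n")
    return "".join(lines).encode()


def compare_builds(prefix_map: bool) -> dict:
    """Build twice under two paths shaped like the framework's: the varying
    component differs in length, the second path is one level deeper, and
    the varying component sits before the package directory in one path and
    after it in the other. Report whether the artifacts match and which
    lines differ."""
    with tempfile.TemporaryDirectory() as root:
        first = Path(root, "build", "1st", "pkg")
        second = Path(root, "build", "2", "pkg", "2nd")
        a = build(first, prefix_map)
        b = build(second, prefix_map)
    differing = [
        (la, lb)
        for la, lb in zip(a.decode().splitlines(), b.decode().splitlines())
        if la != lb
    ]
    return {
        "reproducible": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "differing_lines": differing,
    }


if __name__ == "__main__":
    for mapped in (False, True):
        result = compare_builds(mapped)
        print(f"prefix_map={mapped}: reproducible={result['reproducible']}")
        for la, lb in result["differing_lines"]:
            print(f"  - {la}\n  + {lb}")
```

<p>The unmapped run reports one differing line per source file, each pinning a different absolute path; mapping the prefix away makes the two artifacts byte-identical. Varying more than one property of the path at once (length, depth, position of the varying component) is what makes a single pair of builds catch code that embeds the path in any of several ways, rather than only code that happens to record the full string.</p>
<p>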
In the case of the <a href="https://www.cyrusimap.org/">Cyrus IMAP server</a>, these happened to be:</p><ul><li><code>/build/1st/cyrus-imapd-3.6.0~beta3/</code></li><li><code>/build/2/cyrus-imapd-3.6.0~beta3/2nd/</code></li></ul><p>Asked why they vary in three different ways, <a href="https://github.com/cyrusimap/cyrus-imapd/issues/3893#issuecomment-1279441131">Chris Lamb listed in detail the motivation behind each difference</a>.</p><hr /><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month:</p><ul><li><p>Daniel Garcia from <a href="https://walletscrutiny.com/">WalletScrutiny.com</a> started a thread asking for <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002703.html">input on buttons with the Reproducible Builds logo</a>, requesting design suggestions or other feedback. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002703.html">…</a>]</p></li><li><p><a href="https://archlinux.org/">Arch Linux</a> contributor <em>kpcyrd</em> wrote to our list this month with the news that “multiple people in Arch Linux noticed the output of our <code>git archive</code> command doesn’t match the tarball served by <a href="https://github.com/">GitHub</a> anymore”. <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002709.html">In his post</a>, <em>kpcyrd</em> narrows the change to a <a href="https://github.com/git/git/commit/4f4be00d302bc52d0d9d5a3d4738bb525066c710">specific commit in Git</a>. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002709.html">…</a>]</p></li><li><p>Akihiro Suda wrote to share a new tool called <a href="https://github.com/reproducible-containers/repro-get"><code>repro-get</code></a>. 
According to <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002716.html">Akihiro’s post</a>, “repro-get is a tool to install a specific snapshot of apt/dnf/apk/pacman packages using SHA256SUMS files”. This is useful for installing the specific (or “pinned”) dependencies required to validate a build.</p></li><li><p>Finally, Janneke Nieuwenhuizen <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002708.html">announced the release of GNU Mes 0.24.1</a>, which represents 23 commits over five months by four people. <a href="https://www.gnu.org/software/mes/">GNU Mes</a> is a Scheme interpreter and C compiler for bootstrapping the GNU System. [<a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-October/002708.html">…</a>]</p></li></ul><hr /><p><a href="https://www.openeuler.org/"><img src="/images/reports/2022-10/openEuler.png#right" alt="" /></a></p><p>The Reproducible Builds project is delighted to welcome <a href="https://www.openeuler.org/">openEuler</a> to the <a href="/who/projects/"><em>Involved projects</em></a> page [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/bfc7b803">…</a>]. 
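</p>
<p>Two of the mailing-list threads above, the <code>git archive</code> output that stopped matching GitHub’s tarballs and <code>repro-get</code>’s pinning by SHA256SUMS, are two sides of one question: what exactly does a pinned checksum cover? The following added example (not code from <code>repro-get</code>, Git or this project; the archive and the <code>SHA256SUMS</code> line are constructed) verifies a file against a <code>sha256sum(1)</code>-style line, then shows that when only the gzip layer of a <code>.tar.gz</code> changes (here, compression level and gzip header timestamp) a checksum over the compressed bytes no longer matches, while a checksum over the decompressed tar stream, or over the sorted member contents, still does:</p>

```python
"""What does a pinned checksum cover? Compressed bytes, tar stream, or tree.

Added example; not code from repro-get, git or the Reproducible Builds
project. The archive and the SHA256SUMS line are constructed here.
"""
import gzip
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum(1)-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'
    (the '*' marks binary mode). Returns {name: digest}; rejects bad digests."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest in line: {line!r}")
        if name.startswith("*"):
            name = name[1:]
        sums[name] = digest.lower()
    return sums

def verify(sums: dict, name: str, data: bytes) -> bool:
    """True only if name is pinned and data hashes to the pinned digest."""
    return name in sums and sums[name] == sha256(data)

def make_tar(members: dict) -> bytes:
    """Deterministic uncompressed tar of constructed files: sorted member
    order, zero mtime, no ownership (what a reproducible archiver does)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(members):
            data = members[name].encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def gzip_bytes(data: bytes, level: int, mtime: int) -> bytes:
    """gzip the same payload with a given compression level and header mtime;
    either knob changes the compressed bytes without touching the content."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(data)
    return buf.getvalue()

def content_digest(targz: bytes) -> str:
    """Digest of the decompressed tar stream: ignores the gzip layer but still
    covers tar metadata (mtimes, ownership, member order)."""
    return sha256(gzip.decompress(targz))

def tree_digest(targz: bytes) -> str:
    """Digest over sorted (member name, content digest) pairs of regular files:
    covers only the source itself, not gzip or tar metadata."""
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tar:
        entries = sorted(
            (m.name, sha256(tar.extractfile(m).read()))
            for m in tar.getmembers() if m.isfile()
        )
    h = hashlib.sha256()
    for name, digest in entries:
        h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()

def demo() -> dict:
    """Archive one constructed tree two ways (as if the archive generator had
    changed its gzip settings) and compare the three pinning strategies."""
    tar = make_tar({"pkg/README": "hello\n", "pkg/src/a.c": "int a;\n"})
    original = gzip_bytes(tar, level=9, mtime=0)
    regenerated = gzip_bytes(tar, level=1, mtime=1)
    # Constructed SHA256SUMS line pinning the original download.
    sums = parse_sha256sums(f"{sha256(original)}  pkg-1.0.tar.gz\n")
    return {
        "pinned_ok_original": verify(sums, "pkg-1.0.tar.gz", original),
        "pinned_ok_regenerated": verify(sums, "pkg-1.0.tar.gz", regenerated),
        "compressed_equal": sha256(original) == sha256(regenerated),
        "content_equal": content_digest(original) == content_digest(regenerated),
        "tree_equal": tree_digest(original) == tree_digest(regenerated),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Which layer to pin is a trade-off. The compressed bytes are what is actually downloaded and are the simplest to verify, but any change in the generator’s compressor breaks the pin even though not a byte of source changed. The decompressed stream survives that, but still encodes tar metadata such as timestamps, ownership and member order. Hashing sorted (name, content) pairs covers only the source, at the cost of extracting before verifying. Pinning an upstream Git commit or tree object and producing the archive locally sidesteps the generator altogether.</p>
<p>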
openEuler is a Linux distribution developed by <a href="https://www.huawei.com/">Huawei</a>, a counterpart to its more commercially-oriented <a href="https://developer.huaweicloud.com/ict/en/site-euleros/euleros">EulerOS</a>.</p><hr /><h3 id="debian">Debian</h3><p><a href="https://debian.org/"><img src="/images/reports/2022-10/debian.png#right" alt="" /></a></p><p><a href="https://www.chiark.greenend.org.uk/~cjwatson/">Colin Watson</a> wrote about his experience of making the databases generated by the <code>man-db</code> UNIX manual page indexing tool reproducible:</p><blockquote><p>One of the people working on [reproducible builds] <a href="https://bugs.debian.org/1010957">noticed</a> that man-db’s database files were an obstacle to [reproducibility]: in particular, the exact contents of the database seemed to depend on the order in which files were scanned when building it. The reporter proposed solving this by processing files in sorted order, but I wasn’t keen on that approach: firstly because it would mean we could no longer process files in an order that makes it more efficient to read them all from disk (still valuable on rotational disks), but mostly because the differences seemed to point to other bugs.</p></blockquote><p>Colin goes on to describe his approach to solving the problem, including fixing various bits of internal caching, and he ends his post with “None of this is particularly glamorous work, but it paid off”.</p><hr /><p>Vagrant Cascadian announced on <a href="https://lists.reproducible-builds.org/pipermail/rb-general/">our mailing list</a> another online sprint to help “clear the huge backlog of reproducible builds patches submitted” by performing NMUs (<a href="https://wiki.debian.org/NonMaintainerUpload">Non-Maintainer Uploads</a>). The first such sprint took place on September 22nd, but another was held on October 6th, and another small one on October 20th. 
This resulted in the following progress:</p><ul><li><p>Chris Lamb:</p><ul><li><a href="https://tracker.debian.org/pkg/ascii2binary"><code>ascii2binary</code></a> (Fixed <a href="https://bugs.debian.org/1020812">#1020812</a>, <a href="https://bugs.debian.org/998758">#998758</a> &amp; <a href="https://bugs.debian.org/1007421">#1007421</a>)</li><li><a href="https://tracker.debian.org/pkg/bibclean"><code>bibclean</code></a> (Fixed <a href="https://bugs.debian.org/829754">#829754</a> &amp; <a href="https://bugs.debian.org/929036">#929036</a>)</li><li><a href="https://tracker.debian.org/pkg/dradio"><code>dradio</code></a> (Fixed <a href="https://bugs.debian.org/1020814">#1020814</a>)</li><li><a href="https://tracker.debian.org/pkg/leave"><code>leave</code></a> (Fixed <a href="https://bugs.debian.org/777403">#777403</a>, <a href="https://bugs.debian.org/967002">#967002</a> &amp; <a href="https://bugs.debian.org/999259">#999259</a>)</li><li><a href="https://tracker.debian.org/pkg/libimage-imlib2-perl"><code>libimage-imlib2-perl</code></a> (Fixed <a href="https://bugs.debian.org/1020665">#1020665</a>)</li><li><a href="https://tracker.debian.org/pkg/mailto"><code>mailto</code></a> (Fixed <a href="https://bugs.debian.org/998978">#998978</a> &amp; <a href="https://bugs.debian.org/777413">#777413</a>)</li><li><a href="https://tracker.debian.org/pkg/remote-tty"><code>remote-tty</code></a> (Fixed <a href="https://bugs.debian.org/829721">#829721</a> &amp; <a href="https://bugs.debian.org/977280">#977280</a>)</li><li><a href="https://tracker.debian.org/pkg/xcolmix"><code>xcolmix</code></a> (Fixed <a href="https://bugs.debian.org/1020748">#1020748</a>, <a href="https://bugs.debian.org/999219">#999219</a> &amp; <a href="https://bugs.debian.org/988018">#988018</a>)</li><li><a href="https://tracker.debian.org/pkg/z80asm"><code>z80asm</code></a> (Fixed <a href="https://bugs.debian.org/939775">#939775</a> &amp; <a 
href="https://bugs.debian.org/1020875">#1020875</a>)</li></ul></li><li><p>Holger Levsen:</p><ul><li><a href="https://tracker.debian.org/pkg/libtheora"><code>libtheora</code></a> (Fixed <a href="https://bugs.debian.org/990843">#990843</a> &amp; <a href="https://bugs.debian.org/990844">#990844</a>)</li><li><a href="https://tracker.debian.org/pkg/sgml-base"><code>sgml-base</code></a> (Fixed <a href="https://bugs.debian.org/1006646">#1006646</a> &amp; <a href="https://bugs.debian.org/929706">#929706</a>)</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://tracker.debian.org/pkg/ario"><code>ario</code></a> (Investigated <a href="https://bugs.debian.org/828876">#828876</a>)</li><li><a href="https://tracker.debian.org/pkg/cloop"><code>cloop</code></a> (Fixed <a href="https://bugs.debian.org/787996">#787996</a>)</li><li><a href="https://tracker.debian.org/pkg/elvis-tiny"><code>elvis-tiny</code></a> (Fixed <a href="https://bugs.debian.org/829755">#829755</a> &amp; <a href="https://bugs.debian.org/901345">#901345</a>)</li><li><a href="https://tracker.debian.org/pkg/hannah"><code>hannah</code></a> (Fixed <a href="https://bugs.debian.org/845782">#845782</a> &amp; <a href="https://bugs.debian.org/901260">#901260</a>)</li><li><a href="https://tracker.debian.org/pkg/mc"><code>mc</code></a> (Investigated <a href="https://bugs.debian.org/828683">#828683</a>)</li><li><a href="https://tracker.debian.org/pkg/mod-dnssd"><code>mod-dnssd</code></a> (Submitted alternate fix for <a href="https://bugs.debian.org/828752">#828752</a>)</li><li><a href="https://tracker.debian.org/pkg/snake4"><code>snake4</code></a> (Fixed <a href="https://bugs.debian.org/829715">#829715</a> &amp; <a href="https://bugs.debian.org/913734">#913734</a>)</li><li><a href="https://tracker.debian.org/pkg/the"><code>the</code></a> (Fixed <a href="https://bugs.debian.org/842550">#842550</a>)</li><li><a href="https://tracker.debian.org/pkg/zephyr"><code>zephyr</code></a> (Investigated <a 
href="https://bugs.debian.org/828867">#828867</a> &amp; <a href="https://bugs.debian.org/1021374">#1021374</a>)</li><li><a href="https://tracker.debian.org/pkg/msp430mcu"><code>msp430mcu</code></a> (Fixed <a href="https://bugs.debian.org/860275">#860275</a>)</li><li><a href="https://tracker.debian.org/pkg/checkpw"><code>checkpw</code></a> (Fixed <a href="https://bugs.debian.org/777299">#777299</a> &amp; <a href="https://bugs.debian.org/1020887">#1020887</a>)</li><li><a href="https://tracker.debian.org/pkg/madlib"><code>madlib</code></a> (Fixed <a href="https://bugs.debian.org/778946">#778946</a>)</li></ul></li></ul><hr /><p>41 reviews of Debian packages were added, 62 were updated and 12 were removed this month, adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. A number of issue types were updated too. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/c3feb10e">1</a>][<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/518f83f0">…</a>]</p><hr /><p>Lastly, Luca Boccassi <a href="https://salsa.debian.org/debian/debhelper/-/merge_requests/93">submitted a patch</a> to <code>debhelper</code>, a set of tools used in the packaging of the majority of Debian packages. The patch addressed an issue in the <code>dh_installsysusers</code> utility so that the <code>postinst</code> post-installation script that <code>debhelper</code> generates contains the same data regardless of the underlying filesystem ordering.</p><hr /><h3 id="other-distributions">Other distributions</h3><p><a href="https://www.f-droid.org/"><img src="/images/reports/2022-10/fdroid.png#right" alt="" /></a></p><p><a href="https://f-droid.org/">F-Droid</a> is a community-run app store that provides free software applications for Android phones. 
This month, F-Droid changed their documentation and guidance to explicitly encourage reproducible builds for new apps [<a href="https://gitlab.com/fdroid/fdroiddata/-/merge_requests/12002">…</a>][<a href="https://gitlab.com/fdroid/fdroiddata/-/issues/2816">…</a>], and FC Stegerman created an <a href="https://gitlab.com/fdroid/fdroidserver/-/issues/1056">extremely in-depth issue on GitLab</a> concerning the <a href="https://source.android.com/docs/security/features/apksigning/v2">APK signing block</a>. You can read more about F-Droid’s approach to reproducibility in <a href="/news/2022/06/24/supporter-spotlight-hans-christoph-steiner-f-droid-project/">our July 2022 interview with Hans-Christoph Steiner of the F-Droid Project</a>.</p><p>In openSUSE, Bernhard M. Wiedemann published his usual <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/GFJP5HGSAPHJ4S63D3PYQJ237EDCMBXQ/">openSUSE monthly report</a>.</p><hr /><h3 id="upstream-patches">Upstream patches</h3><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://github.com/vectorgraphics/asymptote/pull/351"><code>asymptote</code></a> (date-related issue)</li><li><a href="https://build.opensuse.org/request/show/1010423"><code>fastjet-contrib</code></a> (sort nondeterministic filesystem ordering)</li><li><a href="https://build.opensuse.org/request/show/1009599"><code>forge</code></a> (<a href="https://www.sphinx-doc.org/">Sphinx</a> “doctree” issue)</li><li><a href="https://build.opensuse.org/request/show/1009603"><code>gau2grid</code></a> (output varies with <code>march=native</code>)</li><li><a href="https://github.com/securego/gosec/pull/887"><code>gosec</code></a> (date-related issue)</li><li><a href="https://github.com/helmfile/helmfile/pull/486"><code>helmfile</code></a> (date-related issue)</li><li><a href="https://build.opensuse.org/request/show/1032570"><code>libnvme</code></a> (date-related issue)</li><li><a href="https://build.opensuse.org/request/show/1008583"><code>moab</code></a> (CPU)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1203982"><code>tcl</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/1032506"><code>vectorscan</code></a> (output varies with <code>march=native</code>)</li><li><a href="https://github.com/alexcrichton/xz2-rs/issues/100"><code>xz2/lzma</code></a> (Rust-related filesystem ordering)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/891263">#891263</a> filed against <a href="https://tracker.debian.org/pkg/puppet"><code>puppet</code></a> back in early 2018 was <a href="https://github.com/puppetlabs/puppet/pull/8916#issuecomment-1265615317">finally merged into Puppet</a> and was released in <a href="https://puppet.com/docs/puppet/7/puppet_index.html">Puppet 7.20.0</a>.</li><li><a href="https://bugs.debian.org/1021198">#1021198</a> filed against <a href="https://tracker.debian.org/pkg/puppet-agent"><code>puppet-agent</code></a>.</li><li><a 
href="https://bugs.debian.org/1022777">#1022777</a> filed against <a href="https://tracker.debian.org/pkg/tpm2-pytss"><code>tpm2-pytss</code></a> (<a href="https://github.com/tpm2-software/tpm2-pytss/pull/376">forwarded upstream</a>).</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1021331">#1021331</a> filed against <a href="https://tracker.debian.org/pkg/cclive"><code>cclive</code></a>.</li><li><a href="https://bugs.debian.org/1021373">#1021373</a> filed against <a href="https://tracker.debian.org/pkg/librep"><code>librep</code></a>.</li><li><a href="https://bugs.debian.org/1021374">#1021374</a> filed against <a href="https://tracker.debian.org/pkg/zephyr"><code>zephyr</code></a>.</li><li><a href="https://bugs.debian.org/1021452">#1021452</a> filed against <a href="https://tracker.debian.org/pkg/libdv"><code>libdv</code></a>.</li><li><a href="https://bugs.debian.org/1021454">#1021454</a> filed against <a href="https://tracker.debian.org/pkg/dbview"><code>dbview</code></a>.</li><li><a href="https://bugs.debian.org/1021456">#1021456</a> filed against <a href="https://tracker.debian.org/pkg/bwbasic"><code>bwbasic</code></a>.</li><li><a href="https://bugs.debian.org/1021457">#1021457</a> filed against <a href="https://tracker.debian.org/pkg/olpc-powerd"><code>olpc-powerd</code></a>.</li><li><a href="https://bugs.debian.org/1021458">#1021458</a> filed against <a href="https://tracker.debian.org/pkg/o3dgc"><code>o3dgc</code></a>.</li><li><a href="https://bugs.debian.org/1021461">#1021461</a> filed against <a href="https://tracker.debian.org/pkg/icon"><code>icon</code></a>.</li><li><a href="https://bugs.debian.org/1021463">#1021463</a> filed against <a href="https://tracker.debian.org/pkg/rdist"><code>rdist</code></a>.</li><li><a href="https://bugs.debian.org/1021464">#1021464</a> filed against <a href="https://tracker.debian.org/pkg/stfl"><code>stfl</code></a>.</li><li><a href="https://bugs.debian.org/1021466">#1021466</a> filed 
against <a href="https://tracker.debian.org/pkg/pacman"><code>pacman</code></a>.</li><li><a href="https://bugs.debian.org/1021469">#1021469</a> filed against <a href="https://tracker.debian.org/pkg/lam"><code>lam</code></a>.</li><li><a href="https://bugs.debian.org/1021470">#1021470</a> filed against <a href="https://tracker.debian.org/pkg/xsok"><code>xsok</code></a>.</li><li><a href="https://bugs.debian.org/1021471">#1021471</a> filed against <a href="https://tracker.debian.org/pkg/python-djvulibre"><code>python-djvulibre</code></a>.</li><li><a href="https://bugs.debian.org/1021472">#1021472</a> filed against <a href="https://tracker.debian.org/pkg/xzoom"><code>xzoom</code></a>.</li><li><a href="https://bugs.debian.org/1021473">#1021473</a> filed against <a href="https://tracker.debian.org/pkg/nitpic"><code>nitpic</code></a>.</li><li><a href="https://bugs.debian.org/1021498">#1021498</a> filed against <a href="https://tracker.debian.org/pkg/tcm"><code>tcm</code></a>.</li><li><a href="https://bugs.debian.org/1021509">#1021509</a> filed against <a href="https://tracker.debian.org/pkg/xxkb"><code>xxkb</code></a>.</li><li><a href="https://bugs.debian.org/1021512">#1021512</a> filed against <a href="https://tracker.debian.org/pkg/yersinia"><code>yersinia</code></a>.</li><li><a href="https://bugs.debian.org/1021513">#1021513</a> filed against <a href="https://tracker.debian.org/pkg/centrifuge"><code>centrifuge</code></a>.</li><li><a href="https://bugs.debian.org/1021514">#1021514</a> and <a href="https://bugs.debian.org/1021516">#1021516</a> filed against <a href="https://tracker.debian.org/pkg/ssocr"><code>ssocr</code></a>.</li><li><a href="https://bugs.debian.org/1021518">#1021518</a> filed against <a href="https://tracker.debian.org/pkg/jakarta-jmeter"><code>jakarta-jmeter</code></a>.</li><li><a href="https://bugs.debian.org/1021520">#1021520</a> filed against <a href="https://tracker.debian.org/pkg/guymager"><code>guymager</code></a>.</li><li><a 
href="https://bugs.debian.org/1021521">#1021521</a> and <a href="https://bugs.debian.org/1021522">#1021522</a> filed against <a href="https://tracker.debian.org/pkg/crack"><code>crack</code></a>.</li><li><a href="https://bugs.debian.org/1021751">#1021751</a> filed against <a href="https://tracker.debian.org/pkg/dc3dd"><code>dc3dd</code></a>.</li><li><a href="https://bugs.debian.org/1021789">#1021789</a> filed against <a href="https://tracker.debian.org/pkg/dlt-viewer"><code>dlt-viewer</code></a>.</li><li><a href="https://bugs.debian.org/1021792">#1021792</a> and <a href="https://bugs.debian.org/1021793">#1021793</a> filed against <a href="https://tracker.debian.org/pkg/vart"><code>vart</code></a>.</li><li><a href="https://bugs.debian.org/1021799">#1021799</a> and <a href="https://bugs.debian.org/1021800">#1021800</a> filed against <a href="https://tracker.debian.org/pkg/pgrouting"><code>pgrouting</code></a>.</li><li><a href="https://bugs.debian.org/1021860">#1021860</a> filed against <a href="https://tracker.debian.org/pkg/libsx"><code>libsx</code></a>.</li><li><a href="https://bugs.debian.org/1021893">#1021893</a> filed against <a href="https://tracker.debian.org/pkg/device-tree-compiler"><code>device-tree-compiler</code></a>.</li><li><a href="https://bugs.debian.org/1022130">#1022130</a> filed against <a href="https://tracker.debian.org/pkg/tsdecrypt"><code>tsdecrypt</code></a>.</li></ul></li><li><p>John Neffenger:</p><ul><li><a href="https://github.com/openjdk/jdk/pull/10070"><code>openjdk</code></a> (Fixed <a href="https://bugs.openjdk.org/browse/JDK-8292892">JDK-8292892</a>)</li></ul></li></ul><h3 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h3><p><a href="https://diffoscope.org"><img src="/images/reports/2022-10/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. 
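</p>
<p>One of this month’s diffoscope changes, listed below, is detection of ordering-only differences in XML files. As an added illustration of that kind of check (this is not diffoscope’s implementation), the following classifies the difference between two XML documents as byte-identical, equivalent after parsing (attribute order or indentation only), ordering-only (the same elements with siblings in a different order), or a genuine content difference, and for the ordering case reports which elements had their children reordered. Whitespace-only text is ignored and attribute order is treated as insignificant; the sample documents are constructed.</p>

```python
"""Classify the difference between two XML documents.

Added example in the spirit of diffoscope's ordering-only detection for
XML; it is not diffoscope's implementation. Whitespace-only text is
ignored and attribute order is treated as insignificant.
"""
import xml.etree.ElementTree as ET


def _shape(elem, sort_children: bool) -> tuple:
    """Nested tuple for an element: tag, sorted attributes, stripped text and
    tail, and its children's shapes in document order or, with
    sort_children=True, sorted so that sibling order no longer matters."""
    children = [_shape(c, sort_children) for c in elem]
    if sort_children:
        children.sort()
    return (
        elem.tag,
        tuple(sorted(elem.attrib.items())),
        (elem.text or "").strip(),
        (elem.tail or "").strip(),
        tuple(children),
    )


def classify(xml_a: str, xml_b: str) -> str:
    """'identical' (same bytes), 'equivalent' (same after parsing, e.g.
    attribute order or indentation), 'ordering' (same elements, siblings in
    a different order) or 'content' (a real difference)."""
    if xml_a == xml_b:
        return "identical"
    a, b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    if _shape(a, False) == _shape(b, False):
        return "equivalent"
    if _shape(a, True) == _shape(b, True):
        return "ordering"
    return "content"


def reordered_paths(xml_a: str, xml_b: str) -> list:
    """For an ordering-only difference, the paths of the elements whose
    children were reordered (what a diff tool would point the user at)."""
    if classify(xml_a, xml_b) != "ordering":
        return []
    paths = []

    def walk(x, y, path):
        if [_shape(c, True) for c in x] != [_shape(c, True) for c in y]:
            paths.append(path)
        # Pair children by order-independent shape so the descent survives
        # a reorder at this level.
        xs = sorted(x, key=lambda c: _shape(c, True))
        ys = sorted(y, key=lambda c: _shape(c, True))
        for cx, cy in zip(xs, ys):
            walk(cx, cy, f"{path}/{cx.tag}")

    a, b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    walk(a, b, a.tag)
    return paths


if __name__ == "__main__":
    # Constructed sample: same files listed in a different order.
    first = '<pkg><file name="b" size="2"/><file name="a" size="1"/></pkg>'
    second = '<pkg><file name="a" size="1"/><file name="b" size="2"/></pkg>'
    print(classify(first, second), reordered_paths(first, second))
```

<p>The point of separating “ordering” from “content” is triage: an ordering-only difference almost always means the producer iterated an unsorted container (a hash map, <code>readdir(3)</code> output) and the fix is to sort before emitting, whereas a content difference needs a real investigation. Treating attribute order as insignificant is a simplification; a byte-level comparison would still flag it.</p>
<p>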
Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions <code>224</code> and <code>225</code> to Debian:</p><ul><li>Add support for comparing the text content of HTML files using <a href="https://alir3z4.github.io/html2text/"><code>html2text</code></a>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/d647eb75">…</a>]</li><li>Add support for detecting ordering-only differences in XML files. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/dbf5350f">…</a>]</li><li>Fix an issue with detecting ordering differences. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/727b3c9e">…</a>]</li><li>Use the capitalised version of “Ordering” consistently everywhere in output. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/844e00c7">…</a>]</li><li>Add support for displaying font metadata using <a href="https://fonttools.readthedocs.io/en/latest/ttx.html"><code>ttx(1)</code></a> from the <a href="https://fonttools.readthedocs.io/en/latest/index.html"><em>fonttools</em></a> suite. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/fe8326a8">…</a>]</li><li><p>Testsuite improvements:</p><ul><li>Temporarily allow the <code>stable-po</code> pipeline to fail in the CI. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/ac2eb11f">…</a>]</li><li>Rename the <code>order1.diff</code> test fixture to <code>json_expected_ordering_diff</code>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/1bb51831">…</a>]</li><li>Tidy the JSON tests. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f0407a1">…</a>]</li><li>Use <code>assert_diff</code> over <code>get_data</code> and a manual assert within the XML tests. 
[<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/a6a0f90b">…</a>]</li><li>Drop the <code>ALLOWED_TEST_FILES</code> test; it was mostly just annoying. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/7b7d28f0">…</a>]</li><li>Tidy the <code>tests/test_source.py</code> file. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/06fd0c79">…</a>]</li></ul></li></ul><p>Chris Lamb also added a link to diffoscope’s <a href="https://www.openbsd.org/">OpenBSD</a> packaging on the <a href="https://diffoscope.org"><em>diffoscope.org</em></a> homepage [<a href="https://salsa.debian.org/reproducible-builds/diffoscope-website/commit/cb122aa">…</a>] and Mattia Rizzolo fixed a test failure that was occurring with <a href="https://llvm.org/">LLVM</a> 15 [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/154ad453">…</a>].</p><h3 id="testing-framework">Testing framework</h3><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2022-10/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project operates a comprehensive testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a> in order to check packages and other artifacts for reproducibility. In October, the following changes were made by Holger Levsen:</p><ul><li>Run the <code>logparse</code> tool to analyse results on the <a href="https://wiki.debian.org/DebianEdu/">Debian Edu</a> build logs. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/db3efa21">…</a>]</li><li>Install <code>btop(1)</code> on all nodes running Debian. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5e33a32a">…</a>]</li><li>Switch Arch Linux from using SHA1 to SHA256. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/470e8e8d">…</a>]</li><li>When checking Debian <code>debstrap</code> jobs, correctly log the tool usage. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5efaac25">…</a>]</li><li>Clean up more task-related temporary directory names when testing Debian packages. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/53e3f678">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/7ed09046">…</a>]</li><li>Use the <code>cdebootstrap-static</code> binary for the 2nd runs of the <code>cdebootstrap</code> tests. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b6cf19d5">…</a>]</li><li>Drop <a href="https://bugs.debian.org/1020630">a workaround</a> when testing OpenWrt and coreboot as the issue in <em>diffoscope</em> has now been fixed. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b048e50b">…</a>]</li><li>Turn an <code>rm(1)</code> warning into an “info”-level message. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/8e2e8aa7">…</a>]</li><li>Special-case the <code>osuosl168</code> node, which is already running Debian <em>bookworm</em>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/5db24ae9">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/889afec3">…</a>]</li><li>Use the new <code>non-free-firmware</code> suite on the <code>o168</code> node. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/0d75fe0e">…</a>]</li></ul><p>In addition, Mattia Rizzolo made the following changes:</p><ul><li>Ensure that the 2nd build has a merged <code>/usr</code>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/1bd43360">…</a>]</li><li>Only reconfigure the <code>usrmerge</code> package on Debian <em>bookworm</em> and above. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/474a47c3">…</a>]</li><li>Fix <code>bc(1)</code> syntax in the computation of the percentage of unreproducible packages in the dashboard. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b410b49e">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/25691e9e">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/b153a66d">…</a>]</li><li>In the <code>index_suite_</code> pages, order the package statuses in the same order as the menu. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/fbcab7bf">…</a>]</li><li>Pass the <code>--distribution</code> parameter to the <code>pbuilder</code> utility. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/dc5a5284">…</a>]</li></ul><p>Finally, Roland Clobus continued his work on testing Live Debian images. In particular, he extended the maintenance script to warn when workspace directories cannot be deleted. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/299812ee">…</a>]</p><p><br /></p><p>If you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. You can also get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in September 2022</title><pubDate>Fri, 07 Oct 2022 21:25:12 +0000</pubDate><link>https://reproducible-builds.org/reports/2022-09/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2022-09/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-09/reproducible-builds.png#right" alt="" /></a></p><p>Welcome to the September 2022 report from the <a href="/">Reproducible Builds</a> project! 
In our reports we try to outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. If you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><hr /><p><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/"><img src="/images/reports/2022-09/nsa.png#right" alt="" /></a></p><p>David A. Wheeler reported to us that the US National Security Agency (<a href="https://en.wikipedia.org/wiki/National_Security_Agency">NSA</a>), Cybersecurity and Infrastructure Security Agency (<a href="https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency">CISA</a>) and the Office of the Director of National Intelligence (<a href="https://en.wikipedia.org/wiki/Director_of_National_Intelligence">ODNI</a>) have released a document called <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF"><em>Securing the Software Supply Chain: Recommended Practices Guide for Developers</em></a> (PDF).</p><p>As David <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002684.html">remarked in his post to our mailing list</a>, it “<em>expressly</em> recommends having reproducible builds as part of ‘advanced’ recommended mitigations”. The publication of this document has been accompanied <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/">by a press release</a>.</p><hr /><p>Holger Levsen was made aware of a small Microsoft project called <em>oss-reproducible</em>. 
Part of <a href="https://github.com/microsoft/OSSGadget"><em>OSSGadget</em></a>, a larger “collection of tools for analyzing open source packages”, the purpose of <em>oss-reproducible</em> is to:</p><blockquote><p>analyze open source packages for reproducibility. We start with an existing package (for example, the NPM <code>left-pad</code> package, version 1.3.0), and we try to answer the question, <strong>Do the package contents authentically reflect the purported source code?</strong></p></blockquote><p>More details can be found in the <code>README.md</code> file <a href="https://github.com/microsoft/OSSGadget/tree/main/src/oss-reproducible">within the code repository</a>.</p><hr /><p><a href="https://bestpractices.coreinfrastructure.org/en"><img src="/images/reports/2022-09/bestpractice.png#right" alt="" /></a></p><p>David A. Wheeler also pointed out that there are some potential upcoming changes to the <a href="https://bestpractices.coreinfrastructure.org/en">OpenSSF Best Practices</a> badge for open source software in relation to reproducibility. The badge programme has <a href="https://bestpractices.coreinfrastructure.org/en/criteria">three certification levels</a> (“passing”, “silver” and “gold”), and the “gold” level includes the criterion that “The project MUST have a reproducible build”.</p><p><a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002696.html">David reported</a> that some projects have argued that this reproducibility criterion should be slightly relaxed, as outlined in an <a href="https://github.com/coreinfrastructure/best-practices-badge/issues/1865">issue on the <code>best-practices-badge</code></a> GitHub project. Essentially, the claim is that the reproducibility requirement doesn’t make sense for projects that do not release built software, and that timestamp differences by <em>themselves</em> don’t necessarily indicate malicious changes. 
Numerous pragmatic problems around excluding timestamps were raised in the discussion of the issue.</p><hr /><p><a href="https://www.sonatype.com/press-releases/sonatype-finds-700-average-increase-in-open-source-supply-chain-attacks"><img src="/images/reports/2022-09/sonatype.png#right" alt="" /></a></p><p><a href="https://www.sonatype.com/">Sonatype</a>, a “pioneer of software supply chain management”, issued a <a href="https://www.sonatype.com/press-releases/sonatype-finds-700-average-increase-in-open-source-supply-chain-attacks">press release</a> this month to report that they had found:</p><blockquote><p>[…] a massive year-over-year increase in cyberattacks aimed at open source project ecosystems. According to early data from Sonatype’s 8th annual State of the Software Supply Chain Report, which will be released in full this October, Sonatype has recorded an average 700% jump in repository attacks over the last three years.</p></blockquote><p>More information is available <a href="https://www.sonatype.com/press-releases/sonatype-finds-700-average-increase-in-open-source-supply-chain-attacks">in the press release</a>.</p><hr /><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-09/reproducible-builds.png#right" alt="" /></a></p><p>A number of changes were made to the Reproducible Builds website and documentation this month. Chris Lamb added a redirect from <a href="/projects/"><code>/projects/</code></a> to <a href="/who/"><code>/who/</code></a> in order to keep old or archived links working [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/5926d0df">…</a>], Jelle van der Waa added a <a href="https://www.rust-lang.org/">Rust</a> programming language <a href="/docs/source-date-epoch/#rust">example for <code>SOURCE_DATE_EPOCH</code></a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/ea2f4306">…</a>][<a 
href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/561d91de">…</a>] and Mattia Rizzolo included <a href="https://protocol.ai/">Protocol Labs</a> amongst our <a href="/who/sponsors/">project-level sponsors</a> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/e39c8a8e">…</a>].</p><p><br /></p><h3 id="debian">Debian</h3><p><a href="https://debian.org/"><img src="/images/reports/2022-09/debian.png#right" alt="" /></a></p><p>There was a large amount of reproducibility work taking place within <a href="https://debian.org/">Debian</a> this month:</p><ul><li><p>The <code>nfft</code> source package was removed from the archive, and <em>all</em> packages in Debian <em>bookworm</em> now have a corresponding <code>.buildinfo</code> file. This can be confirmed and tracked on the <a href="https://tests.reproducible-builds.org/debian/bookworm/amd64/index_no_buildinfos.html">associated page on the</a> <em>tests.reproducible-builds.org</em> site.</p></li><li><p>Vagrant Cascadian <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002689.html">announced on our mailing list</a> an informal online sprint to help “clear the huge backlog of reproducible builds patches submitted” by performing NMUs (<a href="https://wiki.debian.org/NonMaintainerUpload">Non-Maintainer Uploads</a>). The first such sprint took place on September 22nd with the following results:</p><ul><li><p>Holger Levsen:</p><ul><li>Mailed <a href="https://bugs.debian.org/1010957">#1010957</a> in <code>man-db</code> asking for an update and whether to remove the patch tag for now. The tag was subsequently removed and the maintainer started to address the issue.</li><li>Uploaded <code>gmp</code> to <code>DELAYED/15</code>, fixing <a href="https://bugs.debian.org/1009931">#1009931</a>.</li><li>Emailed <a href="https://bugs.debian.org/1017372">#1017372</a> in <code>plymouth</code> and asked for the maintainer’s opinion on the patch. 
This resulted in the maintainer improving Vagrant’s original patch (and uploading it) as well as <a href="https://gitlab.freedesktop.org/plymouth/plymouth/-/issues/188">filing an issue upstream</a>.</li><li>Uploaded <code>time</code> to <code>DELAYED/15</code>, fixing <a href="https://bugs.debian.org/983202">#983202</a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li>Verified and updated the patch for <code>mylvmbackup</code> (<a href="https://bugs.debian.org/782318">#782318</a>).</li><li>Verified and updated the patches for <code>libranlip</code> (<a href="https://bugs.debian.org/788000">#788000</a>, <a href="https://bugs.debian.org/846975">#846975</a> &amp; <a href="https://bugs.debian.org/1007137">#1007137</a>).</li><li>Uploaded <code>libranlip</code> to <code>DELAYED/10</code>.</li><li>Verified the patch for <code>cclive</code> (<a href="https://bugs.debian.org/824501">#824501</a>).</li><li>Uploaded <code>cclive</code> to <code>DELAYED/10</code>.</li><li>Vagrant was unable to reproduce the underlying issue within <a href="https://bugs.debian.org/791423">#791423</a> (<code>linuxtv-dvb-apps</code>) and so the bug was marked as “done”.</li><li>Researched <a href="https://bugs.debian.org/794398">#794398</a> (in <code>clhep</code>).</li></ul></li></ul><p>The plan is to repeat these sprints every two weeks, with the next taking place on <a href="https://time.is/compare/1600_06_Oct_2022_in_UTC"><strong>Thursday October 6th at 16:00 UTC</strong></a> on the <code>#debian-reproducible</code> IRC channel.</p></li><li><p>Roland Clobus posted his <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-September/002693.html">13th update of the status of reproducible Debian ISO images</a> on our mailing list. During the last month, Roland ensured that the live images are now automatically fed to <a href="https://openqa.debian.net">openQA</a> for automated testing after they have been shown to be reproducible. 
Additionally, Roland asked on the <code>debian-devel</code> mailing list about a way to determine the canonical timestamp of the Debian archive. [<a href="https://lists.debian.org/debian-devel/2022/09/msg00199.html">…</a>]</p></li><li><p>Following up on <a href="/reports/2022-08/">last month’s work on reproducible bootstrapping</a>, Holger Levsen filed two bugs against the <em>debootstrap</em> and <em>cdebootstrap</em> utilities. (<a href="https://bugs.debian.org/1019697">#1019697</a> &amp; <a href="https://bugs.debian.org/1019698">#1019698</a>)</p></li></ul><p>Lastly, 44 reviews of Debian packages were added, 91 were updated and 17 were removed this month, adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our knowledge about identified issues</a>. A number of issue types have been updated too, including the descriptions of <code>cmake_rpath_contains_build_path</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/6c4d7438">…</a>], <code>nondeterministic_version_generated_by_python_param</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/d6d81ff0">…</a>] and <code>timestamps_in_documentation_generated_by_org_mode</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/fcb9f175">…</a>]. Furthermore, two new issue types were created: <code>build_path_used_to_determine_version_or_package_name</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/4259239c">…</a>] and <code>captures_build_path_via_cmake_variables</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/a687dc93">…</a>].</p><h3 id="other-distributions">Other distributions</h3><p>In openSUSE, Bernhard M. 
Wiedemann published his usual <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/XQQ44R5MZ2HUKYXDZXUOEMTNLRFQVFBJ/">openSUSE monthly report</a>.</p><h3 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h3><p><a href="https://diffoscope.org"><img src="/images/reports/2022-09/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions <code>222</code> and <code>223</code> to Debian, and made the following changes:</p><ul><li><p>The <code>cbfstools</code> utility is now provided in Debian via the <code>coreboot-utils</code> package, so diffoscope’s coreboot (CBFS) image comparison can now be enabled within Debian. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/e21f4153">…</a>]</p></li><li><p>Looked into <a href="https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/313">Mach-O support</a>.</p></li><li><p>Fixed the <a href="https://try.diffoscope.org/"><em>try.diffoscope.org</em></a> service by addressing a compatibility issue between <code>glibc</code> and <code>seccomp</code> that was preventing the Docker-contained <em>diffoscope</em> instance from spawning any external processes whatsoever [<a href="https://salsa.debian.org/reproducible-builds/try.diffoscope.org/commit/3fa5eb9">…</a>]. 
Chris also updated the <code>requirements.txt</code> file, as some of the specified packages were no longer available [<a href="https://salsa.debian.org/reproducible-builds/try.diffoscope.org/commit/4f3f3a7">…</a>][<a href="https://salsa.debian.org/reproducible-builds/try.diffoscope.org/commit/dec1878">…</a>].</p></li></ul><p>In addition, Jelle van der Waa added support for <code>file</code> version 5.43 [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/88c08e7e">…</a>] and Mattia Rizzolo updated the packaging:</p><ul><li>Also include <code>coreboot-utils</code> in the <code>Build-Depends</code> and <code>Test-Depends</code> fields so that it is available for tests. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/5ac8ede5">…</a>]</li><li>Use <code>pep517</code> and <code>pip</code> to load the requirements. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/2f2d803f">…</a>]</li><li>Remove packages in <code>Breaks</code>/<code>Replaces</code> that have been obsoleted since the release of Debian <em>bullseye</em>. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/40cd80fc">…</a>]</li></ul><h3 id="reprotest"><a href="https://tracker.debian.org/pkg/reprotest"><em>Reprotest</em></a></h3><p><a href="https://tracker.debian.org/pkg/reprotest"><em>reprotest</em></a> is our end-user tool to build the same source code twice in widely and deliberately different environments and to check whether the binaries produced by the two builds have any differences. This month, <em>reprotest</em> version <code>0.7.22</code> was <a href="https://tracker.debian.org/news/1360152/accepted-reprotest-0722-source-into-unstable/">uploaded to Debian unstable</a> by Holger Levsen, which included the following changes by Philip Hands:</p><ul><li>Ensure that the <code>setarch(8)</code> utility can actually execute before including an architecture to test. 
[<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/aa9a790">…</a>]</li><li>Include all files matching <code>*.*deb</code> in the default <code>artifact_pattern</code> in order to archive all results of the build. [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/b2cfd30">…</a>]</li><li>Emit an error when building the Debian package if the Debian packaging version does not match the “Python” version of <em>reprotest</em>. [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/bfa0eca">…</a>]</li><li>Remove an unneeded invocation of the <code>head(1)</code> utility. [<a href="https://salsa.debian.org/reproducible-builds/reprotest/commit/48b9c11">…</a>]</li></ul><h3 id="upstream-patches">Upstream patches</h3><p>The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann (18 bugs):</p><ul><li><a href="https://github.com/zopefoundation/DateTime/issues/41"><code>DateTime</code></a> (fails to build in 2038)</li><li><a href="https://github.com/FreeRCT/FreeRCT/pull/303"><code>FreeRCT</code></a> (date-related issue)</li><li><a href="https://build.opensuse.org/request/show/1005798"><code>clanlib1</code></a> (filesystem ordering)</li><li><a href="https://github.com/cli/cli/issues/6259"><code>cli</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/1002975"><code>deepin-gettext-tools</code></a> (patch+version update toolchain sort python glob)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1203310"><code>mariadb</code></a> (fails to build in 2038)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1203317"><code>mercurial</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/1005891"><code>mirrormagic</code></a> (parallelism-related issue)</li><li><a href="https://build.opensuse.org/request/show/1005916"><code>ocaml-extlib</code></a> (parallelism-related issue)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1203311"><code>python-xmlrpc/python-softlayer</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/1003076"><code>python</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/1005783"><code>q3rally</code></a> (zip-related issue)</li><li><a href="https://build.opensuse.org/request/show/1005890"><code>rnd_jue</code></a> (parallelism-related issue)</li><li><a href="https://build.opensuse.org/request/show/1002273"><code>rsync</code></a> (workaround an issue in GCC 7.x)</li><li><a href="https://github.com/SCons/scons/pull/4239"><code>scons</code></a> (<code>SOURCE_DATE_EPOCH</code>-related issue)</li><li><a href="https://github.com/Wargus/stratagus/pull/415"><code>stratagus</code></a> (date-related issue)</li><li><a 
href="https://github.com/vranki/triplane/pull/5"><code>triplane</code></a> (nondeterminism caused by uninitialised memory)</li><li><a href="https://build.opensuse.org/request/show/1005912"><code>tyrquake</code></a> (date-related issue)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1019382">#1019382</a> filed against <a href="https://tracker.debian.org/pkg/gnome-online-accounts"><code>gnome-online-accounts</code></a>.</li><li>There was renewed activity on a reproducibility-related bug in the <a href="https://www.sphinx-doc.org/">Sphinx</a> documentation tool this month. Originally filed in October 2021 by Chris Lamb, the bug in question relates to <a href="https://github.com/sphinx-doc/sphinx/issues/9778">contents of the <code>LANGUAGE</code> environment variable inconsistently affecting the output of <code>objects.inv</code> files</a>.</li></ul></li><li><p>Jelle van der Waa:</p><ul><li><a href="https://github.com/enzo1982/mp4v2/pull/17"><code>mp4v2</code></a> (date-related issue)</li><li><a href="https://gitlab.gnome.org/GNOME/mm-common/-/merge_requests/6"><code>mm-common</code></a> (uid/gid issue)</li><li><a href="https://github.com/containers/aardvark-dns/pull/229"><code>aardvark-dns</code></a> (date-related issue)</li></ul></li><li><p>Vagrant Cascadian (70 bugs!):</p><ul><li><a href="https://bugs.debian.org/1020648">#1020648</a> filed against <a href="https://tracker.debian.org/pkg/extrepo-data"><code>extrepo-data</code></a>.</li><li><a href="https://bugs.debian.org/1020650">#1020650</a> filed against <a href="https://tracker.debian.org/pkg/tmpreaper"><code>tmpreaper</code></a>.</li><li><a href="https://bugs.debian.org/1020651">#1020651</a> filed against <a href="https://tracker.debian.org/pkg/xmlrpc-epi"><code>xmlrpc-epi</code></a>.</li><li><a href="https://bugs.debian.org/1020653">#1020653</a> filed against <a href="https://tracker.debian.org/pkg/pal"><code>pal</code></a>.</li><li><a 
href="https://bugs.debian.org/1020656">#1020656</a> filed against <a href="https://tracker.debian.org/pkg/nvram-wakeup"><code>nvram-wakeup</code></a>.</li><li><a href="https://bugs.debian.org/1020657">#1020657</a> filed against <a href="https://tracker.debian.org/pkg/netris"><code>netris</code></a>.</li><li><a href="https://bugs.debian.org/1020658">#1020658</a> filed against <a href="https://tracker.debian.org/pkg/netpbm-free"><code>netpbm-free</code></a>.</li><li><a href="https://bugs.debian.org/1020659">#1020659</a> filed against <a href="https://tracker.debian.org/pkg/lookup"><code>lookup</code></a>.</li><li><a href="https://bugs.debian.org/1020660">#1020660</a> filed against <a href="https://tracker.debian.org/pkg/logtools"><code>logtools</code></a>.</li><li><a href="https://bugs.debian.org/1020661">#1020661</a> filed against <a href="https://tracker.debian.org/pkg/libid3tag"><code>libid3tag</code></a>.</li><li><a href="https://bugs.debian.org/1020662">#1020662</a> filed against <a href="https://tracker.debian.org/pkg/log4cpp"><code>log4cpp</code></a>.</li><li><a href="https://bugs.debian.org/1020665">#1020665</a> filed against <a href="https://tracker.debian.org/pkg/libimage-imlib2-perl"><code>libimage-imlib2-perl</code></a>.</li><li><a href="https://bugs.debian.org/1020668">#1020668</a> filed against <a href="https://tracker.debian.org/pkg/jnettop"><code>jnettop</code></a>.</li><li><a href="https://bugs.debian.org/1020670">#1020670</a> filed against <a href="https://tracker.debian.org/pkg/gwaei"><code>gwaei</code></a>.</li><li><a href="https://bugs.debian.org/1020671">#1020671</a> filed against <a href="https://tracker.debian.org/pkg/ipfm"><code>ipfm</code></a>.</li><li><a href="https://bugs.debian.org/1020672">#1020672</a> filed against <a href="https://tracker.debian.org/pkg/tarlz"><code>tarlz</code></a>.</li><li><a href="https://bugs.debian.org/1020673">#1020673</a> filed against <a 
href="https://tracker.debian.org/pkg/w3cam"><code>w3cam</code></a>.</li><li><a href="https://bugs.debian.org/1020674">#1020674</a> filed against <a href="https://tracker.debian.org/pkg/ifstat"><code>ifstat</code></a>.</li><li><a href="https://bugs.debian.org/1020715">#1020715</a> filed against <a href="https://tracker.debian.org/pkg/xserver-xorg-input-joystick"><code>xserver-xorg-input-joystick</code></a>.</li><li><a href="https://bugs.debian.org/1020719">#1020719</a> filed against <a href="https://tracker.debian.org/pkg/chibicc"><code>chibicc</code></a>.</li><li><a href="https://bugs.debian.org/1020723">#1020723</a> filed against <a href="https://tracker.debian.org/pkg/python-omegaconf"><code>python-omegaconf</code></a>.</li><li><a href="https://bugs.debian.org/1020724">#1020724</a> and <a href="https://bugs.debian.org/1020725">#1020725</a> filed against <a href="https://tracker.debian.org/pkg/snapper"><code>snapper</code></a>.</li><li><a href="https://bugs.debian.org/1020736">#1020736</a> filed against <a href="https://tracker.debian.org/pkg/libreswan"><code>libreswan</code></a>.</li><li><a href="https://bugs.debian.org/1020743">#1020743</a> filed against <a href="https://tracker.debian.org/pkg/pure-ftpd"><code>pure-ftpd</code></a>.</li><li><a href="https://bugs.debian.org/1020748">#1020748</a> filed against <a href="https://tracker.debian.org/pkg/xcolmix"><code>xcolmix</code></a>.</li><li><a href="https://bugs.debian.org/1020749">#1020749</a> filed against <a href="https://tracker.debian.org/pkg/gigalomania"><code>gigalomania</code></a>.</li><li><a href="https://bugs.debian.org/1020750">#1020750</a> filed against <a href="https://tracker.debian.org/pkg/xjump"><code>xjump</code></a>.</li><li><a href="https://bugs.debian.org/1020751">#1020751</a> filed against <a href="https://tracker.debian.org/pkg/waili"><code>waili</code></a>.</li><li><a href="https://bugs.debian.org/1020752">#1020752</a> filed against <a 
href="https://tracker.debian.org/pkg/sjeng"><code>sjeng</code></a>.</li><li><a href="https://bugs.debian.org/1020753">#1020753</a> filed against <a href="https://tracker.debian.org/pkg/seqtk"><code>seqtk</code></a>.</li><li><a href="https://bugs.debian.org/1020754">#1020754</a> filed against <a href="https://tracker.debian.org/pkg/shapetools"><code>shapetools</code></a>.</li><li><a href="https://bugs.debian.org/1020755">#1020755</a> filed against <a href="https://tracker.debian.org/pkg/rotter"><code>rotter</code></a>.</li><li><a href="https://bugs.debian.org/1020756">#1020756</a> filed against <a href="https://tracker.debian.org/pkg/rakarrack"><code>rakarrack</code></a>.</li><li><a href="https://bugs.debian.org/1020757">#1020757</a> filed against <a href="https://tracker.debian.org/pkg/rig"><code>rig</code></a>.</li><li><a href="https://bugs.debian.org/1020759">#1020759</a> filed against <a href="https://tracker.debian.org/pkg/postal"><code>postal</code></a>.</li><li><a href="https://bugs.debian.org/1020798">#1020798</a> filed against <a href="https://tracker.debian.org/pkg/netkit-rsh"><code>netkit-rsh</code></a>.</li><li><a href="https://bugs.debian.org/1020800">#1020800</a> filed against <a href="https://tracker.debian.org/pkg/libapache-mod-evasive"><code>libapache-mod-evasive</code></a>.</li><li><a href="https://bugs.debian.org/1020804">#1020804</a> filed against <a href="https://tracker.debian.org/pkg/paxctl"><code>paxctl</code></a>.</li><li><a href="https://bugs.debian.org/1020805">#1020805</a> filed against <a href="https://tracker.debian.org/pkg/png23d"><code>png23d</code></a>.</li><li><a href="https://bugs.debian.org/1020806">#1020806</a> filed against <a href="https://tracker.debian.org/pkg/perl-byacc"><code>perl-byacc</code></a>.</li><li><a href="https://bugs.debian.org/1020807">#1020807</a> filed against <a href="https://tracker.debian.org/pkg/poster"><code>poster</code></a>.</li><li><a href="https://bugs.debian.org/1020808">#1020808</a> filed against <a 
href="https://tracker.debian.org/pkg/powerdebug"><code>powerdebug</code></a>.</li><li><a href="https://bugs.debian.org/1020809">#1020809</a> filed against <a href="https://tracker.debian.org/pkg/aespipe"><code>aespipe</code></a>.</li><li><a href="https://bugs.debian.org/1020810">#1020810</a> filed against <a href="https://tracker.debian.org/pkg/aewm++-goodies"><code>aewm++-goodies</code></a>.</li><li><a href="https://bugs.debian.org/1020811">#1020811</a> filed against <a href="https://tracker.debian.org/pkg/apache-upload-progress-module"><code>apache-upload-progress-module</code></a>.</li><li><a href="https://bugs.debian.org/1020812">#1020812</a> filed against <a href="https://tracker.debian.org/pkg/ascii2binary"><code>ascii2binary</code></a>.</li><li><a href="https://bugs.debian.org/1020813">#1020813</a> filed against <a href="https://tracker.debian.org/pkg/bible-kjv"><code>bible-kjv</code></a>.</li><li><a href="https://bugs.debian.org/1020814">#1020814</a> filed against <a href="https://tracker.debian.org/pkg/dradio"><code>dradio</code></a>.</li><li><a href="https://bugs.debian.org/1020815">#1020815</a> filed against <a href="https://tracker.debian.org/pkg/libapache2-mod-python"><code>libapache2-mod-python</code></a>.</li><li><a href="https://bugs.debian.org/1020816">#1020816</a> filed against <a href="https://tracker.debian.org/pkg/tempest-for-eliza"><code>tempest-for-eliza</code></a>.</li><li><a href="https://bugs.debian.org/1020817">#1020817</a> filed against <a href="https://tracker.debian.org/pkg/aplus-fsf"><code>aplus-fsf</code></a>.</li><li><a href="https://bugs.debian.org/1020866">#1020866</a> filed against <a href="https://tracker.debian.org/pkg/wrapsrv"><code>wrapsrv</code></a>.</li><li><a href="https://bugs.debian.org/1020867">#1020867</a> filed against <a href="https://tracker.debian.org/pkg/uclibc"><code>uclibc</code></a>.</li><li><a href="https://bugs.debian.org/1020870">#1020870</a> filed against <a 
href="https://tracker.debian.org/pkg/xppaut"><code>xppaut</code></a>.</li><li><a href="https://bugs.debian.org/1020872">#1020872</a> filed against <a href="https://tracker.debian.org/pkg/xvier"><code>xvier</code></a>.</li><li><a href="https://bugs.debian.org/1020873">#1020873</a> filed against <a href="https://tracker.debian.org/pkg/xserver-xorg-video-glide"><code>xserver-xorg-video-glide</code></a>.</li><li><a href="https://bugs.debian.org/1020875">#1020875</a> filed against <a href="https://tracker.debian.org/pkg/z80asm"><code>z80asm</code></a>.</li><li><a href="https://bugs.debian.org/1020876">#1020876</a> filed against <a href="https://tracker.debian.org/pkg/yaskkserv"><code>yaskkserv</code></a>.</li><li><a href="https://bugs.debian.org/1020877">#1020877</a> filed against <a href="https://tracker.debian.org/pkg/edid-decode"><code>edid-decode</code></a>.</li><li><a href="https://bugs.debian.org/1020878">#1020878</a> filed against <a href="https://tracker.debian.org/pkg/dustmite"><code>dustmite</code></a>.</li><li><a href="https://bugs.debian.org/1020879">#1020879</a> filed against <a href="https://tracker.debian.org/pkg/dustmite"><code>dustmite</code></a>.</li><li><a href="https://bugs.debian.org/1020880">#1020880</a> filed against <a href="https://tracker.debian.org/pkg/libapache2-mod-authnz-pam"><code>libapache2-mod-authnz-pam</code></a>.</li><li><a href="https://bugs.debian.org/1020881">#1020881</a> filed against <a href="https://tracker.debian.org/pkg/kafs-client"><code>kafs-client</code></a>.</li><li><a href="https://bugs.debian.org/1020882">#1020882</a> filed against <a href="https://tracker.debian.org/pkg/yaku-ns"><code>yaku-ns</code></a>.</li><li><a href="https://bugs.debian.org/1020884">#1020884</a> filed against <a href="https://tracker.debian.org/pkg/bplay"><code>bplay</code></a>.</li><li><a href="https://bugs.debian.org/1020886">#1020886</a> filed against <a href="https://tracker.debian.org/pkg/chise-base"><code>chise-base</code></a>.</li><li><a 
href="https://bugs.debian.org/1020887">#1020887</a> filed against <a href="https://tracker.debian.org/pkg/checkpw"><code>checkpw</code></a>.</li><li><a href="https://bugs.debian.org/1020888">#1020888</a> filed against <a href="https://tracker.debian.org/pkg/clamz"><code>clamz</code></a>.</li><li><a href="https://bugs.debian.org/1020889">#1020889</a> filed against <a href="https://tracker.debian.org/pkg/libapache2-mod-auth-pgsql"><code>libapache2-mod-auth-pgsql</code></a>.</li></ul></li></ul><h3 id="testing-framework">Testing framework</h3><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2022-09/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project runs a significant testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a> in order to check packages and other artifacts for reproducibility. This month, however, the following changes were made:</p><ul><li><p>Holger Levsen:</p><ul><li>Add a job to build <em>reprotest</em> from Git [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/cae18bea">…</a>] and use the correct Git branch when building it [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/012fb28e">…</a>].</li></ul></li><li><p>Mattia Rizzolo:</p><ul><li>Enable syncing of results from building live Debian ISO images. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/9e3d80df">…</a>]</li><li>Use <code>scp -p</code> in order to preserve modification times when syncing live ISO images. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/43d61a2f">…</a>]</li><li>Apply the <a href="https://www.shellcheck.net/">shellcheck</a> shell script analysis tool. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/17547cc6">…</a>]</li><li>In a build node wrapper script, remove some debugging code which was messing up calling <code>scp(1)</code> correctly [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/41fd4fd9">…</a>] and consequently add support to use both <code>scp -p</code> and regular <code>scp</code> [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ee995b43">…</a>].</li></ul></li><li><p>Roland Clobus:</p><ul><li>Track and handle the case where the Debian archive gets updated between two live image builds. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/ff1efeec">…</a>]</li><li>Remove a call to <code>sudo(1)</code> as it is not (or no longer) required to delete old <em>live-build</em> results. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/commit/e79f4ae4">…</a>]</li></ul></li></ul><h3 id="contact">Contact</h3><p>As ever, if you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. 
However, you can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item><item><title>Reproducible Builds in August 2022</title><pubDate>Fri, 09 Sep 2022 12:53:24 +0000</pubDate><link>https://reproducible-builds.org/reports/2022-08/</link><guid isPermaLink="true">https://reproducible-builds.org/reports/2022-08/</guid><description><p><a href="https://reproducible-builds.org/"><img src="/images/reports/2022-08/reproducible-builds.png#right" alt="" /></a></p><p><strong>Welcome to the August 2022 report from the <a href="https://reproducible-builds.org">Reproducible Builds</a> project!</strong> In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.</p><p>As ever, if you are interested in contributing to the project, please visit our <a href="/contribute/"><em>Contribute</em></a> page on our website.</p><h4 id="community-news">Community news</h4><p>As announced last month, registration is currently <strong>open</strong> for our <a href="/events/venice2022/">in-person summit this year</a> which is due to be held between <strong>November 1st → November 3rd</strong>. The event will take place in <strong>Venice (Italy)</strong>. 
Very soon we intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees. Please see the <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2022-July/002666.html">announcement email</a> for information about how to register.</p><hr /><p><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/"><img src="/images/reports/2022-08/nsa.png#right" alt="" /></a></p><p>The US <a href="https://en.wikipedia.org/wiki/National_Security_Agency">National Security Agency</a> (NSA), <a href="https://en.wikipedia.org/wiki/Cybersecurity_and_Infrastructure_Security_Agency">Cybersecurity and Infrastructure Security Agency</a> (CISA) and the <a href="https://en.wikipedia.org/wiki/Director_of_National_Intelligence#Office_of_the_Director_of_National_Intelligence">Office of the Director of National Intelligence</a> (ODNI) have released a document called “<em>Securing the Software Supply Chain: Recommended Practices Guide for Developers</em>” (<a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">PDF</a>) as part of their Enduring Security Framework (ESF) work.</p><p>The document expressly recommends having reproducible builds as part of “advanced” recommended mitigations, along with hermetic builds. Page 31 (page 35 in the <a href="https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF">PDF</a>) says:</p><blockquote><p>Reproducible builds provide additional protection and validation against attempts to compromise build systems. They ensure the binary products of each build system match: i.e., they are built from the same source, regardless of variable metadata such as the order of input files, timestamps, locales, and paths. 
Reproducible builds are those where re-running the build steps with identical input artifacts results in bit-for-bit identical output. Builds that cannot meet this must provide a justification why the build cannot be made reproducible.</p></blockquote><p>The <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/">full press release</a> is available online.</p><hr /><p><a href="https://appfair.net/"><img src="/images/reports/2022-08/appfair.png#right" alt="" /></a></p><p>On <a href="https://lists.reproducible-builds.org/listinfo/rb-general/">our mailing list</a> this month, Marc Prud’hommeaux posted a feature request for <em>diffoscope</em> which additionally outlines a project called <a href="https://appfair.net/">The App Fair</a>, an autonomous distribution network of free and open-source macOS and iOS applications, where “validated apps are then signed and submitted for publication”.</p><hr /><p>Author/blogger <a href="https://craphound.com/bio/">Cory Doctorow</a> published a provocative blog post this month titled “<a href="https://pluralistic.net/2022/07/28/descartes-was-an-optimist/#uh-oh">Your computer is tormented by a wicked god</a>”. Touching on Ken Thompson’s famous talk, “<a href="https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf">Reflections on Trusting Trust</a>”, the early goals of “Secure Computing” and UEFI firmware interfaces:</p><blockquote><p>This is the core of a two-decade-old debate among security people, and it’s one that the “benevolent God” faction has consistently had the upper hand in. 
They’re the “curated computing” advocates who insist that preventing you from choosing an alternative app store or side-loading a program is for your own good – because if it’s possible for you to override the manufacturer’s wishes, then malicious software may impersonate you to do so, or you might be tricked into doing so. […] This benevolent dictatorship model only works so long as the dictator is both perfectly benevolent and perfectly competent. We know the dictators aren’t always benevolent. […] But even if you trust a dictator’s benevolence, you can’t trust in their perfection. Everyone makes mistakes. Benevolent dictator computing works well, but fails badly. Designing a computer that intentionally can’t be fully controlled by its owner is a nightmare, because that is a computer that, once compromised, can attack its owner with impunity.</p></blockquote><hr /><p>Lastly, Chengyu HAN updated the <a href="/">Reproducible Builds website</a> to correct an incorrect Git command. [<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/fc235bb9">…</a>]</p><h4 id="debian">Debian</h4><p><a href="https://debian.org/"><img src="/images/reports/2022-08/debian.png#right" alt="" /></a></p><p>In <a href="https://debian.org/">Debian</a> this month, the <code>essential</code> and <code>required</code> package sets became 100% reproducible in Debian <em>bookworm</em> on the <code>amd64</code> and <code>arm64</code> architectures. 
These two subsets of the full Debian archive refer to Debian package “priority” levels as described in the <a href="https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities">§2.5 Priorities</a> section of the <a href="https://www.debian.org/doc/debian-policy/">Debian Policy</a> — there is no canonical “minimal installation” package set in Debian due to its diverse methods of installation.</p><p>As it happens, these package sets are <em>not</em> reproducible on the <code>i386</code> architecture because the <code>ncurses</code> package on that architecture is not yet reproducible, and the <code>sed</code> package currently fails to build from source on <code>armhf</code> too. The full list of reproducible packages within these package sets can be viewed within our QA system, such as on the page of <a href="https://tests.reproducible-builds.org/debian/bookworm/amd64/pkg_set_required.html"><code>required</code> packages in <code>amd64</code></a> and the list of <a href="https://tests.reproducible-builds.org/debian/bookworm/arm64/pkg_set_essential.html"><code>essential</code> packages on <code>arm64</code></a>, both for Debian <em>bullseye</em>.</p><hr /><p>It has recently become very easy to install reproducible Debian Docker containers using <code>podman</code> on Debian bullseye:</p><pre><code>$ sudo apt install podman
$ podman run --rm -it debian:bullseye bash</code></pre><p>The (pre-built) image used is itself built using <a href="https://github.com/debuerreotype/debuerreotype"><em>debuerreotype</em></a>, as explained on <a href="https://docker.debian.net/"><em>docker.debian.net</em></a>. 
This page also details how to build the image yourself and what checksums are expected if you do so.</p><hr /><p>Related to this, it has also become straightforward to reproducibly bootstrap Debian using <a href="https://gitlab.mister-muffin.de/josch/mmdebstrap"><em>mmdebstrap</em></a>, a replacement for the usual <em>debootstrap</em> tool to create Debian root filesystems:</p><pre><code>$ SOURCE_DATE_EPOCH=$(date --utc --date=2022-08-29 +%s) mmdebstrap unstable &gt; unstable.tar</code></pre><p>This works for (at least) Debian <em>unstable</em>, <em>bullseye</em> and <em>bookworm</em>, and is tested automatically by a number of QA jobs set up by Holger Levsen (<a href="https://jenkins.debian.net/job/reproducible_mmdebstrap_unstable/"><em>unstable</em></a>, <a href="https://jenkins.debian.net/job/reproducible_mmdebstrap_bookworm/"><em>bookworm</em></a> and <a href="https://jenkins.debian.net/job/reproducible_mmdebstrap_bullseye/"><em>bullseye</em></a>).</p><hr /><p>Work has also taken place to ensure that the canonical <em>debootstrap</em> and <em>cdebootstrap</em> tools are <em>also</em> capable of bootstrapping Debian reproducibly, although it currently requires a few extra steps:</p><ol><li><p>“Clamping” the modification time of files that are newer than <code>$SOURCE_DATE_EPOCH</code> to be not greater than <code>SOURCE_DATE_EPOCH</code>.</p></li><li><p>Deleting a few files. 
For <em>debootstrap</em>, this requires the deletion of <code>/etc/machine-id</code>, <code>/var/cache/ldconfig/aux-cache</code>, <code>/var/log/dpkg.log</code>, <code>/var/log/alternatives.log</code> and <code>/var/log/bootstrap.log</code>, and for <em>cdebootstrap</em> we also need to delete the <code>/var/log/apt/history.log</code> and <code>/var/log/apt/term.log</code> files as well.</p></li></ol><p>This process works at least for <em>unstable</em>, <em>bullseye</em> and <em>bookworm</em> and is now being tested automatically by a number of QA jobs set up by Holger Levsen [<a href="https://jenkins.debian.net/job/reproducible_debootstrap_bullseye/">…</a>][<a href="https://jenkins.debian.net/job/reproducible_debootstrap_bookworm/">…</a>][<a href="https://jenkins.debian.net/job/reproducible_debootstrap_unstable/">…</a>][<a href="https://jenkins.debian.net/job/reproducible_cdebootstrap_bullseye/">…</a>][<a href="https://jenkins.debian.net/job/reproducible_cdebootstrap_bookworm/">…</a>][<a href="https://jenkins.debian.net/job/reproducible_cdebootstrap_unstable/">…</a>]. As part of this work, Holger filed two bugs to request a better initialisation of the <code>/etc/machine-id</code> file in both <em>debootstrap</em> [<a href="https://bugs.debian.org/1018740">…</a>] and <em>cdebootstrap</em> [<a href="https://bugs.debian.org/1018741">…</a>].</p><hr /><p>Elsewhere in Debian, 131 reviews of Debian packages were added, 20 were updated and 27 were removed this month, adding to <a href="https://tests.reproducible-builds.org/debian/index_issues.html">our extensive knowledge about identified issues</a>. 
Chris Lamb added a number of issue types, including: <code>randomness_in_browserify_output</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/b2d75f42">…</a>], <code>haskell_abi_hash_differences</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/732f0fc1">…</a>], <code>nondeterministic_ids_in_html_output_generated_by_python_sphinx_panels</code> [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/3c9fbbcb">…</a>]. Lastly, Mattia Rizzolo removed the <code>deterministic</code> flag from the <code>captures_kernel_variant</code> flag [<a href="https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/83ea690e">…</a>].</p><h4 id="other-distributions">Other distributions</h4><p><a href="https://guix.gnu.org/"><img src="/images/reports/2022-08/guix.png#right" alt="" /></a></p><p>Vagrant Cascadian posted an <a href="https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00161.html">update of the status of Reproducible Builds in GNU Guix</a>, writing that:</p><blockquote><p><code>Ignoring the pesky unknown packages, it is more like ~93% reproducible and ~7% unreproducible... that feels a bit better to me!</code></p><p><code>These numbers wander around over time, mostly due to packages moving back into an "unknown" state while the build farms catch up with each other... although the above numbers seem to have been pretty consistent over the last few days.</code></p></blockquote><p>The <a href="https://lists.gnu.org/archive/html/guix-devel/2022-08/msg00161.html">post itself</a> contains a lot more details, including a brief discussion of tooling.</p><p>Elsewhere in GNU Guix, however, Vagrant updated a number of packages such as <code>itpp</code> [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=b30614b28cdc4eb893eeea4523109769f913499e">…</a>], <code>perl-class-methodmaker</code> [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f31e55d0819064557b9a2af687f05b131f5c4f26">…</a>], <code>libnet</code> [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=d2b85f8906489fb95d8be41d6ba9fd520a5967d0">…</a>], <code>directfb</code> [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=397b103bef313c84eb662051fbcd28e223806bd3">…</a>] and <code>mm-common</code> [<a href="https://issues.guix.gnu.org/57304">…</a>], as well as updated the version of <em>reprotest</em> to 0.7.21 [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f030ae422b6d13a7a21158d9a37c9760597d1573">…</a>].</p><p><a href="https://www.opensuse.org/"><img src="/images/reports/2022-08/opensuse.png#right" alt="" /></a></p><p>In openSUSE, Bernhard M. Wiedemann published his usual <a href="https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/KXF3OGYAJMGB5LU2QJJZSOCIAL22JUBU/">openSUSE monthly report</a>.</p><h4 id="diffoscope"><a href="https://diffoscope.org">diffoscope</a></h4><p><a href="https://diffoscope.org"><img src="/images/reports/2022-08/diffoscope.png#right" alt="" /></a></p><p><a href="https://diffoscope.org"><em>diffoscope</em></a> is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. 
This month, Chris Lamb prepared and uploaded versions <code>220</code> and <code>221</code> to Debian, as well as made the following changes:</p><ul><li>Update <code>external_tools.py</code> to reflect changes to <code>xxd</code> and the <code>vim-common</code> package. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/c6432ec7">…</a>]</li><li>Depend on the dedicated <code>xxd</code> package now, not the <code>vim-common</code> package. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/8a823c69">…</a>]</li><li>Don’t crash if we can <em>open</em> a PDF file using the <a href="https://pybrary.net/pyPdf/">PyPDF</a> library, but cannot subsequently parse the annotations within. [<a href="https://salsa.debian.org/reproducible-builds/diffoscope/commit/dbeab9e3">…</a>]</li></ul><p>In addition, Vagrant Cascadian updated <em>diffoscope</em> in <a href="https://www.gnu.org/software/guix/">GNU Guix</a>, first to version 220 [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=04ef952a4928a427fa3d778e23d4e99299c9fa5a">…</a>] and later to 221 [<a href="https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ec6122250de7c83a7e77054584a34767b11337db">…</a>].</p><h4 id="community-news-1">Community news</h4><p>The Reproducible Builds project aims to fix as many currently-unreproducible packages as possible as well as to send all of our patches upstream wherever appropriate. This month we created a number of patches, including:</p><ul><li><p>Bernhard M. 
Wiedemann:</p><ul><li><a href="https://build.opensuse.org/request/show/1000142"><code>at-spi-sharp</code></a> (build failure when built on a multiprocessor machine).</li><li><a href="https://github.com/borgbackup/borg/issues/6996"><code>borgbackup</code></a> (fails to build in 2038, <a href="https://build.opensuse.org/request/show/999784">fix</a>)</li><li><a href="https://build.opensuse.org/request/show/1000483"><code>buzztrax</code></a> (parallelism-related issue)</li><li><a href="https://build.opensuse.org/request/show/993689"><code>chart-testing</code></a> (date-related issue)</li><li><a href="https://github.com/memcached/memcached/pull/927"><code>memcached</code></a> (fails to build in 2038)</li><li><a href="https://github.com/nim-lang/Nim/issues/20285"><code>nim</code></a> (fails to build in 2038)</li><li><a href="https://github.com/chansen/p5-time-moment/pull/48"><code>perl-Time-Moment</code></a> (fails to build in 2038)</li><li><a href="https://github.com/py-bson/bson/pull/117"><code>python-bson</code></a> (fails to build in 2038)</li><li><a href="https://review.opendev.org/c/openstack/python-heatclient/+/855083"><code>python-heatclient</code></a> (fails to build in 2038)</li><li><a href="https://bugzilla.opensuse.org/show_bug.cgi?id=1202666"><code>python3.8</code></a> (fails to build in 2038)</li><li><a href="https://build.opensuse.org/request/show/992182"><code>reproducible-faketools</code></a></li><li><a href="https://github.com/s3fs-fuse/s3fs-fuse/pull/2026"><code>s3fs</code></a> (date-related issue)</li><li><a href="https://build.opensuse.org/request/show/994525"><code>systemd</code></a> (date-related issue)</li></ul></li><li><p>Chris Lamb:</p><ul><li><a href="https://bugs.debian.org/1016486">#1016486</a> filed against <a href="https://tracker.debian.org/pkg/wayfire"><code>wayfire</code></a>.</li><li><a href="https://bugs.debian.org/1016583">#1016583</a> filed against <a 
href="https://tracker.debian.org/pkg/multipath-tools"><code>multipath-tools</code></a>.</li><li><a href="https://bugs.debian.org/1016584">#1016584</a> filed against <a href="https://tracker.debian.org/pkg/node-canvas-confetti"><code>node-canvas-confetti</code></a>.</li><li><a href="https://bugs.debian.org/1017473">#1017473</a> filed against <a href="https://tracker.debian.org/pkg/psi"><code>psi</code></a> (<a href="https://github.com/psi-im/psi/pull/699">forwarded upstream</a>).</li><li><a href="https://bugs.debian.org/1017475">#1017475</a> filed against <a href="https://tracker.debian.org/pkg/sphinx-panels"><code>sphinx-panels</code></a> (<a href="https://github.com/executablebooks/sphinx-panels/pull/82">forwarded upstream</a>).</li><li><a href="https://bugs.debian.org/1017920">#1017920</a> filed against <a href="https://tracker.debian.org/pkg/sysfsutils"><code>sysfsutils</code></a>.</li><li><a href="https://bugs.debian.org/1017945">#1017945</a> filed against <a href="https://tracker.debian.org/pkg/geeqie"><code>geeqie</code></a>.</li></ul></li><li><p>Vagrant Cascadian:</p><ul><li><a href="https://bugs.debian.org/1017073">#1017073</a> filed against <a href="https://tracker.debian.org/pkg/python-suntime"><code>python-suntime</code></a>.</li><li><a href="https://bugs.debian.org/1017372">#1017372</a> filed against <a href="https://tracker.debian.org/pkg/plymouth"><code>plymouth</code></a>.</li><li><a href="https://bugs.debian.org/1017373">#1017373</a> filed against <a href="https://tracker.debian.org/pkg/tiemu"><code>tiemu</code></a>.</li><li><a href="https://bugs.debian.org/1017421">#1017421</a> filed against <a href="https://tracker.debian.org/pkg/fltk1.3"><code>fltk1.3</code></a>.</li><li><a href="https://bugs.debian.org/1018802">#1018802</a> filed against <a href="https://tracker.debian.org/pkg/localechooser"><code>localechooser</code></a>.</li><li><a href="https://lists.denx.de/pipermail/u-boot/2022-August/492156.html"><code>uboot</code></a> (Rasmus Villemoes 
proposed fixing gcc instead [<a href="https://gcc.gnu.org/pipermail/gcc-patches/2022-August/600491.html">…</a>][<a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93371">…</a>])</li></ul></li></ul><h4 id="testing-framework">Testing framework</h4><p><a href="https://tests.reproducible-builds.org/"><img src="/images/reports/2022-08/testframework.png#right" alt="" /></a></p><p>The Reproducible Builds project runs a significant testing framework at <a href="https://tests.reproducible-builds.org">tests.reproducible-builds.org</a>, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:</p><ul><li><p>Debian-related changes:</p><ul><li>Temporarily add Debian <em>unstable</em> <code>deb-src</code> lines to enable test builds for a <a href="https://wiki.debian.org/NonMaintainerUpload">Non-maintainer Upload</a> (NMU) campaign targeting 708 sources without <code>.buildinfo</code> files found in Debian <em>unstable</em>, including 475 in bookworm. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/87cf75b0">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/2ddfa8e1">…</a>]</li><li>Correctly deal with the <a href="https://wiki.debian.org/DebianEdu/">Debian Edu</a> packages not being installable. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/c6503196">…</a>]</li><li>Finally, stop scheduling <em>stretch</em>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/40c48f0b">…</a>]</li><li>Make sure all Ubuntu nodes have the <code>linux-image-generic</code> kernel package installed. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/61f1c057">…</a>]</li></ul></li><li><p>Health checks &amp; view:</p><ul><li>Detect <a href="https://www.openssh.com/">SSH</a> login problems. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/6a98f816">…</a>]</li><li>Only report the first uninstallable package set. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/c69cb969">…</a>]</li><li>Show new bootstrap jobs [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/2d64b3ee">…</a>] and <em>debian-live</em> jobs [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/73cc19d3">…</a>] in the job health view.</li><li>Fix regular expression to detect various zombie jobs. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/c42d00ff">…</a>]</li></ul></li><li><p>New jobs:</p><ul><li>Add a new job to test reproducibility of the <a href="https://gitlab.mister-muffin.de/josch/mmdebstrap"><em>mmdebstrap</em></a> bootstrapping tool. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/1a4bf7a5">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/2ecb9c31">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/79810a93">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e2885c3e">…</a>]</li><li>Run our new <em>mmdebstrap</em> job remotely. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/088d6d77">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/2f11e8cf">…</a>]</li><li>Improve the output of the <em>mmdebstrap</em> job. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/b40cee9e">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/41612318">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/1333cb55">…</a>]</li><li>Adjust the <em>mmdebstrap</em> script to additionally support <em>debootstrap</em>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/6294d6df">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/297b9827">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/bf292af4">…</a>]</li><li>Work around <em>mmdebstrap</em> and <em>debootstrap</em> keeping logfiles within their artifacts. 
[<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/955cc9ba">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/06f47311">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/4bdda15e">…</a>]</li><li>Add support for testing <em>cdebootstrap</em> too and add such a job for unstable. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/c1bd3041">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/f71341bb">…</a>][<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/835bdc62">…</a>]</li><li>Use a reproducible value for <code>SOURCE_DATE_EPOCH</code> for all our new bootstrap jobs. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/262045c5">…</a>]</li></ul></li><li><p>Misc changes:</p><ul><li>Send the <code>create_meta_pkg_sets</code> notification to <code>#debian-reproducible-changes</code> instead of <code>#debian-reproducible</code>. [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/afbd1d10">…</a>]</li></ul></li></ul><p>In addition, Roland Clobus re-enabled the tests for <em>live-build</em> images [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e4d7f0b5">…</a>] and added a feature where the build would retry instead of giving up when the archive was synced whilst building an ISO [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/7b28da62">…</a>], and Vagrant Cascadian added logging to report the current target of the <code>/bin/sh</code> symlink [<a href="https://salsa.debian.org/qa/jenkins.debian.net/-/commit/e4776858">…</a>].</p><h4 id="contact">Contact</h4><p>As ever, if you are interested in contributing to the Reproducible Builds project, please visit our <a href="https://reproducible-builds.org/contribute/"><em>Contribute</em></a> page on our website. 
However, you can get in touch with us via:</p><ul><li><p>IRC: <code>#reproducible-builds</code> on <code>irc.oftc.net</code>.</p></li><li><p>Twitter: <a href="https://twitter.com/ReproBuilds">@ReproBuilds</a></p></li><li><p>Mailing list: <a href="https://lists.reproducible-builds.org/listinfo/rb-general"><code>rb-general@lists.reproducible-builds.org</code></a></p></li></ul></description></item></channel></rss>
