Compare revisions
Commits on Source (2)
......@@ -3,20 +3,25 @@ layout: report
year: "2024"
month: "05"
title: "Reproducible Builds in May 2024"
draft: true
draft: false
date: 2024-06-08 10:30:00
---
[![]({{ "/images/reports/2024-05/reproducible-builds.png#right" | relative_url }})]({{ "/" | relative_url }})
**Welcome to the May 2024 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In these reports, we try to outline what we have been up to over the past month and highlight news items in software supply-chain security more broadly. As ever, if you are interested in contributing to the project, please visit our [*Contribute*]({{ "/contribute/" | relative_url }}) page on our website.
<!--
**Table of contents:**
*(Generated prior to publication)*
-->
0. [*A peek into build provenance for Homebrew*](#a-peek-into-build-provenance-for-homebrew)
0. [Distribution news](#distribution-news)
0. [Mailing list news](#mailing-list-news)
0. [Miscellaneous news](#miscellaneous-news)
0. [Two new academic papers](#two-new-academic-papers)
0. [*diffoscope*](#diffoscope)
0. [Website updates](#website-updates)
0. [Upstream patches](#upstream-patches)
0. [Reproducibility testing framework](#reproducibility-testing-framework)
---
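Review bot: this hunk is the publication flip (draft: true to draft: false, with date 2024-06-08 10:30:00 added), but the table of contents below it is hand-edited despite the comment "(Generated prior to publication)"; since this same comparison also renames a section heading, confirm before publishing that every anchor listed here (for example #two-new-academic-papers and #mailing-list-news) matches the rendered heading ids, otherwise the links will silently 404 within the page.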
......@@ -24,6 +29,8 @@ draft: true
### [*A peek into build provenance for Homebrew*](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
[![]({{ "/images/reports/2024-05/homebrew.png#right" | relative_url }})](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/)
Joe Sweeney and William Woodruff on the [Trail of Bits](https://www.trailofbits.com/) blog wrote an [extensive post about build provenance](https://blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/) for [Homebrew](https://brew.sh/), the third-party package manager for MacOS. Their post details how each "bottle" (i.e. each release):
> […] built by Homebrew will come with a cryptographically verifiable statement binding the bottle’s content to the specific workflow and other build-time metadata that produced it. […] In effect, this injects **greater transparency** into the Homebrew build process, and **diminishes the threat** posed by a compromised or malicious insider by making it impossible to trick ordinary users into installing non-CI-built bottles.
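Review bot: style point on the unchanged context line in this hunk: "the third-party package manager for MacOS" should read "macOS" (Apple's spelling); since the paragraph is already being touched to add the homebrew.png image link, this is a cheap fix to fold in.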
......@@ -44,20 +51,33 @@ In Debian this month, Johannes Schauer Marin Rodrigues (aka *josch*) noticed tha
In response to this, Holger Levsen performed an analysis of all `.buildinfo` files and found that this needs almost 1,500 [binNMUs](https://wiki.debian.org/NonMaintainerUpload) to fix the fallout from this bug.
Elsewhere in Debian, Vagrant Cascadian posted about a [Non-Maintainer Upload (NMU) sprint](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003404.html) to take place during early June, and it was announced that there is now a `#debian-snapshot` IRC channel on OFTC to discuss the creation of a new source code archiving service to, perhaps, replace [*snapshot.debian.org*](https://snapshot.debian.org/). Lastly, 11 reviews of Debian packages were added, 15 were updated and 48 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types have been updated by Chris Lamb as well. [[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5fda7f6e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cf46a837)]
<br>
Elsewhere in Debian, Vagrant Cascadian posted about a [Non-Maintainer Upload (NMU) sprint](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003404.html) to take place during early June, and it was announced that there is now a `#debian-snapshot` IRC channel on OFTC to discuss the creation of a new source code archiving service to, perhaps, replace [*snapshot.debian.org*](https://snapshot.debian.org/).
[![]({{ "/images/reports/2024-05/freebsd.png#right" | relative_url }})](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
Lastly, 11 reviews of Debian packages were added, 15 were updated and 48 were removed this month adding to [our extensive knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). A number of issue types have been updated by Chris Lamb as well. [[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/5fda7f6e)][[…](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/cf46a837)]
Elsewhere in the world of distributions, deep within a [larger announcement from Colin Percival about the release of version 14.1-BETA2](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html), it was mentioned that the [FreeBSD](https://www.freebsd.org/) kernels are now built reproducibly.
<br>
[![]({{ "/images/reports/2024-05/freebsd.png#right" | relative_url }})](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html)
[![]({{ "/images/reports/2024-05/fedora.png#right" | relative_url }})](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds)
Elsewhere in the world of distributions, deep within a [larger announcement from Colin Percival about the release of version 14.1-BETA2](https://lists.freebsd.org/archives/freebsd-stable/2024-May/002133.html), it was mentioned that the [FreeBSD](https://www.freebsd.org/) kernels are now built reproducibly.
In Fedora, however, the change proposal mentioned in [our report for April 2024]({{ "/reports/2024-04/" | relative_url }}) was approved, so, per the [ReproduciblePackageBuilds](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds) wiki page, the [*add-determinism*](https://github.com/keszybz/add-determinism) tool is now running in new builds for Fedora 41 ('rawhide'). The *add-determinism* tool is a Rust program which, as its name suggests, adds determinism to files that are given as input by "attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to `$SOURCE_DATE_EPOCH` in all instances". This is essentially the Fedora version of Debian's *strip-nondeterminism*. However, *strip-nondeterminism* is written in Perl, and Fedora did not want to pull Perl in the `buildroot` for every package. The *add-determinism* tool eliminates many causes of non-determinism and work is ongoing to continue the scope of packages it can operate on.
<br>
### Mailing list news
On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month, regular contributor *kpcyrd* wrote to the list [with an update on their source code indexing project, *whatsrc.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003407.html). The [whatsrc.org](https://whatsrc.org/) project, which was launched last month in response to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), now contains and indexes almost 250,000 unique source code archives. In their post, *kpcyrd* gives an example of its intended purpose, noting that it shown that whilst "there seems to be consensus about [the] source code for zsh 5.9" in various Linux distributions, it "does not align with the contents of the zsh Git repository".
Holger Levsen also posted to the list with a ['pre-announcement' of sorts for the 2024 Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003411.html). In particular:
> [Whilst] the dates and location are not fixed yet, however if you don' help us with finding a suitable location *soon*, it is very likely that we'll meet again in **Hamburg in the 2nd half of September 2024** […].
Lastly, Frederic-Emmanuel Picca wrote to the list asking for help understanding the "[non-reproducible status of the Debian `silx` package"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003393.html) and received replies from both [Vagrant Cascadian](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003394.html) and [Chris Lamb](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003396.html).
<br>
On the fedora side, the change proposal mentioned in [April 2024](https://reproducible-builds.org/reports/2024-04/)'s report was approved, so per [ReproduciblePackageBuilds](https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds) the [add-determinism](https://github.com/keszybz/add-determinism) tool is now running in new builds for Fedora 41 (rawhide). The add-determinism tool is a Rust program which, as its name suggests, adds determinism to files that are given as input by "attempting to standardize metadata contained in binary or source files to ensure consistency and clamping to `$SOURCE_DATE_EPOCH` in all instances". This is essentially the "Fedora version" of Debian's strip-nondeterminism. strip-nondeterminism is written in perl, and Fedora doesn't want to pull perl in the buildroot for every package. The add-determinism tool eliminates many causes of non-determinism. Work is ongoing to continue the scope of packages it can operate on.
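Review bot: in the rewritten Fedora paragraph, "work is ongoing to continue the scope of packages it can operate on" is awkward in both the old and the new wording; "extend the scope" is almost certainly what is meant. Two smaller points in the relocated Mailing list section: the summit quotation carries "if you don' help us" verbatim from the original mail, so either mark it "[sic]" or bracket the correction as "[don't]" to show it is an editorial fix, and "noting that it shown that whilst" in the *whatsrc.org* paragraph is missing a word ("it has shown" or "it showed").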
### Miscellaneous news
......@@ -85,7 +105,7 @@ Lastly, it was observed that there was a concise and diagrammatic overview of "[
<br>
### Two new academic papers published
### Two new academic papers
Two new scholarly papers were published this month.
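Review bot: the heading rename from "Two new academic papers published" to "Two new academic papers" matches the #two-new-academic-papers anchor used in the front-matter table of contents, so the link stays valid; no further change needed here.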
......@@ -109,24 +129,6 @@ Secondly, Ludovic Courtès, Timothy Sample, Simon Tournier and Stefano Zacchirol
<br>
### Mailing list news
On [our mailing list](https://lists.reproducible-builds.org/listinfo/rb-general/) this month:
Regular contributor *kpcyrd* wrote to the list [with an update on their source code indexing project, *whatsrc.org*](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003407.html). The [whatsrc.org](https://whatsrc.org/) project, which was launched last month in response to the [XZ Utils backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor), now contains and indexes almost 250,000 unique source code archives. In their post, *kpcyrd* gives an example of its intended purpose, noting that it shown that whilst "there seems to be consensus about [the] source code for zsh 5.9" in various Linux distributions, it "does not align with the contents of the zsh Git repository".
<br>
Holger Levsen posted to the list with a ['pre-announcement' of sorts for the 2024 Reproducible Builds summit](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003411.html). In particular:
> [Whilst] the dates and location are not fixed yet, however if you don' help us with finding a suitable location *soon*, it is very likely that we'll meet again in **Hamburg in the 2nd half of September 2024** […].
<br>
Lastly, Frederic-Emmanuel Picca wrote to the list asking for help understanding the "[non-reproducible status of the Debian `silx` package"](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003393.html) and received replies from both [Vagrant Cascadian](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003394.html) and [Chris Lamb](https://lists.reproducible-builds.org/pipermail/rb-general/2024-May/003396.html).
<br>
### [*diffoscope*](https://diffoscope.org)
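Review bot: this hunk deletes the old Mailing list news section in favour of the copy moved above Miscellaneous news; all three items (kpcyrd's *whatsrc.org* update, Holger Levsen's summit pre-announcement, and Frederic-Emmanuel Picca's `silx` question) survive the move, but the standalone intro line "On our mailing list this month:" and the `<br>` separators between items were dropped in the relocated copy, so the three items now run together as consecutive paragraphs. Check the rendered page to confirm that spacing is consistent with the other sections of the report.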
Image files changed in this comparison: images/reports/2024-05/hal-04582287.png (49.9 KiB and 39.5 KiB versions), images/reports/2024-05/hal-04586520.png (46.4 KiB and 37 KiB versions), and images/reports/2024-05/homebrew.png (10.9 KiB).