---
layout: new/blog
week: 191
published: 2018-12-25 12:01:43
---
Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday December 16 and Saturday December 22 2018:
[![](/images/blog/191/header.png#center)](https://reproducible-builds.org/)
* The [F-Droid](https://f-droid.org) project, an catalogue of free-software applications for the Android platform, have published a page on their website [describing their adoption and implementation of reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/).
Merry Christmas from everybody working on reproducible builds. 🎅 Here's what happened in the [Reproducible Builds](https://reproducible-builds.org) effort between Sunday December 16 and Saturday December 22 2018:
* [Dave Rosenthal](https://blog.dshr.org/) wrote about [securing the software supply chain](https://blog.dshr.org/2018/12/securing-software-supply-chain.html) touching on reproducible builds, certificate transparency, etc. In addition, Avery ("apenwarr") Pennarun wrote a blog post entitled "[mtime comparison considered harmful](https://apenwarr.ca/log/20181113)".
* The [F-Droid](https://f-droid.org) project, an catalogue of free-software applications for the Android platform published a page on their website [describing their adoption and implementation of reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/).
* Chris Lamb updated `strip-nondeterminism` (our tool to post-process files to remove known non-deterministic output):
* [Dave Rosenthal](https://blog.dshr.org/) wrote about [securing the software supply chain](https://blog.dshr.org/2018/12/securing-software-supply-chain.html) touching on reproducible builds and certificate transparency, etc. In addition, Avery ("apenwarr") Pennarun wrote a blog post entitled "[mtime comparison considered harmful](https://apenwarr.ca/log/20181113)".
* [Chris Lamb](https://chris-lamb.co.uk/) updated `strip-nondeterminism`, our tool to post-process files to remove known non-deterministic output:
* Remove `javaproperties` handler after Emmanuel Bourg's patch was released in `openjdk-11` version `11.0.1+13-3`. ([#914289](https://bugs.debian.org/914289))
* Drop `.ar` handler; `binutils` is reproducible. ([#781262](https://bugs.debian.org/781262), [#843811](https://bugs.debian.org/843811))
* Ignore encrypted `.zip` files as we can never normalise them. ([#852207](https://bugs.debian.org/852207))
* Drop `.ar` handler as `binutils` is reproducible. ([#781262](https://bugs.debian.org/781262), [#843811](https://bugs.debian.org/843811))
* Ignore encrypted `.zip` files as we can never normalise them by definition. ([#852207](https://bugs.debian.org/852207))
* As part of the [Software Freedom Conservancy](https://sfconservancy.org)'s fundraiser, Josh Triplett [referenced us in a short interview](https://sfconservancy.org/blog/2018/dec/18/JoshT/):
> Reproducible Builds represents one of those ideas where the goal seems obvious and yet the execution requires an incredible and pervasive effort across the industry, and the people working on it have done an amazing job.
> Reproducible Builds represents one of those ideas where the goal seems obvious and yet the execution requires an incredible and pervasive effort across the industry, and the people working on it have done an amazing job…
* [Joachim Breitner](http://www.joachim-breitner.de/blog) wrote a blog post titled "[Thoughts on Bootsrapping GHC](http://www.joachim-breitner.de/blog/748-Thoughts_on_bootstrapping_GHC)", attempting to answer the question of "how can we build a whole operating system from just and only source code, using very little, or even no, binary seeds or auto-generated files."
* A full and in-depth report about [our recent summit](https://reproducible-builds.org/events/paris2018/) is being prepared but in the meantime [there were further reports published](https://discourse.nixos.org/t/reproducible-builds-summit-report/1683/2) from [NixOS](https://nixos.org/) developers `zimbatm`, `Profpatsch` and `lewo`.
* Reproducible Builds were mentioned in [Episode 2](https://librelounge.org/episodes/episode-2-thanksgiving-npm-and-malware-in-free-software.html) of the [Libre Lounge](https://librelounge.org/) podcast in a more-general discussion about software supply chains around the recent [NPM event-stream attack](https://blog.bitpay.com/npm-package-vulnerability-copay/). ([Direct link](https://pca.st/6mqx#t=42m3s))
* Reproducible builds were mentioned in [Episode 2](https://librelounge.org/episodes/episode-2-thanksgiving-npm-and-malware-in-free-software.html) of the [Libre Lounge](https://librelounge.org/) podcast in a more-general discussion about software supply chains around the recent [NPM event-stream attack](https://blog.bitpay.com/npm-package-vulnerability-copay/). ([Direct link](https://pca.st/6mqx#t=42m3s))
* Julian Hyde posted to the Apache "Incubator" mailing list discussing the [differences between their binary and source releases](https://lists.apache.org/thread.html/ceb357513ff0403414b5fff7dbeb1ea43961e71f9e48425d6e3cea8f@%3Cgeneral.incubator.apache.org%3E) and how they should correlate.
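Review bot: the rewritten F-Droid bullet still carries the article error "an catalogue of free-software applications"; it should read "a catalogue", and dropping the comma before "published" leaves "for the Android platform published a page", so either restore "has published" or keep the comma. The Dave Rosenthal line now says "touching on reproducible builds and certificate transparency, etc.", where "and ... etc." doubles up; keep the list form "reproducible builds, certificate transparency, etc." or drop "etc.". Two unchanged context lines are worth fixing in the same commit: the Joachim Breitner link text reads "Bootsrapping" (the post title is "bootstrapping"), and the Josh Triplett quotation gained a trailing ellipsis, which is fine only if the interview text continues past "amazing job"; otherwise the plain full stop of the previous version was correct.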
......@@ -33,11 +36,11 @@ Here's what happened in the [Reproducible Builds](https://reproducible-builds.or
* The blog for the [Go programming language](https://golang.org) posted their [plans for Go modules in 2019](https://blog.golang.org/modules2019#TOC_5) which include providing a "notary" service. As some background to the problem:
> Today, `go get` relies on connection-level authentication (HTTPS or SSH) to check that it is talking to the right server to download code. There is no additional check of the code itself, leaving open the possibility of man-in-the-middle attacks if the HTTPS or SSH mechanisms are compromised in some way. Decentralization means that the code for a build is fetched from many different servers, which means the build depends on many systems to serve correct code.
> Today `go get` relies on connection-level authentication (HTTPS or SSH) to check that it is talking to the right server to download code. There is no additional check of the code itself, leaving open the possibility of man-in-the-middle attacks if the HTTPS or SSH mechanisms are compromised in some way. Decentralization means that the code for a build is fetched from many different servers, which means the build depends on many systems to serve correct code.
* 6 Debian package reviews were added, 10 were updated and 11 were removed in this week, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html).
* On January 9th 2019, [Chris Lamb](https://chris-lamb.co.uk/) will speak at [Université de Rennes](https://www.univ-rennes1.fr/), France on reproducible builds.
* On January 9th 2019, Chris Lamb will speak at [Université de Rennes](https://www.univ-rennes1.fr/), France on reproducible builds.
## Packages reviewed and fixed, and bugs filed
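Review bot: the only edit to the block-quoted Go blog passage is removing the comma after "Today"; a quotation should reproduce its source verbatim, so unless the Go blog's own text lacks that comma, revert this change rather than silently altering quoted punctuation. Two smaller wording points in the same hunk: "in this week" in the package-reviews line reads better as "this week", and the Rennes line wants a comma after the country, "Université de Rennes, France, on reproducible builds", now that the link on Chris Lamb's name has moved to his first mention above.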
......@@ -70,8 +73,8 @@ There were a number of updates to our [Jenkins](https://jenkins.io/)-based testi
* Misc/generic changes:
* Don't use existing hosts as example. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/3c660d2d)]
* Add link to database schema. (Thanks for Bernhard M. Wiedemann for pointing out that was missing.) [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/31ff1930)]
* Thank the [OSU Open Source Lab from Oregon State University (OSUOSL)](https://osuosl.org/) for hosting the new `amd64` nodes [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7afe284)] as well as add the new nodes themselves ([[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8ea537f4)] & [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4160dbf6)]), perform the various networking configuration [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/710b804c)] and other various tweaks [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/01d0462f)].
* Various bits node maintenance. (eg. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c6298df6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7b275c0a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1bdb6b3f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/958278ae)])
* Thank the [OSU Open Source Lab from Oregon State University (OSUOSL)](https://osuosl.org/) for hosting the new `amd64` nodes [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c7afe284)] as well as add the new nodes themselves [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/8ea537f4)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/4160dbf6)], perform the various networking configuration [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/710b804c)] and other various tweaks [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/01d0462f)].
* Various bits of build node maintenance. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/c6298df6)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/7b275c0a)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/1bdb6b3f)][[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/958278ae)]
In addition, Mattia Rizzolo updated the `reproducible_notes.py` script to only store notes for Debian packages in the database for now. [[...](https://salsa.debian.org/qa/jenkins.debian.net/commit/0faa4aaf)]
......
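Review bot: in the OSUOSL bullet "and other various tweaks" should be "and various other tweaks", and the bullet mixes a thank-you with four infrastructure commits; splitting "Thank OSUOSL for hosting the new amd64 nodes" from "Add the new nodes, their networking configuration and related tweaks" makes the changelog easier to scan. The unchanged context line above it reads "Thanks for Bernhard M. Wiedemann for pointing out", which should be "Thanks to Bernhard M. Wiedemann", and the closing sentence's "for now" is vague: if the notes script is intended to gain non-Debian support later, say so, otherwise drop it.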
......@@ -7,10 +7,10 @@ order: 0
<div class="text-center mt-md-5">
<a href="{{ "/" | prepend: site.baseurl }}">
<img class="img-fluid" src="{{ "/assets/images/logo-text.svg" | prepend: site.baseurl }}" alt="Reproducible Builds" style="height: 150px;" />
<img class="img-fluid" src="{{ "/assets/images/index/header-logo.png" | prepend: site.baseurl }}" alt="Reproducible Builds" style="height: 150px;" />
</a>
<p class="lead mt-sm-3 mt-md-5 mx-md-5 px-md-5">
<p class="lead mt-3 mt-md-5 mx-md-5 px-md-5">
<strong>Reproducible builds</strong> are a set of software development
practices that create an independently-verifiable path from source
to binary&nbsp;code.
......
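Review bot: replacing logo-text.svg with header-logo.png trades a resolution-independent asset for a raster one displayed at a fixed 150px height inside an img-fluid element; confirm the PNG is supplied at sufficient size not to blur on high-DPI displays, and since the alt text "Reproducible Builds" is unchanged, check that the new image still shows exactly that wording. The margin change from mt-sm-3 to mt-3 is fine, as mt-3 applies at all breakpoints and mt-md-5 still overrides it from md upwards.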