Commits on Source (2)
......@@ -6,46 +6,52 @@ title: "Reproducible Builds in May 2019"
draft: true
---
**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!**
In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
[![]({{ "/images/reports/2019-05/reproducible-builds.png#right" | prepend: site.baseurl }})](https://reproducible-builds.org/)
As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
**Welcome to the May 2019 report from the [Reproducible Builds](https://reproducible-builds.org) project!** In our reports we outline the most important things which have been up to in and around the world of reproducible builds & secure toolchains over the past month.
As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users pre-compiled. The motivation behind reproducible builds effort is to ensure no malicious flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing third-parties to come to a consensus on whether a build was compromised.
In this month's report, we will cover:
* **Media coverage***More supply chain attacks, Reproducible Builds on the conference circuit, etc.*
* **Upstream news***Mozilla updating their add-on policy, etc.*
* **Distribution work***Debian Installer progress, openSUSE updates, etc.*
* **Software development***try.diffoscope.org rewrite, upstream patches, etc.*
* **Media coverage***More supply chain attacks, Reproducible Builds at conferences, etc.*
* **Upstream news***Mozilla updates their add-on policy, etc.*
* **Distribution work***Debian Installer progress, openSUSE updates.*
* **Software development***A try.diffoscope.org rewrite, more upstream patches, etc.*
* **Misc news***From our mailing list, etc.*
* **Getting in touch***How to contribute, etc.*
* **Getting in touch***How to contribute, contact details, etc.*
If you are interested in contributing to our project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website.
---
## Media coverage
* Adam Greenberg reported on [Wired](https://www.wired.com) about the [Barium](https://www.wired.com/story/barium-supply-chain-hackers/), detailing a single group of malicious actors who appear responsible for a variety supply chain hacks of [CCleaner](https://www.ccleaner.com/), [Asus](https://www.asus.com/) and more, therefore planting backdoors on and gaining access to millions of machines.
[![]({{ "/images/reports/2019-05/wired.png#right" | prepend: site.baseurl }})](https://www.wired.com/)
* The work of Chris Lamb in/around Debian's Reproducible Builds effort [won a Google Open Source Peer Bonus award](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html), a program with the goal of recognising and supporting the ecosystem and sustainability of free software by rewarding and recognising developers for their contributions to open source projects
* Adam Greenberg reported on [Wired](https://www.wired.com) about the "mysterious hacker group" [Barium](https://www.wired.com/story/barium-supply-chain-hackers/), detailing a single group of malicious actors who appear responsible for a variety supply chain attacks of [CCleaner](https://www.ccleaner.com/), [Asus](https://www.asus.com/) and more, planting backdoors on & gaining access to millions of end-user machines.
* Kushal Das presented at [PyCon](https://us.pycon.org/2019/about/) 2019 on [building reproducible Python applications for secured environments](https://www.youtube.com/watch?v=wRHi8Ui5vWA). In the talk, Kushal argues that validating the dependencies of the project is very critical along with the actual project source code, referring to incidents where people were [able to steal bitcoins using a popular library](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/). His talk uses the [SecureDrop client application](https://github.com/freedomofpress/securedrop-client) for journalists as an example project and see how he tried to tackle the similar problem.
* The work of Chris Lamb in/around Debian's Reproducible Builds effort [was awarded a Google Open Source Peer Bonus award](https://opensource.googleblog.com/2019/04/google-open-source-peer-bonus-winners.html), a program with the goal of recognising and supporting the ecosystem and sustainability of free software by recognising developers for their contributions to open source projects.
* [GitHub](https://github.com/) announced [adding a package registry feature](https://github.com/features/package-registry) which [suggest but alas not guarantee](https://github.com/ipfs/package-managers/issues/55) a strong link between the Git repository and the published packages, highlighting the need for Reproducible Builds.
* Kushal Das presented at [PyCon](https://us.pycon.org/2019/about/) 2019 on [building reproducible Python applications for secured environments](https://www.youtube.com/watch?v=wRHi8Ui5vWA). Here, Kushal argues that validating the dependencies of the project is as critical as actual project source code, referring to incidents where actors [were able to steal bitcoins using a popular library](https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/). His talk uses the [SecureDrop client application](https://github.com/freedomofpress/securedrop-client) for journalists as an example project to see how to tackle the more general problem.
* [Andrew Martin](https://www.binarysludge.com/) [published his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) for his talk titled [*Rootless, Reproducible and Hermetic: Secure Container Build Showdown*](https://www.youtube.com/watch?v=X_Sb96EKFPA) that he gave at [KubeCon 2019](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2019/).
[![]({{ "/images/reports/2019-05/kubecon.png#right" | prepend: site.baseurl }})](https://www.youtube.com/watch?v=X_Sb96EKFPA)
* [GitHub](https://github.com/) announced [adding a package registry feature](https://github.com/features/package-registry) which "[suggest but alas not guarantee](https://github.com/ipfs/package-managers/issues/55)" a strong link between the Git repository and the published packages, highlighting the need for Reproducible Builds in this area.
* [Andrew Martin](https://www.binarysludge.com/) has [published his slides](https://drive.google.com/a/control-plane.io/file/d/1xUDrcWmB3a_5oMxeIJuqf6vtXZN/view?usp=sharing) for his talk entitled [*Rootless, Reproducible and Hermetic: Secure Container Build Showdown*](https://www.youtube.com/watch?v=X_Sb96EKFPA) that he gave at [KubeCon 2019](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2019/).
---
## Upstream news
* The [IPFS](https://ipfs.io) "[Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme)" is [gathering research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to the Reproducible Builds effort.
The [IPFS](https://ipfs.io) "[Package Managers Special Interest Group](https://github.com/ipfs/package-managers#readme)" is [gathering research around package management](https://github.com/ipfs/package-managers/blob/master/docs/papers.md), much of which is relevant to the Reproducible Builds effort.
[![]({{ "/images/reports/2019-05/buildroot.png#right" | prepend: site.baseurl }})](https://buildroot.org/)
* [Mozilla](https://www.mozilla.org)'s update "Add-on Policy" document for the [Firefox web browser](https://www.mozilla.org/en-GB/firefox/) now [dictates that add-ons may contain "transpiled, minified or otherwise machine-generated code"](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05), but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
Atharva Lele plans to work on reproducible builds for the [Buildroot](https://buildroot.org/) embedded Linux project as part of [Google Summer of Code](https://summerofcode.withgoogle.com/), [ensuring that two instances of buildroot running with the same configuration for the same device yield the same result](https://summerofcode.withgoogle.com/projects/#5992608243908608).
* Atharva Lele is going to work on reproducible builds for the [Buildroot](https://buildroot.org/) embedded Linux project as part of [Google Summer of Code](https://summerofcode.withgoogle.com/), [ensuring that two instances of buildroot running with the same configuration for the same device yield the same result](https://summerofcode.withgoogle.com/projects/#5992608243908608).
[Mozilla](https://www.mozilla.org)'s latest update to the [Firefox](https://www.mozilla.org/en-GB/firefox/) add-on policy [now dictates that add-ons may contain "transpiled, minified or otherwise machine-generated code"](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews-2019-05) but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission along with instructions on how to reproduce the build.
---
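Review bot: the opening sentence kept in the merged welcome paragraph ("the most important things which have been up to in and around the world of reproducible builds") is missing its subject in both the old and the new version; "the most important things we have been up to in and around" or "that have been happening in and around" reads correctly. Two smaller points in the same hunk: "a variety supply chain attacks" in the Barium bullet needs "of", and putting quotation marks around `suggest but alas not guarantee` in the GitHub package registry bullet presents it as a verbatim quotation from the linked issue while leaving the grammar as "which suggest"; either quote the issue exactly or drop the quotes and write "which suggests, but alas does not guarantee,". In the Mozilla add-on policy paragraph it is worth saying why the "instructions on how to reproduce the build" matter to this project: a reviewer can only tie the human-readable source to the transpiled or minified code that is actually shipped if rebuilding from that source yields the same artefact, so the policy is a reproducibility requirement in all but name. Lastly, this hunk turns the Upstream news bullets into paragraphs while Media coverage and Misc news stay as bullet lists; pick one style for the item sections.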
......@@ -53,15 +59,15 @@ In this month's report, we will cover:
[![]({{ "/images/reports/2019-05/opensuse.png#right" | prepend: site.baseurl }})](https://www.opensuse.org/)
Holger Levsen filed a wishlist request requesting that `.buildinfo` build attestation documents from the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS/) project [are also distributed by the build/archive infrastructure](https://bugs.debian.org/929397) so that the reproducibility status of these security packages can be validated.
Bernhard M. Wiedemann posted his [monthly Reproducible Builds status update](https://lists.opensuse.org/opensuse-factory/2019-05/msg00341.html) for the [openSUSE](https://opensuse.org/) distribution.
Holger Levsen filed a wishlist request requesting that Debian's `.buildinfo` build environment specification documents from the [Debian Long Term Support (LTS)](https://wiki.debian.org/LTS/) project are [also distributed by the build/archive infrastructure](https://bugs.debian.org/929397) so that the reproducibility status of these security packages can be validated.
[![]({{ "/images/reports/2019-05/debian.png#left" | prepend: site.baseurl }})](https://debian.org/)
There was yet more progress towards making the [Debian Installer](https://www.debian.org/devel/debiah-installer/) images reproducible. Following-on from last months, [Chris Lamb](https://chris-lamb.co.uk/) performed some further testing of the generated images and [requested a status update](https://bugs.debian.org/926242#67) which resulted in a call for testing the [possible removal of a now-obsolete workaround](https://bugs.debian.org/926242#87) that is hindering progress.
68 reviews of Debian packages were added, 30 were updated and 11 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb discovered, identified and triaged two new issue types, the first identifying randomness in [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) `.uuid` files [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0b9e9668) and another [`randomness_in_output_from_perl_deparse`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/430c2d21).
68 reviews of Debian packages were added, 30 were updated and 11 were removed this month, adding to [our knowledge about identified issues](https://tests.reproducible-builds.org/debian/index_issues.html). Chris Lamb discovered, identified and triaged two new issue types, the first identifying randomness in [Fontconfig](https://www.freedesktop.org/wiki/Software/fontconfig/) `.uuid` files [[...](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/0b9e9668)] and another [`randomness_in_output_from_perl_deparse`](https://salsa.debian.org/reproducible-builds/reproducible-notes/commit/430c2d21).
Finally, [GNU Guix](https://www.gnu.org/software/guix) announced its [1.0.0 release](https://www.gnu.org/software/guix/blog/2019/gnu-guix-1.0.0-released/).
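Review bot: the Debian Installer paragraph in the unchanged context links to `https://www.debian.org/devel/debiah-installer/`, a typo for `debian-installer` that will not resolve, and "Following-on from last months" should be "Following on from last month's report". In the changed `.buildinfo` sentence, "build environment specification documents" is a clearer description than "build attestation documents", but the sentence would be stronger if it said what the request enables: a third party can only rebuild an LTS security update and compare the result if the environment description is published alongside the package, which is the point of asking the archive infrastructure to distribute them. "discovered, identified and triaged" in the reviews sentence can lose one of the first two verbs.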
......@@ -71,7 +77,7 @@ Finally, [GNU Guix](https://www.gnu.org/software/guix) announced its [1.0.0 rele
#### Upstream patches
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:
The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream wherever possible. This month, we wrote a large number of such patches, including:
[![]({{ "/images/reports/2019-05/notion.png#right" | prepend: site.baseurl }})](https://notionwm.net/)
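Review bot: changing "where appropriate" to "wherever possible" in the Upstream patches intro shifts the meaning: the bug list that follows in this section is filed against Debian packages, and some of those fixes are packaging changes that should not go upstream at all, so "where appropriate" was the more accurate wording; "wherever it makes sense to do so" keeps both the effort and the qualification.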
......@@ -105,6 +111,8 @@ The Reproducible Builds project detects, dissects and attempts to fix as many cu
* [#929791](https://bugs.debian.org/929791) filed against [ghmm](https://tracker.debian.org/pkg/ghmm).
* [#929793](https://bugs.debian.org/929793) filed against [liblopsub](https://tracker.debian.org/pkg/liblopsub).
[![]({{ "/images/reports/2019-05/u-boot.png#center" | prepend: site.baseurl }})](https://www.denx.de/wiki/U-Boot/)
Finally, Vagrant Cascadian [submitted a patch](https://patchwork.ozlabs.org/patch/1093969/) for [u-boot](https://www.denx.de/wiki/U-Boot/) boot loader fixing reproducibility when building a new type of compressed image. This [was subsequently merged in version `2019.07-rc2`](https://git.denx.de/?p=u-boot.git;a=commit;h=878e2a50b50199cb06ee28df53151e396a29d838).
#### diffoscope
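Review bot: the new U-Boot paragraph says the patch fixes "reproducibility when building a new type of compressed image" without naming the image type, so the reader cannot tell what was unreproducible or why; name the image format the linked patchwork entry covers and, if the patch description gives it, the source of non-determinism that was removed. "for [u-boot] boot loader" is also missing "the", and since `2019.07-rc2` is a release candidate it is clearer to say the fix was merged for the 2019.07 release cycle than "merged in version".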
......@@ -129,7 +137,7 @@ Finally, Vagrant Cascadian [submitted a patch](https://patchwork.ozlabs.org/patc
* Adjust various build and test-dependencies, including specifying the [ffmpeg](https://ffmpeg.org/) video encoding tool/library and the [Black](https://ffmpeg.org/) code formatter [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0eddfab)] in the build-dependencies [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/d2d3dec)] and reinstating the [oggvideotools](https://sourceforge.net/projects/oggvideotools/) and `procyon-decompiler` as test dependencies, now that are no-longer buggy [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/6940757)], etc.
* Make the Debian autopkgtests not fail when a limited subset of "required tools" are temporarily unavailable. [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/f584fa2)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/3d74240)][[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/2e11182)]
In addition, Santiago Torres altered the behaviour of the tests to ensure compatibility with various versions of [file(1)]() [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0f02296)] and Vagrant Cascadian added support for various external tools in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f3416f)] and updated the version of *diffoscope* in that distribution [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06)].
In addition, Santiago Torres altered the behaviour of the tests to ensure compatibility with various versions of [`file(1)`]() [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/0f02296)] and Vagrant Cascadian added support for various external tools in [GNU Guix](https://www.gnu.org/software/guix/) [[...](https://salsa.debian.org/reproducible-builds/diffoscope/commit/7f3416f)] and updated the version of *diffoscope* in that distribution [[...](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ff793da66918ace85048f90dc069415ef067ba06)].
#### try.diffoscope.org
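Review bot: `[file(1)]()` in the changed sentence still has an empty link target in both the old and the new line; the change only adds backticks, so either point it at a manual page URL or drop the link syntax and keep plain `file(1)`. In the unchanged context above it, the Black code formatter is linked to `https://ffmpeg.org/`, which is the ffmpeg URL copied into the wrong place, and "now that are no-longer buggy" is missing "they".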
......@@ -189,7 +197,9 @@ Bernhard M. Wiedemann then [documented a more concise C code example](https://re
## Misc news
* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) asked [various questions about reproducible builds and their bearing on building a distributed continuous integration system](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) which had many replies ([view thread index](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566)).
* On [our mailing list](https://lists.reproducible-builds.org/pipermail/rb-general/) this month [Lars Wirzenius](https://liw.fi/) asked [various questions about reproducible builds](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/001566.html) and their bearing on building a distributed continuous integration system which received many replies ([view thread index](https://lists.reproducible-builds.org/pipermail/rb-general/2019-May/thread.html#1566)).
[![]({{ "/images/reports/2019-05/profitbricks.png#right" | prepend: site.baseurl }})](https://www.profitbricks.com)
* The server powering [`lists.reproducible-builds.org`](http://lists.reproducible-builds.org/) changed home. Thanks to [`potager.org`](https://potager.org/) for hosting us all this time and many thanks to [Profitbricks](https://www.profitbricks.com) for hosting our new mail server.
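Review bot: the mailing list link in the server-move bullet uses `http://lists.reproducible-builds.org/` while every other link to that host on the page, including the thread link two lines above, uses `https://`; since this bullet announces the new mail server, link it over TLS so readers reaching the new host are not sent to a plaintext URL first.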
......@@ -206,14 +216,15 @@ Thanks, Sam!
## Getting in touch
If you are interested in contributing the Reproducible Builds project, please visit our [Contribute](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
![]({{ "/images/reports/2019-05/irc.png#right" | prepend: site.baseurl }})
* IRC: `#reproducible-builds` on `irc.oftc.net`.
If you are interested in contributing the Reproducible Builds project, please visit our [*Contribute*](https://reproducible-builds.org/contribute/) page on our website. However, you can get in touch with us via:
* IRC: `#reproducible-builds` on `irc.oftc.net`.
* Twitter: [@ReproBuilds](https://twitter.com/ReproBuilds)
* Mailing list: [`rb-general`](https://lists.reproducible-builds.org/listinfo/rb-general)
* Mailing list: [`rb-general@lists.reproducible-builds.org`](https://lists.reproducible-builds.org/listinfo/rb-general)
<br>
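Review bot: "If you are interested in contributing the Reproducible Builds project" is missing "to" in both the old and the new line, and "However, you can get in touch with us via:" uses the wrong connective, since the contact list is an addition rather than a contrast; "You can also get in touch with us via:" reads correctly. The rest of the hunk only moves the IRC bullet below the image and spells out the `rb-general@lists.reproducible-builds.org` address, which is an improvement.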
......
......@@ -9,6 +9,7 @@ main {
img {
max-width: 100%;
padding-bottom: 0.5rem;
}
img[src$="#left"] {
......