Here’s what happened in the Reproducible Builds effort between Sunday November 11 and Saturday November 17 2018:
Code review for the LLVM compiler to support the -fmacro-prefix-map argument is currently in progress. Like the -fdebug-prefix-map flag, this argument replaces a string prefix for the
Kyle Rankin, the Chief Security Officer of Puri.sm authored a blog post entitled “Protecting the Digital Supply Chain” which describes how with Reproducible Builds you can show that no malicious code was injected in software supply chains:
Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.
Chris Lamb gave a presentation at the SFScon conference in Bozen, Italy on reproducible builds and how they can prevent developers from becoming targets of various attacks.
Holger Levsen updated our website to add the Tor project as a participant at our upcoming Paris Summit. In addition, Bernhard M. Wiedemann applied a sitewide change to use consistent capitalisation for openSUSE […].
38 Debian package reviews were added, 4 were updated and 19 were removed in this week, adding to our knowledge about identified issues. The nondeterminstic_output_in_pkgconfig_files_generated_by_meson issue was removed as a fix was applied upstream […], and the note for the randomness_in_binaries_generated_by_golang issue was updated. (1, 2)
diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week, Marius Gedminas provided a patch to add a python_requires field to diffoscope’s setup.py […] and Mattia Rizzolo sorted the list of recommended Python modules in
Chris Lamb’s previously-authored patches for GNU mtools to ensure the Debian Installer images could become reproducible which were sent upstream last week (1 & 2) are now available in upstream’s 4.0.20 release.
Chris Lamb uploaded strip-nondeterminism (our tool to post-process files to remove known non-deterministic output) version 0.45.0-1 to Debian unstable in order to catch invalid ZIP “local” field lengths — we were previously blindly trusting the value supplied in the ZIP file (#803503). As part of this upload he moved the utility to the SemVer versioning scheme.
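To illustrate the class of bug fixed there, here is an added example (not strip-nondeterminism’s own Perl code) that walks ZIP local file headers and checks every declared length against the bytes actually present before using it, instead of trusting the values in the file; the sample archive and the helper that corrupts its name-length field are constructed for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
# Fixed 30-byte local file header: sig, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")


class MalformedZip(ValueError):
    pass


def parse_local_headers(data: bytes) -> list:
    """Return one dict per local entry, validating lengths before use."""
    entries, off = [], 0
    while off + LOCAL_HDR.size <= len(data):
        (sig, _ver, flags, _method, mtime, mdate, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(data, off)
        if sig != LOCAL_SIG:
            break  # reached the central directory or trailing data
        hdr_end = off + LOCAL_HDR.size
        # Bounds-check the declared name/extra lengths instead of slicing blindly.
        if hdr_end + name_len + extra_len > len(data):
            raise MalformedZip(f"entry at {off}: name/extra length exceeds archive")
        name = data[hdr_end:hdr_end + name_len].decode("utf-8", "replace")
        start = hdr_end + name_len + extra_len
        if flags & 0x08:  # data descriptor: sizes are not known up front
            raise MalformedZip(f"{name!r}: data-descriptor entries not handled here")
        if start + csize > len(data):
            raise MalformedZip(f"{name!r}: compressed size exceeds archive")
        # mtime/mdate are the DOS timestamps a normaliser would later rewrite.
        entries.append({"name": name, "mtime": mtime, "mdate": mdate, "csize": csize})
        off = start + csize
    return entries


def build_sample_zip() -> bytes:
    """Constructed two-member, uncompressed archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello\n")
        zf.writestr("world.txt", "world\n")
    return buf.getvalue()


def corrupt_name_length(data: bytes, new_len: int) -> bytes:
    """Overwrite the first header's 2-byte name-length field (offset 26)."""
    return data[:26] + struct.pack("<H", new_len) + data[28:]
```

A naive reader that slices `data[hdr_end:hdr_end + name_len]` without the check silently returns a truncated name and then miscomputes every following offset; the bounds check turns that into an explicit parse error.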
We have received more than 45 registrations for the upcoming Reproducible Builds summit in Paris between 11th—13th December 2018 and have now closed registrations. Very much looking forward to seeing you there!
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- Christoph Berg posted some work-in-progress patches for postgresql-hll (a PostgreSQL extension adding HyperLogLog data structures as a native data type) to make their build reproducible to the upstream mailing list.
Test framework development
Arch Linux-specific changes:
sed(1) calls for modifying pacman.conf more robust, fixing building in the future as well as using proxies for downloading package dependencies. (1
- Improve the documentation of a multi-line sed(1) statement. […]
- Perform some administration on the package blacklists. (1, 2)
- Move to using sudo(8) for cleaning old /tmp files left by package builds. […]
- Ensure all ProfitBricks (i386) nodes in Karlsruhe use pb1 as a proxy and all nodes in Frankfurt use pb10. This might have produced some build failures but fixed issues with Squid running in the future. This complements previous work for the
- Filed #913658: (“Broken links on packages pages”)
- Document that the proxy setting for chroot installs are actually correct. […]
- Ensure all ProfitBricks (
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.