Merry Christmas from everybody working on reproducible builds. 🎅 Here’s what happened in the Reproducible Builds effort between Sunday December 16 and Saturday December 22 2018:
The F-Droid project, a catalogue of free-software applications for the Android platform, published a page on their website describing their adoption and implementation of reproducible builds.
Dave Rosenthal wrote about securing the software supply chain, touching on reproducible builds, certificate transparency and related topics. In addition, Avery (“apenwarr”) Pennarun wrote a blog post entitled “mtime comparison considered harmful”.
Chris Lamb updated strip-nondeterminism, our tool to post-process files to remove known non-deterministic output:
Reproducible Builds represents one of those ideas where the goal seems obvious and yet the execution requires an incredible and pervasive effort across the industry, and the people working on it have done an amazing job…
Joachim Breitner wrote a blog post titled “Thoughts on Bootstrapping GHC”, attempting to answer the question of “how can we build a whole operating system from just and only source code, using very little, or even no, binary seeds or auto-generated files.”
Julian Hyde posted to the Apache “Incubator” mailing list discussing the differences between their binary and source releases and how they should correlate.
There was further discussion on our mailing list about describing Reproducible Builds from the perspective of a mathematical formalism.
go get relies on connection-level authentication (HTTPS or SSH) to check that it is talking to the right server to download code. There is no additional check of the code itself, leaving open the possibility of man-in-the-middle attacks if the HTTPS or SSH mechanisms are compromised in some way. Decentralization means that the code for a build is fetched from many different servers, which means the build depends on many systems to serve correct code.
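The gap the quoted proposal describes is a transport check standing in for a content check: the client knows which server it spoke to, not whether the bytes are the ones it expected. The following is an added example, not code from the Go project or from the proposal. It computes a content digest over a fetched module's files in the shape of Go's h1: go.sum hashes (a hypothetical reimplementation, with constructed sample files, not the toolchain's own code) and rejects a copy that differs from a digest pinned out of band, regardless of which server or connection delivered it.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrDigestMismatch is returned when fetched content does not match the pinned digest.
var ErrDigestMismatch = errors.New("module content does not match pinned digest")

// moduleDigest derives a single digest over a set of files in the same shape as
// the "h1:" hashes Go records in go.sum: sha256 of every file, listed in sorted
// filename order as "<hex>  <name>\n", then sha256 over that listing, base64
// encoded. This is an illustrative reimplementation, not the toolchain's code.
func moduleDigest(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		// A newline in a name would let one file masquerade as two listing lines.
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("filename %q contains a newline", name)
		}
		names = append(names, name)
	}
	// Sorting makes the digest independent of map iteration and fetch order.
	sort.Strings(names)

	listing := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(listing, "%x  %s\n", fileSum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(listing.Sum(nil)), nil
}

// verifyModule rejects fetched content whose digest differs from a digest pinned
// out of band (from an earlier trusted fetch or a signed record). The check does
// not care how the bytes arrived, so a compromised HTTPS/SSH session, mirror or
// proxy cannot substitute code without also changing the pinned digest.
func verifyModule(files map[string][]byte, pinned string) error {
	got, err := moduleDigest(files)
	if err != nil {
		return err
	}
	if got != pinned {
		return fmt.Errorf("%w: pinned %s, got %s", ErrDigestMismatch, pinned, got)
	}
	return nil
}

func main() {
	// Constructed sample module content; not a real module.
	genuine := map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n\nfunc Greet() string { return \"hi\" }\n"),
	}
	pinned, err := moduleDigest(genuine) // what a trusted first fetch would record
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned:", pinned)
	fmt.Println("genuine copy:", verifyModule(genuine, pinned))

	// The same module as served by a compromised server, with one function added.
	tampered := map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": genuine["example.com/lib@v1.0.0/go.mod"],
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n\nfunc init() { /* unwanted */ }\n\nfunc Greet() string { return \"hi\" }\n"),
	}
	fmt.Println("tampered copy:", verifyModule(tampered, pinned))
}
```

The digest covers filenames as well as contents, so renaming or reordering files is caught too; what it cannot tell you is whether the pinned value itself was recorded from honest content, which is the problem transparency logs and reproducible builds address.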
6 Debian package reviews were added, 10 were updated and 11 were removed in this week, adding to our knowledge about identified issues.
On January 9th 2019, Chris Lamb will speak at Université de Rennes, France on reproducible builds.
Packages reviewed and fixed, and bugs filed
- Bernhard M. Wiedemann:
- Chris Lamb:
- Jelle van der Waa:
- wavemon (date and time in binary)
- Eli Schwartz:
- crystal (depend on standard variable to let the user define the builddate)
Test framework development
- Arch Linux-specific changes:
- Debian-specific changes:
- Misc/generic changes:
- Don’t use existing hosts as example. […]
- Add link to database schema. (Thanks for Bernhard M. Wiedemann for pointing out that was missing.) […]
- Thank the OSU Open Source Lab from Oregon State University (OSUOSL) for hosting the new amd64 nodes […] as well as add the new nodes themselves […][…], perform the various networking configuration […] and other various tweaks […].
- Various bits of build node maintenance. […][…][…][…]
In addition, Mattia Rizzolo updated the reproducible_notes.py script to only store notes for Debian packages in the database for now. […]
reproducible-builds.org website development
Chris Lamb made a huge number of updates to our reproducible-builds.org project website this week:
- Apply some initial, easy styling improvements to our pages via a custom CSS stylesheet for easier merging. […][…]
- Move the blog index page and blog posts to the new style. […][…]
- Migrate news entries and the index to the new style. […][…]
- Put the list of involved projects in a nice card grid. […]
- Ensure we don’t horizontally scroll due to oversized images in blog posts. […]
- Set a more informative site title. […]
- Add a simple footer for the new style. […]
- Don’t space out Markdown-generated bulleted lists so much. […]
Holger Levsen also updated the pages for our recent summit in Paris to add links to the summit report […][…] and to credit other organisers and sponsors […][…]. He later added links to Jelle van der Waa’s and Bernhard M. Wiedemann’s reports. […][…]
This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Eli Schwartz, Jelle van der Waa, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.