Welcome to the December 2021 report from the Reproducible Builds project! In these reports, we try and summarise what we have been up to over the past month, as well as what else has been occurring in the world of software supply-chain security.
As a quick recap of what reproducible builds is trying to address, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As always, if you would like to contribute to the project, please get in touch with us directly or visit the Contribute page on our website.
Early in December, Julien Voisin blogged about setting up a rebuilderd instance in order to reproduce Tails images. Building on previous work from 2018, Julien has now set up a public-facing instance which is providing build attestations.
As Julien dryly notes in his post, “Currently, this isn’t really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn’t backdoor the released image.” Naturally, we would contend — sincerely — that this is indeed useful.
The secure/anonymous Tor browser now supports reproducible source releases. According to the project’s changelog, version 0.4.7.3-alpha of Tor can now build reproducible tarballs via the make dist-reprod command. This issue was tracked via Tor issue #26299.
Fabian Keil posted a question to our mailing list this month asking how they might analyse differences in images produced with the FreeBSD and ElectroBSD’s mkimg and makefs commands:
After rebasing ElectroBSD from FreeBSD stable/11 to stable/12
I recently noticed that the "memstick" images are unfortunately
still not 100% reproducible.
Fabian’s original post generated a short back-and-forth with Chris Lamb regarding how diffoscope might be able to support the particular format of images generated by this command set.
diffoscope
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 195, 196, 197 and 198 to Debian, as well as made the following changes:
- Support showing Ordering differences only within .dsc field values. […]
- Add support for ‘XMLb’ files. […]
- Also add, for example, /usr/lib/x86_64-linux-gnu to our local binary search path. […]
- Support OCaml versions 4.11, 4.12 and 4.13. […]
- Drop some unnecessary has_same_content_as logging calls. […]
- Replace token variable with an anonymously-named variable instead to remove extra lines. […]
- Don’t use the runtime platform’s native endianness when unpacking .pyc files. This fixes test failures on big-endian machines. […]
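The last item above is a good illustration of why a content-aware diff tool has to pin the byte order of the format it reads rather than that of the host. The following is an added example, not diffoscope’s own code: it parses the PEP 552 header of a CPython .pyc file with an explicit little-endian layout (so a big-endian host sees the same fields), and reports which header field makes two .pyc files differ, the classic case being only the embedded source mtime. The function names, and the sample body bytes in the test, are constructed for this example.

```python
import struct
from importlib.util import MAGIC_NUMBER

# PEP 552 header: 4-byte magic, 4-byte flags, then either (mtime, size)
# or an 8-byte source hash. CPython always writes these little-endian;
# the "<" prefix pins that, whereas "=" or no prefix would follow the
# host's native byte order and misread the fields on big-endian machines.
HEADER = struct.Struct("<4sI")
TIMESTAMP_FIELDS = struct.Struct("<II")


def parse_pyc_header(data: bytes) -> dict:
    """Return the header fields of a .pyc; 'body' is the marshalled code."""
    magic, flags = HEADER.unpack_from(data, 0)
    if magic != MAGIC_NUMBER:
        raise ValueError("magic %r does not match this interpreter" % magic)
    if flags & 1:  # hash-based pyc: bit 0 = hash-based, bit 1 = check_source
        return {"kind": "hash", "checked": bool(flags & 2),
                "source_hash": data[8:16].hex(), "body": data[16:]}
    mtime, size = TIMESTAMP_FIELDS.unpack_from(data, 8)
    return {"kind": "timestamp", "mtime": mtime, "size": size, "body": data[16:]}


def build_timestamp_pyc(body: bytes, mtime: int, size: int) -> bytes:
    """Construct a timestamp-based .pyc around an arbitrary body (test input)."""
    return struct.pack("<4sIII", MAGIC_NUMBER, 0, mtime, size) + body


def build_hash_pyc(body: bytes, source_hash: bytes, checked: bool) -> bytes:
    """Construct a hash-based .pyc (the reproducible variant) for testing."""
    flags = 1 | (2 if checked else 0)
    return struct.pack("<4sI", MAGIC_NUMBER, flags) + source_hash[:8] + body


def explain_difference(a: bytes, b: bytes) -> list:
    """List the header fields (or the body) on which two .pyc files disagree.

    A result of only "mtime: ..." means the compiled code is identical and
    the build merely embedded a different source timestamp, which is what
    SOURCE_DATE_EPOCH or hash-based pycs are meant to eliminate.
    """
    ha, hb = parse_pyc_header(a), parse_pyc_header(b)
    diffs = []
    for key in sorted(set(ha) | set(hb)):
        if ha.get(key) == hb.get(key):
            continue
        diffs.append("body differs" if key == "body"
                     else "%s: %r != %r" % (key, ha.get(key), hb.get(key)))
    return diffs
```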
Mattia Rizzolo also made a number of changes to diffoscope this month as well, such as:
- Also recognize GnuCash files as XML. […]
- Support the pgpdump PGP packet visualiser version 0.34. […]
- Ignore the new Lintian tag binary-with-bad-dynamic-table. […]
- Fix the Enhances field in debian/control. […]
Finally, Brent Spillner fixed the version detection for Black ‘uncompromising code formatter’ […], Jelle van der Waa added an external tool reference for Arch Linux […] and Roland Clobus added support for reporting when the GNU_BUILD_ID field has been modified […]. Thank you for your contributions!
Distribution work
In Debian this month, 70 reviews of packages were added, 27 were updated and 41 were removed, adding to our database of knowledge about specific issues. A number of issue types were created as well, including:
- build_path_identifiers_in_documentation_generated_by_doxygen
- non_deterministic_doc_base_file_for_javadoc
- nondeterministic_ordering_in_guile_binaries
strip-nondeterminism version 1.13.0-1 was uploaded to Debian unstable by Holger Levsen. It included contributions already covered in previous months as well as new ones from Mattia Rizzolo, particularly that the dh_strip_nondeterminism Debian integration interface uses the new get_non_binnmu_date_epoch() utility when available: this is important to ensure that strip-nondeterminism does not break some kinds of binNMUs.
In the world of openSUSE, however, Bernhard M. Wiedemann posted his monthly reproducible builds status report.
In NixOS, work towards the longer-term goal of making the graphical installation image reproducible is ongoing. For example, Artturin made the gnome-desktop package reproducible.
Upstream patches
The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. In December, we wrote a large number of such patches, including:
- Bernhard M. Wiedemann:
  - g++7/rsync (randomness in output)
  - python-eventlet (build fails in the future)
  - python-PyQRCode (incorporates copyright year)
- Chris Lamb:
- Simon McVittie:
- Vagrant Cascadian:
  - #1000944 filed against apbs.
  - #1000945 filed against binutils-riscv64-unknown-elf.
  - #1000946 filed against gcc-riscv64-unknown-elf.
  - #1001850 filed against userbindmount.
  - #1001853 filed against nanomsg.
  - #1001854 filed against freediameter.
  - #1001856 filed against gr-satellites.
  - #1001859 filed against kjs.
  - #1001860 filed against xeus-python.
  - #1001866 filed against libime.
  - #1001867 filed against fcitx5-gtk.
  - #1001868 filed against fcitx.
  - #1001869 filed against libpodofo.
  - #1001870 filed against meshlab.
  - #1001872 filed against eiskaltdcpp.
  - #1001873 filed against editorconfig-core.
  - #1002671 filed against python-parse-type.
  - #1002673 filed against sphinx-copybutton.
  - #1002674 filed against fcitx5-qt.
- Roland Clobus:
  - libxmlb#110 filed upstream against libxmlb, fixed by Richard Hughes. Waiting for an upstream release.
Testing framework
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
- Holger Levsen:
  - Run the Debian scheduler less often. […]
  - Fix the name of the Debian ‘testing’ suite. […]
  - Detect builds that are rescheduling due to problems with the diffoscope container. […]
  - No longer special-case particular machines having a different /boot partition size. […]
  - Automatically fix failed apt-daily and apt-daily-upgrade services […], failed e2scrub_all.service & user@ systemd units […][…] as well as ‘generic’ build failures […].
  - Simplify a script to powercycle arm64 architecture nodes hosted at/by codethink.co.uk. […]
  - Detect if the udd-mirror.debian.net service is down. […]
  - Various miscellaneous node maintenance. […][…]
- Roland Clobus (Debian ‘live’ image generation):
  - If the latest snapshot is not complete yet, try to use the previous snapshot instead. […]
  - Minor: whitespace correction + comment correction. […]
  - Use unique folders and reports for each Debian version. […]
  - Turn off debugging. […]
  - Add a better error description for incorrect/missing arguments. […]
  - Report non-reproducible issues in Debian sid images. […]
Lastly, Mattia Rizzolo updated the automatic logfile parsing rules in a number of ways (eg. to ignore a warning about the Python setuptools deprecation) […][…] and Vagrant Cascadian adjusted the config for the Squid caching proxy on a node. […]
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. Alternatively, you can get in touch with us via:
- Mailing list: rb-general@lists.reproducible-builds.org
- IRC: #reproducible-builds on irc.oftc.net.
- Mastodon: @reproducible_builds@fosstodon.org