Welcome to the December 2021 report from the Reproducible Builds project! In these reports, we try and summarise what we have been up to over the past month, as well as what else has been occurring in the world of software supply-chain security.
As a quick recap of what reproducible builds is trying to address, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. As always, if you would like to contribute to the project, please get in touch with us directly or visit the Contribute page on our website.
Early in December, Julien Voisin blogged about setting up a rebuilderd instance in order to reproduce Tails images. Working on previous work from 2018, Julien has now set up a public-facing instance which is providing build attestations.
As Julien dryly notes in his post, “Currently, this isn’t really super-useful to anyone, except maybe some Tails developers who want to check that the release manager didn’t backdoor the released image.” Naturally, we would contend — sincerely — that this is indeed useful.
The secure/anonymous Tor browser now supports reproducible source releases. According to the project’s changelog, version 0.4.7.3-alpha of Tor can now build reproducible tarballs via the `make dist-reprod` command. This issue was tracked via Tor issue #26299.
After rebasing ElectroBSD from FreeBSD stable/11 to stable/12 I recently noticed that the "memstick" images are unfortunately still not 100% reproducible.
diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded version 198 to Debian, as well as made the following changes:
- Support showing Ordering differences only within `.dsc` field values. […]
- Add support for ‘XMLb’ files. […]
- Also add, for example, `/usr/lib/x86_64-linux-gnu` to our local binary search path. […]
- Support OCaml versions 4.11, 4.12 and 4.13. […]
- Drop some unnecessary `has_same_content_as` logging calls. […]
- `token` variable with an anonymously-named variable instead to remove extra lines. […]
- Don’t use the runtime platform’s native endianness when unpacking `.pyc` files. This fixes test failures on big-endian machines. […]
Mattia Rizzolo also made a number of changes to diffoscope this month as well, such as:
- Also recognize GnuCash files as XML. […]
- Support the pgpdump PGP packet visualiser version 0.34. […]
- Ignore the new Lintian tag
- Fix the
Finally, Brent Spillner fixed the version detection for Black ‘uncompromising code formatter’ […], Jelle van der Waa added an external tool reference for Arch Linux […] and Roland Clobus added support for reporting when the `GNU_BUILD_ID` field has been modified […]. Thank you for your contributions!
In Debian this month, 70 reviews of packages were added, 27 were updated and 41 were removed, adding to our database of knowledge about specific issues. A number of issue types were created as well, including:
1.13.0-1 was uploaded to Debian unstable by Holger Levsen. It included contributions already covered in previous months as well as new ones from Mattia Rizzolo, particularly that the `dh_strip_nondeterminism` Debian integration interface uses the new `get_non_binnmu_date_epoch()` utility when available: this is important to ensure that strip-nondeterminism does not break some kinds of binNMUs.
In NixOS, work towards the longer-term goal of making the graphical installation image reproducible is ongoing. For example, Artturin made the `gnome-desktop` package reproducible.
The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. In December, we wrote a large number of such patches, including:
Bernhard M. Wiedemann:
- #1000944 filed against
- #1000945 filed against
- #1000946 filed against
- #1001850 filed against
- #1001853 filed against
- #1001854 filed against
- #1001856 filed against
- #1001859 filed against
- #1001860 filed against
- #1001866 filed against
- #1001867 filed against
- #1001868 filed against
- #1001869 filed against
- #1001870 filed against
- #1001872 filed against
- #1001873 filed against
- #1002671 filed against
- #1002673 filed against
- #1002674 filed against
The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:
- Run the Debian scheduler less often. […]
- Fix the name of the Debian ‘testing’ suite name. […]
- Detect builds that are rescheduling due to problems with the diffoscope container. […]
- No longer special-case particular machines having a different `/boot` partition size. […]
- Automatically fix failed `apt-daily-upgrade` services […], failed `user@` systemd units […][…] as well as ‘generic’ build failures […].
- Simplify a script to powercycle `arm64` architecture nodes hosted at/by codethink.co.uk. […]
- Detect if the udd-mirror.debian.net service is down. […]
- Various miscellaneous node maintenance. […][…]
Roland Clobus (Debian ‘live’ image generation):
- If the latest snapshot is not complete yet, try to use the previous snapshot instead. […]
- Minor: whitespace correction + comment correction. […]
- Use unique folders and reports for each Debian version. […]
- Turn off debugging. […]
- Add a better error description for incorrect/missing arguments. […]
- Report non-reproducible issues in Debian sid images. […]
Lastly, Mattia Rizzolo updated the automatic logfile parsing rules in a number of ways (e.g. to ignore a warning about the Python setuptools deprecation) […][…] and Vagrant Cascadian adjusted the config for the Squid caching proxy on a node. […]
If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. You can also get in touch with us via: