Reproducible Builds in January 2022



Welcome to the January 2022 report from the Reproducible Builds project. In our reports, we try to outline the most important things that have been happening in the past month. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.


An interesting blog post was published by Paragon Initiative Enterprises about Gossamer, a proposal for securing the PHP software supply chain. Utilising code signing and third-party attestations, Gossamer aims to mitigate the risks within the notorious PHP world by publishing those attestations to a transparency log. Their post, titled Solving Open Source Supply Chain Security for the PHP Ecosystem, goes into some detail regarding the design, scope and implementation of the system.


This month, the Linux Foundation announced SupplyChainSecurityCon, a conference focused on exploring the security threats affecting the software supply chain and on sharing best practices and mitigation tactics. The conference is part of the Linux Foundation’s Open Source Summit North America and will take place from June 21st to 24th 2022, both virtually and in Austin, Texas.


Debian

Significant progress was made in the Debian Linux distribution this month, including:


Other distributions

kpcyrd reported on Twitter about the release of version 0.2.0 of pacman-bintrans, an experiment with binary transparency for pacman, the Arch Linux package manager. This new version is now able to query rebuilderd to check whether a package was independently reproduced.


Elsewhere, in the world of openSUSE, Bernhard M. Wiedemann posted his monthly reproducible builds status report.


diffoscope

diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 199, 200, 201 and 202 to Debian unstable (which were later backported to Debian bullseye-backports by Mattia Rizzolo), and made the following changes to the code itself:

  • New features:

    • First attempt at incremental output support with a timeout. Passing, for example, --timeout=60 now means that diffoscope will not recurse into any sub-archives after 60 seconds of total execution time have elapsed. Note that this is not a fixed/strict timeout due to implementation issues.
    • Support both variants of odt2txt, including the one provided by the unoconv package.
  • Bug fixes:

    • Do not return with a UNIX exit code of 0 if we encounter a file whose human-readable metadata matches but whose literal file contents differ.
    • Don’t fail when comparing a nonexistent file with a .pyc file (and add a test).
    • If the debian.deb822 module raises any exception on import, re-raise it as an ImportError. This should fix diffoscope on some Fedora systems.
    • Even if a Sphinx .inv inventory file is labelled The remainder of this file is compressed using zlib, it might not actually be. In this case, don’t traceback and simply return the original content.
  • Documentation:

    • Improve the documentation for the new --timeout option to clear up a few misconceptions.
    • Drop a reference in the manual page claiming the ability to compare non-existent files on the command line. (This has not been possible since version 32, which was released in September 2015.)
    • Update the ‘X has been modified after NT_GNU_BUILD_ID has been applied’ messages to, for example, not duplicate the full filename in the diffoscope output.
  • Codebase improvements:

    • Tidy some control flow.
    • Correct a ‘recompile’ typo.
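The two behaviours described above, a soft recursion budget that stops opening new sub-archives once the time limit has passed (but lets work already in progress finish, which is why the cut-off is not strict) and a non-zero exit code whenever real content differences are found, are easy to show on a toy container tree. The following is an added example written for this report, not diffoscope's own code: the nested dicts standing in for archives, the `Budget` class and the `compare` function are all constructed here, and the pluggable `clock` parameter exists only so the behaviour can be exercised deterministically.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple, Union

# Constructed sample data (not real packages): a "container" is a dict whose
# values are either raw bytes (a regular file) or another dict (a sub-archive).
Node = Union[bytes, Dict[str, "Node"]]

ARCHIVE_A: Dict[str, Node] = {
    "README": b"hello\n",
    "lib.tar": {
        "a.o": b"\x7fELF-build-A",
        "inner.zip": {"x.txt": b"same", "y.txt": b"left"},
    },
}
ARCHIVE_B: Dict[str, Node] = {
    "README": b"hello\n",
    "lib.tar": {
        "a.o": b"\x7fELF-build-B",
        "inner.zip": {"x.txt": b"same", "y.txt": b"right"},
    },
}


class Budget:
    """Soft wall-clock budget modelled on the --timeout idea.

    Once `exhausted()` is true no *new* sub-archive is opened, but the
    comparison currently in progress runs to completion, so the real
    stopping point is only approximately the requested number of seconds.
    """

    def __init__(self, seconds: Optional[float], clock: Callable[[], float] = time.monotonic):
        self.seconds = seconds          # None means "no timeout"
        self.clock = clock              # injectable so tests can fake time
        self.start = clock()

    def exhausted(self) -> bool:
        if self.seconds is None:
            return False
        return (self.clock() - self.start) >= self.seconds


def compare(a: Dict[str, Node], b: Dict[str, Node], budget: Budget,
            path: str = "", diffs: Optional[List[str]] = None,
            skipped: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
    """Recursively compare two container trees.

    Returns (paths that differ, sub-archives that were *not* descended into
    because the budget ran out).  A sub-archive that is skipped is reported
    rather than silently treated as identical.
    """
    diffs = [] if diffs is None else diffs
    skipped = [] if skipped is None else skipped
    for name in sorted(set(a) | set(b)):       # deterministic order
        child = f"{path}/{name}"
        ea, eb = a.get(name), b.get(name)
        if isinstance(ea, dict) and isinstance(eb, dict):
            if budget.exhausted():
                skipped.append(child)          # do not open another archive
                continue
            compare(ea, eb, budget, child, diffs, skipped)
        elif ea != eb:                         # missing on one side, or bytes differ
            diffs.append(child)
    return diffs, skipped


def exit_code(diffs: List[str]) -> int:
    """Non-zero whenever real content differences were found."""
    return 1 if diffs else 0


def run(a: Dict[str, Node], b: Dict[str, Node], timeout: Optional[float] = None,
        clock: Callable[[], float] = time.monotonic) -> Tuple[List[str], List[str], int]:
    diffs, skipped = compare(a, b, Budget(timeout, clock))
    return diffs, skipped, exit_code(diffs)


class FakeClock:
    """Advances one 'second' per call, so a budget of N expires after N reads."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        self.t += 1.0
        return self.t


if __name__ == "__main__":
    print(run(ARCHIVE_A, ARCHIVE_B))                          # no timeout
    print(run(ARCHIVE_A, ARCHIVE_B, timeout=2, clock=FakeClock()))  # budget runs out
```

With no timeout the run reports both differing leaves and exits 1; with the fake clock and a budget of 2, `lib.tar` is still opened but `inner.zip` is recorded as skipped rather than compared, and the exit code is still 1 because `a.o` already differed.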

In addition, Alyssa Ross fixed the comparison of CBFS names that contain spaces, Sergei Trofimovich fixed whitespace for compatibility with version 21.12 of the Black source code reformatter and Zbigniew Jędrzejewski-Szmek fixed JSON detection with a new version of file.
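The Sphinx inventory bug fix listed above is a good illustration of why a content-aware diff tool should never trust a file's self-description. A Sphinx objects.inv file carries four comment header lines, the last of which says that the rest is zlib-compressed; a robust reader tries to inflate that remainder and, if it is not actually valid zlib, falls back to the original bytes instead of raising. The reader below is an added example written for this report and is not diffoscope's implementation; the helper names, the `mode` labels it returns and the sample inventory contents are all constructed here.

```python
import zlib
from typing import List, Optional, Tuple

HEADER_LINES = 4
INVENTORY_MAGIC = b"# Sphinx inventory version"
ZLIB_MARKER = b"compressed using zlib"


def split_inventory(data: bytes) -> Tuple[Optional[List[bytes]], bytes]:
    """Separate the 4 comment header lines from the remainder of the file.

    Returns (None, data) when there are fewer than 4 lines, i.e. this cannot
    be an inventory file at all.
    """
    head: List[bytes] = []
    rest = data
    for _ in range(HEADER_LINES):
        line, sep, rest = rest.partition(b"\n")
        if not sep:
            return None, data
        head.append(line)
    return head, rest


def inventory_payload(data: bytes) -> Tuple[bytes, str]:
    """Return (readable payload, mode) for a Sphinx .inv blob.

    mode is one of:
      "not-an-inventory" - magic line missing, bytes returned untouched
      "plain"            - header does not claim compression, remainder as-is
      "zlib"             - remainder inflated successfully
      "mislabelled"      - header claims zlib but inflation failed; the
                           original content is returned rather than an error
    """
    head, rest = split_inventory(data)
    if head is None or not head[0].startswith(INVENTORY_MAGIC):
        return data, "not-an-inventory"
    if ZLIB_MARKER not in head[-1]:
        return rest, "plain"
    try:
        return zlib.decompress(rest), "zlib"
    except zlib.error:
        # The label lied (or the file is truncated/corrupt): do not traceback,
        # simply hand back the original content for a byte-level comparison.
        return data, "mislabelled"


# Constructed sample inventories (not from any real project).
HEADER = (
    b"# Sphinx inventory version 2\n"
    b"# Project: example\n"
    b"# Version: 1.0\n"
    b"# The remainder of this file is compressed using zlib.\n"
)
ENTRIES = b"example.func py:function 1 api.html#example.func -\n"
GOOD_INV = HEADER + zlib.compress(ENTRIES)   # genuinely compressed
BAD_INV = HEADER + ENTRIES                   # labelled zlib, but stored plain


if __name__ == "__main__":
    for blob in (GOOD_INV, BAD_INV, b"not an inventory"):
        payload, mode = inventory_payload(blob)
        print(mode, payload[:40])
```

Returning a mode alongside the bytes lets a caller surface the discrepancy in its output (a mislabelled inventory is itself a difference worth reporting) instead of silently treating the fallback as a successful decode.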


Testing framework

The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, the following changes were made:

  • Frédéric Pierret (fepitre):

    • Add Debian bookworm to package set creation.
  • Holger Levsen:

    • Install the po4a package where appropriate, as it is needed for the Reproducible Builds website job. In addition, also run the i18n.sh and contributors.sh scripts.
    • Correct some grammar in the Debian ‘live’ image build output.
    • Shell monitor improvements:
      • Only show the ‘offline node’ section if there are offline nodes.
      • Colourise offline nodes.
      • Shrink screen usage.
    • Node health check improvements:
      • Detect if ‘live’ package builds encounter incomplete snapshots.
      • Detect if a host is running with today’s date (when it should be set artificially in the future).
    • Use the devscripts package from bullseye-backports on Debian nodes.
    • Use the Munin monitoring package from bullseye-backports on Debian nodes too.
    • Update ‘New Year’ handling, needed to be able to detect ‘real’ and fake dates.
    • Improve the error message of the script that powercycles the arm64 architecture nodes hosted by Codethink.
  • Mattia Rizzolo:

    • Use the new --timeout option added in diffoscope version 202.
  • Roland Clobus:

    • Update the build scripts now that the hooks for ‘live’ builds are maintained upstream in the live-build repository.
    • Show ‘info’ lines in Jenkins when reproducible hooks have been active.
    • Use unique folders for the artifacts from each ‘live’ Debian version.
  • Vagrant Cascadian:

    • Switch the Debian armhf architecture nodes to use the new proxy.
    • Misc. node maintenance.


Upstream patches

The Reproducible Builds project attempts to fix as many currently unreproducible packages as possible. In January, we wrote a large number of such patches, including:


And finally…

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. Alternatively, you can get in touch with us via:





Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches welcome via our Git repository (instructions) or via our mailing list. • Full contact info