Reproducible Builds in July 2022

View all our monthly reports


Welcome to the July 2022 report from the Reproducible Builds project!

In our reports we attempt to outline the most relevant things that have been going on in the past month. As a brief introduction, the reproducible builds effort is concerned with ensuring that no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.


Reproducible Builds summit 2022

Despite several delays, we are pleased to announce that registration is open for our in-person summit this year:

November 1st → November 3rd

The event will happen in Venice (Italy). We intend to pick a venue reachable via the train station and an international airport. However, the precise venue will depend on the number of attendees.

Please see the announcement email for information about how to register.


Is reproducibility practical?

Ludovic Courtès published an informative blog post this month asking the important question, Is reproducibility practical?:

Our attention was recently caught by a nice slide deck on the methods and tools for reproducible research in the R programming language. Among those, the talk mentions Guix, stating that it is “for professional, sensitive applications that require ultimate reproducibility”, which is “probably a bit overkill for Reproducible Research”. While we were flattered to see Guix suggested as a good tool for reproducibility, the very notion that there’s a kind of “reproducibility” that is “ultimate” and, essentially, impractical, is something that left us wondering: What kind of reproducibility do scientists need, if not the “ultimate” kind? Is “reproducibility” practical at all, or is it more of a horizon?

The post goes on to outline the concept of reproducibility, situating examples within the context of the GNU Guix operating system.


diffoscope

diffoscope is our in-depth and content-aware diff utility. Not only can it locate and diagnose reproducibility issues, it can provide human-readable diffs from many kinds of binary formats. This month, Chris Lamb prepared and uploaded versions 218, 219 and 220 to Debian, as well as made the following changes:

  • Bug fixes:

    • Fix a regression introduced in version 207 where diffoscope would crash if one directory contained a directory that wasn’t in the other. Thanks to Alderico Gallo for the testcase. []
    • Don’t traceback if we encounter an invalid Unicode character in Haskell versioning headers. []
  • Codebase improvements:

    • Space out a file a little. []
    • Update various copyright years. []


Mailing list

On our mailing list this month:

  • Roland Clobus posted his Eleventh status update about reproducible [Debian] live-build ISO images, noting — amongst many other things! — that “all major desktops build reproducibly with bullseye, bookworm and sid.”

  • Santiago Torres-Arias announced a Call for Papers (CfP) for a new SCORED conference, an “academic workshop around software supply chain security”. As Santiago highlights, this new conference “invites reviewers from industry, open source, government and academia to review the papers [and] I think that this is super important to tackle the supply chain security task”.


Upstream patches

The Reproducible Builds project attempts to fix as many currently-unreproducible packages as possible. This month, we submitted the following patches:


Reprotest

reprotest is the Reproducible Builds project’s end-user tool to build the same source code twice in widely and deliberately different environments, and to check whether the binaries produced by the builds have any differences. This month, the following changes were made:

  • Holger Levsen:

    • Uploaded version 0.7.21 to Debian unstable as well as marked 0.7.22 development in the repository [].
    • Make diffoscope dependency unversioned as the required version is met even in Debian buster. []
    • Revert an accidentally committed hunk. []
  • Mattia Rizzolo:

    • Apply a patch from Nick Rosbrook to not force the tests to run only against Python 3.9. []
    • Run the tests through pybuild in order to run them against all supported Python 3.x versions. []
    • Fix a deprecation warning in the setup.cfg file. []
    • Close a new Debian bug. []
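As an added illustration of the approach reprotest takes (this is example code, not reprotest’s own): a constructed in-memory source tree is “built” into a tar archive under two deliberately different environments (wall clock, builder uid and filesystem listing order), and the two outputs are compared by SHA-256. The naive build leaks those environment details into its output; the deterministic build pins them, following the SOURCE_DATE_EPOCH convention for timestamps.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents) standing in for a package.
SOURCE_TREE = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}

# Two deliberately different build environments, in the spirit of reprotest's
# variations: wall clock, numeric user id and filesystem listing order.
VARIATIONS = [
    {"now": 1_600_000_000, "uid": 1000, "listing": sorted(SOURCE_TREE)},
    {"now": 1_700_000_000, "uid": 1001, "listing": sorted(SOURCE_TREE, reverse=True)},
]


def pack(entries, mtime, uid):
    """Write entries (path, data) into an in-memory tar and return its bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mtime, info.uid, info.gid = len(data), mtime, uid, uid
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_build(env):
    """Unreproducible: leaks clock, builder uid and directory order into the output."""
    return pack([(p, SOURCE_TREE[p]) for p in env["listing"]], env["now"], env["uid"])


def deterministic_build(env, source_date_epoch=1_500_000_000):
    """Reproducible: fixed timestamp (SOURCE_DATE_EPOCH convention), ownership
    normalised to 0 and entries sorted, so the environment cannot leak in."""
    return pack(sorted(SOURCE_TREE.items()), source_date_epoch, 0)


def check_reproducible(build, variations=VARIATIONS):
    """Run the build once per variation; report whether all digests agree."""
    digests = [hashlib.sha256(build(env)).hexdigest() for env in variations]
    return len(set(digests)) == 1, digests
```

When the digests disagree, the next step in practice is to hand both archives to diffoscope, which reports which header fields or entries differ.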


Reproducible builds website

A number of changes were made to the Reproducible Builds website and documentation this month, including:

  • Chris Lamb:

    • Correct some grammar. []
  • Holger Levsen:

    • Add talk from FOSDEM 2015 presented by Holger and Lunar. []
    • Show date of presentations if we have them. [][]
    • Add my presentation from DebConf22 [] and from Debian Reunion Hamburg 2022 [].
    • Add dhole to the speakers of the DebConf15 talk. []
    • Add raboof’s talk “Reproducible Builds for Trustworthy Binaries” from May Contain Hackers. []
    • Drop some Debian-related suggested ideas which are not really relevant anymore. []
    • Add a link to list of packages with patches ready to be NMUed. []
  • Mattia Rizzolo:

    • Add information about our upcoming event in Venice. [][][][]


Testing framework

The Reproducible Builds project runs a significant testing framework at tests.reproducible-builds.org, to check packages and other artifacts for reproducibility. This month, Holger Levsen made the following changes:

  • Debian-related changes:

    • Create graphs displaying existing .buildinfo files per each Debian suite/arch. [][]
    • Fix a typo in the Debian dashboard. [][]
    • Fix some issues in the pkg-r package set definition. [][][]
    • Improve the “builtin-pho” HTML output. [][][][]
    • Temporarily disable all live builds as our snapshot mirror is offline. []
  • Automated node health checks:

    • Detect dpkg failures. []
    • Detect files with bad UNIX permissions. []
    • Relax a regular expression in order to detect Debian Live image build failures. []
  • Misc changes:

    • Test that the FreeBSD virtual machine has been updated to version 13.1. []
    • Add a reminder about powercycling the armhf-architecture mst0X node. []
    • Fix a number of typos. [][]
    • Update documentation. [][]
    • Fix Munin monitoring configuration for some nodes. []
    • Fix the static IP address for a node. []

In addition, Vagrant Cascadian updated host keys for the cbxi4pro0 and wbq0 nodes [] and, finally, node maintenance was also performed by Mattia Rizzolo [] and Holger Levsen [][][].


Contact

As ever, if you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. Alternatively, you can get in touch with us via:





Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info